GrayCharlie is abusing compromised WordPress websites to silently load malicious JavaScript that pushes NetSupport RAT, typically adopted by Stealc and SectopRAT, through pretend browser updates and ClickFix lures.<\/p>\n

Insikt Group tracks GrayCharlie as a financially motivated menace actor overlapping with SmartApeSG, lively since mid\u20112023, and specializing in turning authentic WordPress websites into malware-delivery factors. <\/p>\n

The actor injects hyperlinks to externally hosted JavaScript into compromised pages, which then redirect guests to pretend browser-update pages or ClickFix-style social engineering <\/a>flows that in the end ship the NetSupport RAT. <\/p>\n

As soon as NetSupport is put in and linked to attacker\u2011managed C2 servers, GrayCharlie operators achieve distant entry for surveillance, file operations, and observe\u2011on payload supply, together with infostealer Stealc and distant entry malware SectopRAT.<\/p>\n

Insikt Group studies that GrayCharlie<\/a> operates a large, layered infrastructure footprint, closely targeting suppliers MivoCloud and HZ Internet hosting Ltd. <\/p>\n

This consists of devoted NetSupport RAT C2 servers, staging servers internet hosting the malicious JavaScript templates, and better\u2011tier programs used to manage campaigns, typically accessed by way of proxy companies.<\/p>\n

\"Overview — Overview of GrayCharlie clusters noticed in 2025<\/em> (Supply : Insikt Group).<\/figcaption><\/figure>\n<\/div>\n
The group\u2019s exercise stays constant throughout campaigns, with recurring use of the identical an infection chains, license keys, and TLS certificates patterns on its C2 infrastructure.<\/p>\n
**Faux Updates, ClickFix, and Regulation Agency <\/strong><\/h2>\n**Initially, GrayCharlie relied totally on pretend browser replace overlays, which seem tailor-made to Chrome, Edge, or Firefox and immediate customers to obtain a supposed replace package deal that’s truly a JavaScript pushed NetSupport installer<\/a>. <\/p>\n
The IP addresses related to the staging infrastructure are linked to web sites impersonating \u201cWiser College\u201d a fictional entity used to exhibit Wiser, a free Bootstrap HTML5 training.<\/p>\n
\n
$\"Website$
Web site impersonating \u201cWiser College\u201d<\/em> (Supply : Insikt Group). <\/figcaption><\/figure>\n<\/div>\n
The loader script launches through WScript, levels PowerShell, downloads and extracts the NetSupport shopper into places reminiscent of %AppData%, provides Registry Run keys for persistence, after which beaconing to GrayCharlie\u2011managed C2 servers. <\/p>\n
In 2025, the actor expanded to a ClickFix stream, the place compromised WordPress pages<\/a> show a pretend CAPTCHA that copies a PowerShell\u2011based mostly command to the clipboard and instructs customers to execute it utilizing the Home windows Run dialog, once more leading to NetSupport RAT set up and persistence.<\/p>\n
Most sufferer websites seem opportunistically compromised throughout many sectors, however Insikt Group additionally highlights a notable cluster of US legislation agency WordPress websites that started loading malicious JavaScript from GrayCharlie\u2011managed infrastructure round November 2025. <\/p>\n
Proof suggests these legislation agency websites might have been compromised through a provide\u2011chain vector involving a shared IT or advertising and marketing supplier, with SMB Crew cited as a probable avenue as a result of its branding and shared credentials surfacing across the time the malicious infrastructure grew to become lively. <\/p>\n
\n
$\" Website$
Web site of Gerling Regulation Harm Attorneys (high) and SMBTeam emblem (backside)<\/em> (Supply : Insikt Group). <\/figcaption><\/figure>\n<\/div>\n
Whereas GrayCharlie\u2019s final goals stay unclear, present telemetry factors to information theft, monetary achieve, and doubtlessly promoting or sharing entry with different menace actors, underlining the chance to authorized and different excessive\u2011worth targets.<\/p>\n
Mitigations<\/strong><\/h2>\n
Insikt Group advises defenders to aggressively block IP addresses and domains tied to NetSupport RAT, Stealc, SectopRAT, and different instruments utilized in GrayCharlie operations, and to deal with visitors to recognized\u2011compromised WordPress websites as excessive\u2011threat till remediated. <\/p>\n
The web page presents a pretend CAPTCHA that quietly copies a malicious command to the person\u2019s clipboard and instructs them to stick it into the Home windows Run dialog (Win+R).<\/p>\n
\n
$\"Fake$
*Faux Captcha<\/em> (Supply : Insikt Group). <\/figcaption><\/figure>\n<\/div>\n*Safety groups ought to deploy up to date YARA<\/a>, Snort, and Sigma guidelines to detect NetSupport parts, ClickFix\u2011model instructions, and GrayCharlie\u2019s JavaScript and PowerShell loader patterns, together with in historic logs. <\/p>\n
Further beneficial controls embody tightening e-mail and net filtering, monitoring for suspicious information exfiltration to recognized malicious infrastructure, and constantly ingesting new GrayCharlie menace intelligence sources to maintain detection and blocking insurance policies present.<\/p>\n
**Observe us on\u00a0**Google Information<\/a>,\u00a0 LinkedIn<\/a>, and\u00a0 X<\/a>\u00a0to Get Instantaneous Updates and Set GBH as a Most well-liked Supply in\u00a0 Google<\/a>.<\/strong><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"
GrayCharlie is abusing compromised WordPress websites to silently load malicious JavaScript that pushes NetSupport RAT, typically adopted by Stealc and SectopRAT, through pretend browser updates and ClickFix lures. Insikt Group tracks GrayCharlie as a financially motivated menace actor overlapping with SmartApeSG, lively since mid\u20112023, and specializing in turning authentic WordPress websites into malware-delivery factors. The […]<\/p>\n","protected":false},"author":2,"featured_media":12087,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[7957,1497,216,6092,1538,1900,7958,7959,3852],"class_list":["post-12085","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-graycharlie","tag-hacks","tag-malware","tag-netsupport","tag-rat","tag-sites","tag-spreads","tag-stealc","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12085"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12085\/revisions"}],"predecessor-version":[{"id":12086,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12085\/revisions\/12086"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/12087"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Overview of GrayCharlie clusters noticed in 2025<\/em> (Supply : Insikt Group).<\/figcaption><\/figure>\n<\/div>\n
The group\u2019s exercise stays constant throughout campaigns, with recurring use of the identical an infection chains, license keys, and TLS certificates patterns on its C2 infrastructure.<\/p>\n
**Faux Updates, ClickFix, and Regulation Agency <\/strong><\/h2>\n**Initially, GrayCharlie relied totally on pretend browser replace overlays, which seem tailor-made to Chrome, Edge, or Firefox and immediate customers to obtain a supposed replace package deal that’s truly a JavaScript pushed NetSupport installer<\/a>. <\/p>\n
The IP addresses related to the staging infrastructure are linked to web sites impersonating \u201cWiser College\u201d a fictional entity used to exhibit Wiser, a free Bootstrap HTML5 training.<\/p>\n
\n
$\"Website$
Web site impersonating \u201cWiser College\u201d<\/em> (Supply : Insikt Group). <\/figcaption><\/figure>\n<\/div>\n
The loader script launches through WScript, levels PowerShell, downloads and extracts the NetSupport shopper into places reminiscent of %AppData%, provides Registry Run keys for persistence, after which beaconing to GrayCharlie\u2011managed C2 servers. <\/p>\n
In 2025, the actor expanded to a ClickFix stream, the place compromised WordPress pages<\/a> show a pretend CAPTCHA that copies a PowerShell\u2011based mostly command to the clipboard and instructs customers to execute it utilizing the Home windows Run dialog, once more leading to NetSupport RAT set up and persistence.<\/p>\n
Most sufferer websites seem opportunistically compromised throughout many sectors, however Insikt Group additionally highlights a notable cluster of US legislation agency WordPress websites that started loading malicious JavaScript from GrayCharlie\u2011managed infrastructure round November 2025. <\/p>\n
Proof suggests these legislation agency websites might have been compromised through a provide\u2011chain vector involving a shared IT or advertising and marketing supplier, with SMB Crew cited as a probable avenue as a result of its branding and shared credentials surfacing across the time the malicious infrastructure grew to become lively. <\/p>\n
\n
$\" Website$
Web site of Gerling Regulation Harm Attorneys (high) and SMBTeam emblem (backside)<\/em> (Supply : Insikt Group). <\/figcaption><\/figure>\n<\/div>\n
Whereas GrayCharlie\u2019s final goals stay unclear, present telemetry factors to information theft, monetary achieve, and doubtlessly promoting or sharing entry with different menace actors, underlining the chance to authorized and different excessive\u2011worth targets.<\/p>\n
Mitigations<\/strong><\/h2>\n
Insikt Group advises defenders to aggressively block IP addresses and domains tied to NetSupport RAT, Stealc, SectopRAT, and different instruments utilized in GrayCharlie operations, and to deal with visitors to recognized\u2011compromised WordPress websites as excessive\u2011threat till remediated. <\/p>\n
The web page presents a pretend CAPTCHA that quietly copies a malicious command to the person\u2019s clipboard and instructs them to stick it into the Home windows Run dialog (Win+R).<\/p>\n
\n
$\"Fake$
*Faux Captcha<\/em> (Supply : Insikt Group). <\/figcaption><\/figure>\n<\/div>\n*Safety groups ought to deploy up to date YARA<\/a>, Snort, and Sigma guidelines to detect NetSupport parts, ClickFix\u2011model instructions, and GrayCharlie\u2019s JavaScript and PowerShell loader patterns, together with in historic logs. <\/p>\n
Further beneficial controls embody tightening e-mail and net filtering, monitoring for suspicious information exfiltration to recognized malicious infrastructure, and constantly ingesting new GrayCharlie menace intelligence sources to maintain detection and blocking insurance policies present.<\/p>\n
**Observe us on\u00a0**Google Information<\/a>,\u00a0 LinkedIn<\/a>, and\u00a0 X<\/a>\u00a0to Get Instantaneous Updates and Set GBH as a Most well-liked Supply in\u00a0 Google<\/a>.<\/strong><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"
GrayCharlie is abusing compromised WordPress websites to silently load malicious JavaScript that pushes NetSupport RAT, typically adopted by Stealc and SectopRAT, through pretend browser updates and ClickFix lures. Insikt Group tracks GrayCharlie as a financially motivated menace actor overlapping with SmartApeSG, lively since mid\u20112023, and specializing in turning authentic WordPress websites into malware-delivery factors. The […]<\/p>\n","protected":false},"author":2,"featured_media":12087,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[7957,1497,216,6092,1538,1900,7958,7959,3852],"class_list":["post-12085","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-graycharlie","tag-hacks","tag-malware","tag-netsupport","tag-rat","tag-sites","tag-spreads","tag-stealc","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12085"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12085\/revisions"}],"predecessor-version":[{"id":12086,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12085\/revisions\/12086"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/12087"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}