
GrayCharlie

Also known as: graycharlie

GrayCharlie is a financially motivated threat actor active since mid-2023 that compromises WordPress websites and injects malicious, externally hosted JavaScript to profile visitors and redirect them to malware delivery lures. The actor overlaps with the previously tracked SmartApeSG cluster, also referred to as ZPHP or HANEYMANEY/HANEMONEY.

Operations observed include a supply-chain-style campaign impacting U.S. law firms: at least fifteen law firm WordPress sites were injected with identical JavaScript pointing to the same attacker-controlled domain, and reporting assessed that the compromises may have occurred via a shared IT/marketing provider, specifically a suspected supply-chain vector involving SMB Team (an IT services/law-firm acceleration provider) and/or a shared WordPress/plugin stack.

GrayCharlie's infection chains rely on social engineering via fake browser update pages (mimicking Chrome/Edge/Firefox) and ClickFix-style fake CAPTCHA prompts that instruct users to execute attacker-provided commands (e.g., via the Windows Run dialog). Delivery tradecraft described includes WScript spawning PowerShell to download and extract a NetSupport RAT client into %AppData%, and a ClickFix chain that retrieves a batch file, installs the RAT, and establishes persistence via a Registry Run key.

Primary payloading centers on NetSupport RAT for interactive access, surveillance, and file operations, with follow-on delivery of additional malware including the Stealc infostealer and (more rarely) SectopRAT (including observed DLL sideloading). Infrastructure analysis attributed much of GrayCharlie's supporting ecosystem (NetSupport RAT C2 and staging) to MivoCloud and HZ Hosting Ltd (AS202015). Two main NetSupport RAT C2 clusters were reported, differentiated by TLS certificate naming patterns and NetSupport license/serial identifiers; C2 management commonly used TCP/443, with higher-tier administration infrastructure accessed mainly over SSH.

Some higher-tier activity suggested that at least some operators are Russian-speaking. The United States was reported as the most frequent target, though activity spans multiple industries globally.
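The law-firm campaign's key signal is the same externally hosted script tag appearing across many unrelated WordPress sites. The following is an added example (not code from this page, Mallory, or any referenced report) showing how a site operator or hosting provider could scan their own pages for external script hosts that are neither first-party nor on an allowlist, and flag hosts shared across several sites. The allowlist, the sample pages and the `inject-lure.example` host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from collections import defaultdict

# Hosts a site is expected to load scripts from (first-party is handled separately).
# Constructed allowlist for this example; tune it to the sites you operate.
EXPECTED_HOSTS = {"cdnjs.cloudflare.com", "www.googletagmanager.com"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def external_script_hosts(page_url, html):
    """Return hosts of <script src> that are neither first-party nor allowlisted."""
    site_host = urlparse(page_url).netloc.lower()
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        # scheme="https" makes protocol-relative "//host/path" sources resolve to a host
        host = urlparse(src, scheme="https").netloc.lower()
        if host and host != site_host and host not in EXPECTED_HOSTS:
            hosts.add(host)
    return hosts

def shared_unexpected_hosts(pages, min_sites=2):
    """Map each unexpected script host to the sites loading it; keep hosts seen on >= min_sites sites."""
    by_host = defaultdict(set)
    for url, html in pages.items():
        for host in external_script_hosts(url, html):
            by_host[host].add(urlparse(url).netloc.lower())
    return {h: sorted(s) for h, s in by_host.items() if len(s) >= min_sites}

# Constructed sample pages: three sites, two of which carry the same injected tag.
SAMPLE_PAGES = {
    "https://firm-a.example/": '<html><head><script src="https://cdnjs.cloudflare.com/jquery.js"></script>'
                               '<script src="//inject-lure.example/v.js"></script></head></html>',
    "https://firm-b.example/": '<html><head><script src="/wp-includes/js/jquery.js"></script>'
                               '<script src="https://inject-lure.example/v.js"></script></head></html>',
    "https://firm-c.example/": '<html><head><script src="https://www.googletagmanager.com/gtm.js"></script></head></html>',
}

if __name__ == "__main__":
    for host, sites in shared_unexpected_hosts(SAMPLE_PAGES).items():
        print(f"{host} loaded by {len(sites)} sites: {', '.join(sites)}")
```

Run against the rendered HTML of every site a provider manages, a host that turns up on many of them but on no allowlist is the cross-site indicator the reporting describes, and a good starting point for a takedown and an incident scope.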


MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Coverage: 10 of 15 tactics, 29 technique entries. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (2 techniques)
  T1189 Drive-by Compromise ×5
  T1195 Supply Chain Compromise ×3

TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter
    T1059.001 PowerShell ×3
    T1059.005 Visual Basic ×2
    T1059.007 JavaScript ×2
  T1204 User Execution ×2
    T1204.002 Malicious File ×2

TA0003 Persistence (2 techniques)
  T1505 Server Software Component
    T1505.003 Web Shell
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder ×2

TA0004 Privilege Escalation (1 technique)
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder ×2

TA0005 Stealth (1 technique)
  T1218 System Binary Proxy Execution

TA0006 Credential Access (1 technique)
  T1056 Input Capture

TA0007 Discovery (2 techniques)
  T1069 Permission Groups Discovery
    T1069.002 Domain Groups
  T1082 System Information Discovery

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.004 SSH ×2

TA0009 Collection (2 techniques)
  T1056 Input Capture
  T1560 Archive Collected Data
    T1560.001 Archive via Utility

TA0011 Command and Control (4 techniques)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols
  T1090 Proxy
  T1105 Ingress Tool Transfer ×3
  T1219 Remote Access Tools
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Check Point Research blog (News)
Mar 2, 2026
2nd March - Threat Intelligence Report - Check Point Research

Compromise of WordPress sites via injected external JavaScript for visitor profiling and malware delivery, using fake update lures/ClickFix-style prompts; infections linked to NetSupport tooling followed by Stealc and SectopRAT.

SC World (News)
Feb 25, 2026
Hacked US law firm sites tapped to spread various malware | SC Media

Financially motivated supply-chain style campaign leveraging compromised WordPress sites of U.S. law firms (likely via a shared IT/marketing provider) to inject malicious JavaScript that redirects victims to fake browser updates or fake CAPTCHAs, coercing execution of a PowerShell command via the Windows Run dialog to install NetSupport RAT; subsequently used for surveillance/file operations and to deliver Stealc infostealer and SectopRAT.

Cyber Security News (News)
Feb 23, 2026
GrayCharlie Injects Malicious JavaScript into WordPress Sites to Deliver NetSupport RAT and Stealc - Cyber Security News

Compromises WordPress sites to inject malicious JavaScript that profiles visitors and delivers social-engineering lures (fake browser updates and ClickFix-style fake CAPTCHAs) to get users to execute payloads, primarily deploying NetSupport RAT and additional stealers/RATs. Activity includes supply-chain compromise of an IT services provider to reach multiple US law firms.

Risky Biz RSS (News)
Feb 20, 2026
Risky Bulletin: RPKI infrastructure sits on shaky ground

Compromises WordPress sites to redirect traffic to fake browser-update pages to deliver remote access trojans (RATs).