A sophisticated threat actor, identified as GrayCharlie, has been actively compromising WordPress websites since mid-2023, subtly injecting malicious JavaScript to distribute malware to unsuspecting visitors. This group, which shows overlap with the previously tracked SmartApeSG cluster (also known as ZPHP or HANEMONEY), primarily leverages the NetSupport RAT, a potent remote access trojan that grants attackers extensive control over infected systems. The expanding arsenal of GrayCharlie now includes Stealc, an information-stealing malware, and more recently, SectopRAT, further broadening the types of sensitive data attackers can exfiltrate.
GrayCharlie’s modus operandi is to quietly insert a script tag into the Document Object Model (DOM) of compromised, legitimate WordPress sites. The tag directs browsers to an external JavaScript file hosted on attacker-controlled servers. When a visitor loads a compromised page, the script fingerprints the user’s browser and operating system and, based on that profile, serves one of two lures: a convincing fake browser update or a ClickFix-style fake CAPTCHA, each designed to trick the user into installing or executing malware without realising it.
GrayCharlie’s Technical Infrastructure and Operations
Analysis by Recorded Future indicates that GrayCharlie’s backend infrastructure is hosted predominantly with MivoCloud and HZ Hosting Ltd. Researchers have identified two primary clusters of NetSupport RAT command-and-control (C2) servers, distinguishable by their TLS certificate naming patterns, license keys, and serial numbers, both deployed consistently throughout 2025. The operators reach these C2 servers over TCP port 443 and manage their staging servers over SSH, a choice likely meant to let malicious traffic pass as legitimate.
Observations of browsing patterns from higher-tier infrastructure suggest that at least some members of the GrayCharlie group may be Russian-speaking. The group’s malicious activities span a wide range of industries globally, with the United States being the most frequent target. Notably, researchers discovered that at least fifteen U.S. law firm websites were injected with identical malicious JavaScript, all pointing to the same attacker-controlled domain. This suggests a targeted campaign against legal entities.
Evidence points to these law firms having been compromised through a supply-chain attack involving SMB Team, an IT services company that serves numerous law firms across North America. Stolen credentials tied to an SMB Team email address surfaced around the same time the malicious domain first became active, which corroborates this suspected attack vector and highlights how important it is for vendors and their clients to secure indirect supply chains.
How GrayCharlie Infects Systems
The infection process initiated by GrayCharlie follows two primary attack chains. In the first chain, once a victim executes the fake browser update JavaScript, the system’s WScript utility spawns PowerShell. This PowerShell instance then downloads and extracts a complete NetSupport RAT client into the user’s AppData folder, effectively establishing a foothold on the compromised system. This method relies on social engineering to trick the user into performing the initial malicious action.
The second chain, built on the ClickFix fake CAPTCHA, works much the same way but depends on a command the victim runs themselves: the page instructs the user to paste an attacker-planted command, which retrieves a batch file that installs the RAT and establishes persistence by writing a Registry Run key, so the malware launches automatically on every reboot.
Once established, GrayCharlie operators connect to the compromised system over C2, perform reconnaissance, and may deploy SectopRAT as a secondary payload. This layered approach lets the attackers escalate their access and capabilities on the victim’s machine, potentially leading to more significant data theft or further compromise.
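Detection logic for the two chains above, as an added example and not Recorded Future’s published rules: it scans constructed Sysmon-style process-creation and registry events (the field names are an assumption) for a script host spawning PowerShell and for Run-key values pointing into AppData, then correlates both signals per user; cscript.exe is included alongside wscript.exe as a generalisation of the chain described.

```python
import re
from collections import defaultdict

# Constructed sample telemetry; field names follow a Sysmon-like schema (assumption).
EVENTS = [
    {"type": "process", "user": r"CORP\alice",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <constructed-stage-placeholder>"},
    {"type": "process", "user": r"CORP\bob",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    {"type": "registry", "user": r"CORP\alice",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater",
     "data": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"type": "registry", "user": r"CORP\bob",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # cscript.exe added as a generalisation
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)

def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, user, detail) tuples for events matching either chain."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            # Chain 1: fake-update JavaScript -> WScript spawns PowerShell
            if basename(e["parent"]) in SCRIPT_HOSTS and basename(e["image"]) == "powershell.exe":
                alerts.append(("script_host_spawns_powershell", e["user"], e["cmdline"]))
        elif e["type"] == "registry":
            # Chain 2 (and chain 1 persistence): Run key pointing into the user's AppData
            if RUN_KEY.search(e["key"]) and APPDATA.search(e["data"]):
                alerts.append(("run_key_points_into_appdata", e["user"], e["data"]))
    return alerts

def correlate(alerts):
    """Users that show both signals, i.e. the full first chain on one account."""
    seen = defaultdict(set)
    for rule, user, _ in alerts:
        seen[user].add(rule)
    return {u for u, rules in seen.items() if len(rules) == 2}
```
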
Mitigation and Detection Recommendations
To mitigate the threat posed by GrayCharlie, security teams are advised to implement several proactive measures. Blocking known GrayCharlie IP addresses and domains at the network perimeter is a fundamental step. Additionally, deploying YARA, Snort, and Sigma detection rules within Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) platforms can aid in identifying and alerting on malicious activity. Continuous monitoring of WordPress sites for unauthorized DOM script injections is crucial for early detection of compromises.
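The DOM monitoring recommendation above, as an added example rather than any tool from the report: it parses a page’s served HTML, flags script tags whose host is not on a per-site allowlist, and diffs the script sources against a stored baseline so newly inserted tags surface on the next crawl; the sample HTML, hostnames and baseline are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML as a crawler would fetch it; the last external tag stands in for an injection.
SAMPLE_HTML = """<html><head>
<script src="https://example-lawfirm.test/wp-includes/js/jquery/jquery.min.js"></script>
<script src="/wp-content/themes/site/theme.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/foo/1.0/foo.min.js"></script>
<script src="https://attacker-controlled.invalid/loader.js"></script>
<script>console.log('inline script, not covered by this check')</script>
</head><body></body></html>"""

# Per-site allowlist: the site itself plus CDNs its theme and plugins legitimately use.
ALLOWED_HOSTS = {"example-lawfirm.test", "cdnjs.cloudflare.com"}

# Script sources recorded on an earlier, known-good crawl (constructed).
BASELINE = {
    "https://example-lawfirm.test/wp-includes/js/jquery/jquery.min.js",
    "/wp-content/themes/site/theme.js",
    "https://cdnjs.cloudflare.com/ajax/libs/foo/1.0/foo.min.js",
}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the served markup."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())

def script_sources(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs

def unexpected_scripts(html, allowed_hosts):
    """External script srcs whose host is not allowlisted; relative srcs are first-party."""
    flagged = []
    for src in script_sources(html):
        host = urlparse(src).netloc.lower().split(":")[0]   # handles //host/path, drops port
        if host and host not in allowed_hosts:
            flagged.append(src)
    return flagged

def new_since_baseline(html, baseline):
    """Script srcs present now that were absent from the last known-good crawl."""
    return set(script_sources(html)) - set(baseline)
```

Run both checks on each crawl: the allowlist catches an injected third-party host even on the first scan, and the baseline diff catches a new tag regardless of host.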
The ongoing activity of GrayCharlie underscores the persistent threat to WordPress websites and the broader digital ecosystem. The group’s evolving tactics and tools, including the deployment of multiple RATs and information stealers, demonstrate a determined and adaptable threat actor. Organizations relying on WordPress platforms should remain vigilant and ensure their security postures are robust and up-to-date to defend against such sophisticated attacks. The continuous evolution of threat landscapes necessitates a layered security approach and ongoing security awareness training for users.