Tags: ClickFix, Fake Browser Updates, Infostealer, Remote Access Trojan, NetSupport RAT, SectopRAT

Feb 18, 2026 • Recorded Future

GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack

Source: Recorded Future
Category: vulnerability
Severity: high

Executive Summary

Insikt Group has identified GrayCharlie, a threat actor overlapping with SmartApeSG/ZPHP/HANEYMANEY, active since mid-2023, conducting widespread compromises of WordPress sites to deploy malware. The group injects malicious JavaScript into compromised sites, redirecting visitors to fake browser update pages or ClickFix lures that deliver NetSupport RAT. Infections can escalate to include Stealc and SectopRAT infostealers. Infrastructure analysis reveals heavy reliance on MivoCloud and HZ Hosting Ltd. A concerning cluster of US law firm sites was identified, potentially compromised through a shared IT provider in November 2025, suggesting supply-chain targeting. GrayCharlie's objectives appear focused on data theft and financial gain. Defenders should block associated IPs/domains, deploy detection rules (YARA, Snort, Sigma), implement email filtering, and monitor for data exfiltration.

Summary

GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and SectopRAT.

Published Analysis

Executive Summary

Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to GrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure used to administer operations.

While most compromised websites appear to be opportunistic and span numerous industries, Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider. To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section of this report for implementation guidance and Appendix A for a complete list of indicators of compromise (IoCs).

Key Findings

  • GrayCharlie, which overlaps with SmartApeSG and first emerged in mid-2023, is a threat actor that injects links to externally hosted JavaScript into compromised WordPress sites. These links redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.
  • Insikt Group identified a wide range of GrayCharlie infrastructure, largely associated with MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, staging infrastructure made up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie's higher-tier infrastructure used to manage its operations.
  • Insikt Group identified two primary attack chains associated with GrayCharlie: one in which victims encounter fake browser update pages after visiting compromised websites, and another in which they are presented with a ClickFix pop-up, a technique that has become increasingly common in 2025.

Background

GrayCharlie is Insikt Group's designation for a threat activity group that first appeared in mid-2023 and is behind SmartApeSG, also referred to as ZPHP or HANEYMANEY. The group's operations typically involve injecting malicious JavaScript into legitimate but compromised WordPress sites. Visitors to these sites are shown convincing, browser-specific fake update prompts (such as for Chrome, Edge, or Firefox) that encourage them to download what appears to be an update but is actually malware. In late March or early April 2025, SmartApeSG shifted from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix. GrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recently, SectopRAT, have been observed in rare instances. The group's ultimate objectives remain uncertain. Current evidence suggests a focus on data theft and financial gain, with a theoretical, but unsubstantiated, possibility that it may sell or transfer access to other threat actors.

Threat Analysis

Insikt Group has been tracking GrayCharlie for an extended period and has observed the actor's persistent behavior since its...
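The initial foothold described above is a link to externally hosted JavaScript injected into a compromised WordPress site. A site owner or responder can hunt for that injection by diffing the script origins a page actually loads against the origins it is expected to load. The following scanner is an added example written for this page, not tooling from Recorded Future, Insikt Group, or the report; the page HTML, the site hostname and the allowlisted CDN hosts are constructed for the example and are not indicators from the report.

```python
"""Flag <script src> tags on a WordPress page that load from non-allowlisted hosts.

Added example (not Recorded Future's / Insikt Group's code). It models the
GrayCharlie technique: a compromised WordPress site injected with a link to
JavaScript hosted on actor-controlled infrastructure. All hostnames and the
sample HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Origins the site is expected to load scripts from: its own hostnames plus
# CDNs it legitimately uses. This allowlist is an assumption for the example;
# build yours from a known-good crawl or the theme/plugin manifest.
ALLOWED_HOSTS = {
    "www.example-lawfirm.test",
    "example-lawfirm.test",
    "ajax.googleapis.com",
}

# Constructed sample page: two legitimate script loads, one inline script, and
# one protocol-relative load from an unknown host (the injected link).
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Example Law Firm</title>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<SCRIPT SRC="//static.update-notice.example/js/app.js"></SCRIPT>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>Practice areas</p></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag names for us
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def script_host(src, page_host):
    """Resolve a script src to the host it is fetched from.

    Relative paths ("/wp-includes/...") resolve to the page host; absolute and
    protocol-relative ("//cdn.example/x.js") URLs carry their own host.
    data: and javascript: URLs are inline-equivalent and have no host.
    """
    parts = urlsplit(src)
    if parts.scheme in ("data", "javascript"):
        return None
    return (parts.netloc or page_host).lower()


def find_suspicious_scripts(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (src, host) pairs for scripts loaded from hosts outside the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = script_host(src, page_host)
        if host is not None and host not in allowed_hosts:
            findings.append((src, host))
    return findings


if __name__ == "__main__":
    for src, host in find_suspicious_scripts(SAMPLE_PAGE, "www.example-lawfirm.test"):
        print(f"unexpected external script host {host}: {src}")
```

A hit is a lead, not a verdict: WordPress plugins legitimately pull scripts from third-party CDNs, so the allowlist has to be built per site from a known-good baseline, and the scanner should run against the HTML a browser actually receives (including pages served to first-time visitors), since injected loaders are often only emitted for some requests. An unexpected host that also resolves to the hosting providers named in the report is worth escalating.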

Linked Entities

  • NetSupport RAT
  • SectopRAT
  • Stealc
  • GrayCharlie
  • HANEYMANEY
  • SmartApeSG
  • ZPHP