Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
GrayCharlie Targets WordPress Sites with Malicious Scripts

GrayCharlie Targets WordPress Sites with Malicious Scripts

Posted on February 23, 2026 By CWS

GrayCharlie Exploits WordPress Sites

Since mid-2023, a cybercriminal group identified as GrayCharlie has been targeting WordPress sites by embedding harmful JavaScript, aiming to infect users’ systems with malware. This group’s activities overlap with the SmartApeSG cluster, also known by aliases such as ZPHP or HANEMONEY. Their primary weapon is the NetSupport RAT, a remote access trojan that provides attackers with full control over compromised devices.

Malware Tactics and Deployment

In addition to the NetSupport RAT, GrayCharlie has expanded its arsenal to include Stealc, a tool for stealing sensitive information, and more recently, SectopRAT, which broadens their capability to extract data from infiltrated systems. The group’s core strategy involves inserting a script tag into the Document Object Model (DOM) of legitimate, yet compromised, WordPress sites.

The malicious tag directs to a JavaScript file located on a server controlled by the attackers. Upon visiting the infected site, users inadvertently execute the script, which assesses their browser and operating system before deciding on the next course of action. This can lead to users being tricked into installing malware through fake browser updates or deceptive CAPTCHA prompts.

Infrastructure and Global Reach

According to Recorded Future analysts, GrayCharlie’s backend infrastructure largely relies on services from MivoCloud and HZ Hosting Ltd. The researchers have tracked two distinct clusters of NetSupport RAT command-and-control (C2) servers, each characterized by unique TLS certificate naming conventions, license keys, and serial numbers, which were deployed consistently in 2025.

GrayCharlie manages these C2 servers via TCP port 443 and leverages SSH for staging server management, camouflaging its activities as normal traffic. Analysis suggests some members of the group may be Russian-speaking, based on higher-tier browsing patterns.

Impact on Industries and Mitigation Strategies

GrayCharlie’s attacks have affected numerous industries worldwide, with the United States experiencing the most frequent breaches. Research uncovered that at least fifteen American law firm websites were compromised, all displaying identical malicious JavaScript linked to the attackers’ domain. These breaches appear to have been facilitated through a supply-chain attack involving the SMB Team, a company providing IT services to many North American law firms.

The infection process involves an initial JavaScript prompt that, once executed, uses WScript to launch PowerShell, which then downloads and installs a full NetSupport RAT client in the user’s AppData folder. Similarly, the ClickFix method involves users executing a command that retrieves a batch file to install the RAT and ensures persistence by writing a Registry Run key.

To mitigate exposure, organizations should block known IP addresses and domains linked to GrayCharlie, implement YARA, Snort, and Sigma rules in SIEM or EDR platforms, and regularly inspect WordPress sites for unauthorized script injections in the DOM.

Cyber Security News Tags:C2 servers, Cybersecurity, GrayCharlie, JavaScript injection, Malware, NetSupport RAT, Russian-speaking hackers, SectopRAT, Stealc malware, WordPress security

Post navigation

Previous Post: Starkiller Phishing Tool Bypasses MFA with Real Login Pages
Next Post: APT28’s Webhook Malware Targets Europe

Related Posts

Warlock Ransomware Exploiting SharePoint Vulnerabilities to Gain Access and Steal Credentials Warlock Ransomware Exploiting SharePoint Vulnerabilities to Gain Access and Steal Credentials Cyber Security News
Threat Actors Manipulating LLMs for Automated Vulnerability Exploitation Threat Actors Manipulating LLMs for Automated Vulnerability Exploitation Cyber Security News
Ransomware Threats Rise in Aviation and Aerospace Ransomware Threats Rise in Aviation and Aerospace Cyber Security News
Lenovo IdeaCentre and Yoga Laptop BIOS Vulnerabilities Execute Arbitrary Code Lenovo IdeaCentre and Yoga Laptop BIOS Vulnerabilities Execute Arbitrary Code Cyber Security News
New ClickFix Campaign Hijacks Facebook Sessions Using Fake Verification Pages New ClickFix Campaign Hijacks Facebook Sessions Using Fake Verification Pages Cyber Security News
76 Zero-day Vulnerabilities Uncovered by Hackers on Pwn2Own Automotive 2026 76 Zero-day Vulnerabilities Uncovered by Hackers on Pwn2Own Automotive 2026 Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft Entra Passkey Enrollment Exploited by Hackers
  • RedHook Malware Exploits ADB Debugging for Control
  • ACSC Raises Alarm on CMS Exploitation Threat
  • GodDamn Ransomware Uses PoisonX to Evade Security
  • Critical Roundcube XSS Flaws Require Immediate Update

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft Entra Passkey Enrollment Exploited by Hackers
  • RedHook Malware Exploits ADB Debugging for Control
  • ACSC Raises Alarm on CMS Exploitation Threat
  • GodDamn Ransomware Uses PoisonX to Evade Security
  • Critical Roundcube XSS Flaws Require Immediate Update

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark