GrayCharlie Exploits WordPress Sites
Since mid-2023, a cybercriminal group identified as GrayCharlie has been targeting WordPress sites by embedding harmful JavaScript, aiming to infect users’ systems with malware. This group’s activities overlap with the SmartApeSG cluster, also known by aliases such as ZPHP or HANEMONEY. Their primary weapon is the NetSupport RAT, a remote access trojan that provides attackers with full control over compromised devices.
Malware Tactics and Deployment
In addition to the NetSupport RAT, GrayCharlie has expanded its arsenal to include Stealc, a tool for stealing sensitive information, and more recently, SectopRAT, which broadens their capability to extract data from infiltrated systems. The group’s core strategy involves inserting a script tag into the Document Object Model (DOM) of legitimate, yet compromised, WordPress sites.
The malicious tag points to a JavaScript file hosted on a server controlled by the attackers. When a user visits the infected site, the browser loads and runs the script, which fingerprints the browser and operating system before deciding on the next course of action. This can lead to users being tricked into installing malware through fake browser update pages or deceptive CAPTCHA prompts.
Infrastructure and Global Reach
According to Recorded Future analysts, GrayCharlie’s backend infrastructure largely relies on services from MivoCloud and HZ Hosting Ltd. The researchers have tracked two distinct clusters of NetSupport RAT command-and-control (C2) servers, each characterized by unique TLS certificate naming conventions, license keys, and serial numbers, which were deployed consistently in 2025.
GrayCharlie manages these C2 servers over TCP port 443 and uses SSH to administer its staging servers, so that its activity blends in with normal traffic. Analysis suggests some members of the group may be Russian-speaking, based on higher-tier browsing patterns.
Impact on Industries and Mitigation Strategies
GrayCharlie’s attacks have affected numerous industries worldwide, with the United States experiencing the most frequent breaches. Research uncovered that at least fifteen American law firm websites were compromised, all displaying identical malicious JavaScript linked to the attackers’ domain. These breaches appear to have been facilitated through a supply-chain attack involving the SMB Team, a company providing IT services to many North American law firms.
The infection process involves an initial JavaScript prompt that, once executed, uses WScript to launch PowerShell, which then downloads and installs a full NetSupport RAT client in the user’s AppData folder. Similarly, the ClickFix method involves users executing a command that retrieves a batch file to install the RAT and ensures persistence by writing a Registry Run key.
To mitigate exposure, organizations should block known IP addresses and domains linked to GrayCharlie, implement YARA, Snort, and Sigma rules in SIEM or EDR platforms, and regularly inspect WordPress sites for unauthorized script injections in the DOM.
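The last recommendation above, inspecting a WordPress page for injected script tags, can be automated with a simple allowlist check. The script below is an added example written for this article, not tooling from Recorded Future or the article itself; the host names in it are constructed placeholders, and the allowlist of legitimate third-party script hosts is something each site owner has to supply.

```python
# Added example: flag <script src> tags on a fetched WordPress page whose host is
# neither the site itself nor on a per-site allowlist of known script providers.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptTagCollector(HTMLParser):
    """Collect the src attribute of every <script> tag that loads an external file."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def find_unauthorized_scripts(html, allowed_hosts, site_host):
    """Return the src values whose host is not the site and not allowlisted.

    Relative paths (e.g. /wp-includes/js/...) have no host and count as first-party.
    Scheme-relative URLs ("//cdn.example/x.js") are resolved so the host is checked.
    """
    parser = ScriptTagCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {site_host.lower()}
    flagged = []
    for src in parser.sources:
        url = "https:" + src if src.startswith("//") else src
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed:
            flagged.append(src)
    return flagged


# Constructed sample page: two legitimate tags plus one injected tag. The host
# "attacker-controlled.invalid" is a placeholder, not an indicator from the article.
SAMPLE_HTML = """
<html><body>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER"></script>
<script src="https://attacker-controlled.invalid/loader.js"></script>
</body></html>
"""

if __name__ == "__main__":
    hits = find_unauthorized_scripts(SAMPLE_HTML, ["www.googletagmanager.com"], "www.example-lawfirm.invalid")
    print("unauthorized script sources:", hits)
```

Run it on the HTML of each page periodically and alert on any new entry; a tag that appears in the served DOM but not in the theme or plugin files on disk is the pattern this group's injection produces.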
