TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Recorded Future Blog

GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack

2026-02-18 · Read original ↗

ATT&CK techniques detected

28 predictions
T1059.001 PowerShell
99%
“…y('!cf0joaxml!', '!wfheyhkmz!')" Figure 8: PowerShell command (source: Cybereason). NetSupport RAT launch and persistence. The batch file starts client32.exe and sets a Run registry key to automatically relaunch the NetSupport RAT client at startup, establishing per…”
T1071.001 Web Protocols
98%
“…d3109f63881b9bcc87c72e9de78. SectopRAT C2 IP address: 85[.]158[.]110[.]179[:]15847. Other hashes: 5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428. Email address linked to GrayCharlie: oreshnik[@]mailum[.]com”
T1204.002 Malicious File
97%
“technique, Insikt Group observed a return to fake browser updates as early as October 12, 2025. Figure 5 provides an overview of Attack Chain 1. Figure 5: Attack Chain 1 (source: Recorded Future). Website compromise and lure delivery. Threat actors modify legitimate sites to l…”
T1204.004 Malicious Copy and Paste
91%
“links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript. Background script and profiling. A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to d…”
T1584.001 Domains
82%
“GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack. Executive summary. Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCh…”
T1071.001 Web Protocols
79%
“…[.]191[.]168, 194[.]180[.]191[.]171, 194[.]180[.]191[.]189. Cluster 2 NetSupport RAT C2 IP addresses: 5[.]181[.]159[.]9, 5[.]181[.]159[.]38, 5[.]181[.]159[.]112, 5[.]181[.]159[.]139, 5[.]181[.]159[.]140, 5[.]181[.]…”
T1071.001 Web Protocols
78%
“…303008; 5[.]181[.]159[.]38 | sssi2 | xmlctl | nsm303008; 5[.]181[.]159[.]140 | ssssi6 | xmlctl | nsm303008; 5[.]181[.]159[.]143 | ssssi8 | xmlctl | nsm303008; 5[.]181[.]159[.]142 | sssssi7 | xmlctl | nsm303008; 5[.]181[.]159[.]139 | ssssi5 | xmlctl | nsm303008. Table 2…”
T1059.001 PowerShell
74%
“technique, Insikt Group observed a return to fake browser updates as early as October 12, 2025. Figure 5 provides an overview of Attack Chain 1. Figure 5: Attack Chain 1 (source: Recorded Future). Website compromise and lure delivery. Threat actors modify legitimate sites to l…”
T1564.004 NTFS File Attributes
58%
“…8b3b472a4bc85 a0332fe0baa316fe793e757f9cf5938b099e97dc4624ead6f3bad8555c8a419b a1482e62ecc89696a75adea7052c2e98a75c9d37304723abd110d60962bafdb7 a28d0c82a2a37462c2975b5eda7f91e8fc3c2ed50abfe357948ec4faabbd4951 a6637685091835826e62af279cc6c648188797f9edc05a2399a6686349102774 a6f1…”
T1204.002 Malicious File
52%
“links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript. Background script and profiling. A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to d…”
T1566.001 Spearphishing Attachment
52%
“…b4c89 cc6ad344d30178e04e49ab16cd43744925676562aded051835fb3f73401f31fa ceab18331f785d0bf215f551b90f00567e36d339ba8e3ed8e45c0ad410b25808 d02a1eb597c66b602ac7d55095f771345ff5e90905ea12e523df2095030752b6 d6142f48664208710bab9fcab8dfcda66ad75ad756d2ce9c3aa243dcbc29bf4a d665a8547baf…”
T1588.001 Malware
51%
“or early April 2025, SmartApeSG shifted from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix. GrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recen…”
T1059.001 PowerShell
49%
“links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript. Background script and profiling. A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to d…”
T1059.001 PowerShell
45%
“443 linked to GrayCharlie within a controlled environment. Later that day, approximately three hours later, the threat actor connected using NetSupport RAT, compressed and moved two files, and then executed group and account reconnaissance commands. The same actor returned three …”
T1021.002 SMB/Windows Admin Shares
44%
“the external JavaScript hosted at hxxps://persistancejs[.]store/work/original[.]js (see Table 6). Insikt Group assesses that GrayCharlie (or the third party GrayCharlie works with) likely compromised these websites through a supply-chain vector. One potential …”
T1071.001 Web Protocols
44%
“…vocloud, the group’s core behaviors have remained consistent. Given its sustained activity, GrayCharlie is highly likely to remain active and continue targeting organizations worldwide, with a current emphasis on US entities, as indicated by Recorded Future network intelligen…”
T1584.004 Server
42%
“GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack. Executive summary. Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCh…”
T1195.001 Compromise Software Dependencies and Development Tools
42%
“an ID parameter (such as hxxps://signaturepl[.]com/work/index[.]php?abje2law). Notably, these URLs are updated over time by the threat actor, complicating detection and indicating the threat actor maintains ongoing access to a large pool of compromised WordPress …”
T1071.001 Web Protocols
40%
“the certificate with the common name june6 linked to 94[.]158[.]245[.]174 was created only 20 seconds later. Cluster 2. Cluster 2 comprises NetSupport RAT command-and-control servers whose TLS certificates typically start with two or more repetitions of “s”, followe…”
T1071.001 Web Protocols
39%
“…[.]252[.]178[.]35, 94[.]158[.]245[.]153, 94[.]158[.]245[.]170, 185[.]163[.]45[.]16, 194[.]180[.]191[.]18, 194[.]180[.]191[.]121, 194[.]180[.]191[.]209. NetSupport RAT hashes: 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc…”
T1204.002 Malicious File
39%
“port 443. Overall, Insikt Group assesses that GrayCharlie relies extensively on proxy services to administer its infrastructure. Additionally, based on presumed browsing activity from higher-tier servers, at least some individuals linked to GrayCharlie are assessed to be Russia…”
T1566.002 Spearphishing Link
36%
“November 2025, possibly through a supply-chain compromise involving a shared IT provider. To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block conn…”
T1055.012 Process Hollowing
36%
“d8d2092e174240d7bac63a9e1c199b442e1cb0f39d7fa32510b1aa7717c3ae38 e24de02415946133176b66017d54a5dcd7270c83f5ef01d79faff4e64d13c63b e5502722c2bb84876903549445534c47cdaa586a0bb1e5b3a53162d75cc6cb28 e66ae0ac443b5140a1b35b5aaa6899eea296d9d633988eb044a395a34a887431 e92e01977d85f6834f57…”
T1189 Drive-by Compromise
34%
“this includes NetSupport RAT command-and-control (C2) servers, staging infrastructure made up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie’s higher-tier infrastructure used to manage its operations. Insikt Group identif…”
T1566.001 Spearphishing Attachment
34%
“…158[.]245[.]115, 94[.]158[.]245[.]118, 94[.]158[.]245[.]131, 94[.]158[.]245[.]135, 94[.]158[.]245[.]137, 94[.]158[.]245[.]140, 94[.]158[.]245[.]174, 185[.]163[.]45[.]30, 185[.]163[.]45[.]41, 185[.]163[.]45…”
T1055.012 Process Hollowing
33%
“…d4977d4f240dcabd5cd67b936c0095c2d5b9a77896daea877df6 5eebdb584a1acd6aacc36c59c22ec51bbd077d2dbbe0890b52e62fa6fb9cf784 5ff742e134e3d17ec7abea435f718e8f5603b95e7984e024b2310ac9ef862ddf 60ff43424c0ba9dc259ab32405345ef325a4cb4d0baf0c0b0c13f9d3672e99eb 68c6411cc9afa68047641932530cf7…”
T1195.002 Compromise Software Supply Chain
32%
“November 2025, possibly through a supply-chain compromise involving a shared IT provider. To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block conn…”
T1204.001 Malicious Link
31%
“links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript. Background script and profiling. A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to d…”
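The snippets above recommend blocking or flagging connections to the RAT and infostealer infrastructure, and describe Cluster 2 NetSupport RAT C2 servers by their TLS certificate names. The following Python is an added example written for this page, not code from Recorded Future or TTPwire: it refangs the indicators quoted in the snippets (IPs, one IP:port, two URLs, one e-mail), sorts them into a blocklist, and runs that blocklist plus a Cluster 2 certificate-name check over connection log lines. The log format, the source addresses and the documentation-range destinations are constructed for the example. The Cluster 2 regex is an assumption: the report's sentence describing those names is truncated on this page, so the pattern is inferred only from the common names visible in the Table 2 excerpt (sssi2, ssssi6, ssssi8, sssssi7, ssssi5).

```python
"""Refang the defanged indicators quoted on this page and match them, plus the
Cluster 2 certificate-name pattern, against constructed connection log lines."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Indicators copied, still defanged, from the report snippets quoted above.
DEFANGED_IOCS = [
    "85[.]158[.]110[.]179[:]15847",                      # SectopRAT C2 (IP:port)
    "5[.]181[.]159[.]9", "5[.]181[.]159[.]38",            # Cluster 2 NetSupport RAT C2
    "5[.]181[.]159[.]112", "5[.]181[.]159[.]139",
    "5[.]181[.]159[.]140", "5[.]181[.]159[.]142",
    "5[.]181[.]159[.]143",
    "94[.]158[.]245[.]174",                               # host behind the 'june6' certificate
    "hxxps://persistancejs[.]store/work/original[.]js",   # external JavaScript loader
    "hxxps://signaturepl[.]com/work/index[.]php?abje2law",
    "oreshnik[@]mailum[.]com",                            # e-mail: kept out of the network blocklist
]

# ASSUMPTION: the report's description of Cluster 2 certificate names is truncated on
# this page; this pattern is inferred only from the CNs visible in the Table 2 excerpt
# (sssi2, ssssi6, ssssi8, sssssi7, ssssi5): two or more 's', an 'i', then digits.
CLUSTER2_CN = re.compile(r"^s{2,}i\d+$")


def refang(indicator: str) -> str:
    """Reverse the usual report defanging so the value matches raw log data."""
    out = indicator
    for defanged, real in (("[.]", "."), ("[:]", ":"), ("[@]", "@"),
                           ("hxxps://", "https://"), ("hxxp://", "http://")):
        out = out.replace(defanged, real)
    return out


def build_blocklist(indicators):
    """Sort refanged indicators into bare IPs, IP:port pairs and hostnames."""
    bl = {"ips": set(), "ip_ports": set(), "domains": set()}
    for raw in indicators:
        ioc = refang(raw)
        if "@" in ioc:                      # e-mail addresses are not network indicators
            continue
        if "://" in ioc:                    # URL: block by hostname, paths rotate
            bl["domains"].add(urlparse(ioc).hostname)
            continue
        host, _, port = ioc.partition(":")
        try:
            ip_address(host)
        except ValueError:                  # bare hostname
            bl["domains"].add(host)
            continue
        bl["ips"].add(host)
        if port:
            bl["ip_ports"].add((host, int(port)))
    return bl


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record (constructed format, see LOG_LINES)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def scan(lines, blocklist):
    """Return one hit per line that touches an indicator or a Cluster 2-style CN."""
    hits = []
    for line in lines:
        f = parse_line(line)
        reasons = []
        if f["dst"] in blocklist["ips"]:
            reasons.append(f"ip:{f['dst']}")
        if (f["dst"], int(f["dport"])) in blocklist["ip_ports"]:
            reasons.append(f"ip-port:{f['dst']}:{f['dport']}")
        if f.get("host") in blocklist["domains"]:
            reasons.append(f"domain:{f['host']}")
        if CLUSTER2_CN.match(f.get("cn", "")):   # catches C2 hosts not yet on the list
            reasons.append(f"cluster2-cn:{f['cn']}")
        if reasons:
            hits.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "reasons": reasons})
    return hits


# Constructed sample connection log. 10.x, 198.51.100.x and 203.0.113.x are private or
# documentation ranges, not indicators from the report; 'cn' is the server cert CN.
LOG_LINES = [
    "2026-02-18T09:01:02Z src=10.20.30.40 dst=5.181.159.140 dport=443 cn=ssssi6 host=-",
    "2026-02-18T09:03:11Z src=10.20.30.41 dst=85.158.110.179 dport=15847 cn=- host=-",
    "2026-02-18T09:04:45Z src=10.20.30.42 dst=203.0.113.7 dport=443 cn=- host=persistancejs.store",
    "2026-02-18T09:05:59Z src=10.20.30.43 dst=198.51.100.9 dport=443 cn=sssssi3 host=-",
    "2026-02-18T09:06:30Z src=10.20.30.44 dst=198.51.100.20 dport=443 cn=example.com host=example.com",
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES, build_blocklist(DEFANGED_IOCS)):
        print(hit["ts"], hit["src"], "->", hit["dst"], ", ".join(hit["reasons"]))
```

The fourth sample line is the point of the certificate check: its destination is not on the indicator list, yet the CN shape alone flags it, which matters because the snippets note that the actor rotates URLs and holds a large pool of compromised hosts. Treat a CN-only hit as a lead to triage, not an automatic block, since the regex is inferred from a handful of visible names.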

Summary

GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and SectopRAT.