{
	"id": "69682a73-2fdf-4f00-8b5c-b02fa86cfed7",
	"created_at": "2026-04-06T00:06:09.340673Z",
	"updated_at": "2026-04-10T03:35:52.937954Z",
	"deleted_at": null,
	"sha1_hash": "4c92ec27cabd70f496bfc1ea21b7b85dd24ba9bc",
	"title": "GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58114,
	"plain_text": "GrayAlpha Unmasked: New FIN7-Linked Infrastructure,\r\nPowerNet Loader, and Fake Update Attacks\r\nBy Insikt Group®\r\nArchived: 2026-04-05 13:12:07 UTC\r\nExecutive Summary\r\nInsikt Group identified new infrastructure associated with GrayAlpha, a threat actor that overlaps with the\r\nfinancially motivated group commonly referred to as FIN7. This newly identified infrastructure includes domains\r\nused for payload distribution and additional IP addresses believed to be tied to GrayAlpha. Insikt Group\r\ndiscovered a custom PowerShell loader named PowerNet, which decompresses and executes NetSupport RAT.\r\nInsikt Group identified another custom loader, referred to as MaskBat, that has similarities to FakeBat but is\r\nobfuscated and contains strings linked to GrayAlpha. Overall, Insikt Group found three primary infection\r\nmethods: fake browser update pages, fake 7-Zip download sites, and the traffic distribution system (TDS) TAG-124. Notably, the use of TAG-124 had not been publicly documented prior to this report. Although all three\r\ninfection vectors were observed being used simultaneously, only the fake 7-Zip download pages were still active\r\nat the time of writing, with newly registered domains appearing as recently as April 2025. Further analysis of\r\nthese sites led to the identification of an individual who may be involved in the GrayAlpha operation.\r\nIn the near term, defenders are advised to enforce application allow-lists to block the download of seemingly\r\nlegitimate files that contain malware. Where allow-lists are not practical, comprehensive employee security\r\ntraining becomes essential, particularly in recognizing suspicious behaviors such as unexpected prompts for\r\nbrowser updates or redirects caused by malvertising. Additionally, the use of detection rules, such as the YARA\r\nrules and Malware Intelligence Hunting queries provided in this report, is critical for identifying both existing and\r\npast infections. 
These rules should be updated frequently and supported with broader detection techniques,\r\nincluding monitoring of network artifacts and using Recorded Future Network Intelligence, due to the constantly\r\nevolving nature of malware.\r\nLooking ahead, defenders must monitor the broader cybercriminal ecosystem to anticipate and respond to\r\nemerging threats more effectively. The continued professionalization of cybercrime increases the likelihood of\r\norganizations across multiple industries being targeted. This trend is driven by the sustained profitability of\r\ncybercrime, limited international law enforcement collaboration, and the continuous evolution of security\r\ntechnologies, which in turn drive innovation among threat actors. While advanced persistent threat (APT) activity\r\nis often linked to state-sponsored entities, GrayAlpha illustrates that cybercriminal groups can demonstrate a\r\nsimilar level of persistence. Much like the ransomware-as-a-service (RaaS) model, cybercriminals are becoming\r\nhttps://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat\r\nPage 1 of 4\n\nincreasingly specialized and collaborative, making it imperative to adopt a comprehensive and adaptive security\r\nposture.\r\nKey Findings\r\nInsikt Group has identified new infrastructure linked to GrayAlpha — a threat actor overlapping with the\r\ngroup commonly known as FIN7 — including domains utilized for payload distribution and additional IP\r\naddresses believed to be part of the threat actor's infrastructure.\r\nInsikt Group has identified a new custom PowerShell loader dubbed PowerNet that decompresses and\r\nexecutes NetSupport RAT.\r\nInsikt Group identified another custom loader, referred to as MaskBat, which has similarities to FakeBat\r\nbut is obfuscated and contains strings linked to GrayAlpha.\r\nInsikt Group identified three main infection vectors associated with GrayAlpha: fake browser update\r\npages, 
fake 7-Zip download sites, and the TDS TAG-124 network. Notably, the use of the TDS TAG-124\r\ndelivery mechanism had not been publicly documented prior to this report.\r\nWhile all three infection methods were employed simultaneously, only the fake 7-Zip download pages\r\nappear to remain active at the time of writing, with the most recent domains surfacing as recently as April\r\n2025.\r\nThrough the analysis of the 7-Zip pages, Insikt Group identified an individual who may be connected to the\r\nGrayAlpha operation.\r\nBackground\r\nGrayAlpha is a threat actor cluster that overlaps with the financially motivated cybercriminal group commonly\r\nknown as FIN7, sharing key infrastructure, tooling, and tradecraft.\r\nFIN7 has been active since at least 2013 and is considered one of the most prolific and technically sophisticated\r\ncybercriminal groups targeting organizations worldwide. The group is organized like a professional business, with\r\ncompartmentalized teams handling malware development, phishing operations, money laundering, and\r\nmanagement. FIN7 is primarily known for financially motivated campaigns involving the theft of payment card\r\ndata and unauthorized access to corporate networks, particularly within the retail, hospitality, and financial sectors.\r\nIn 2018, the US Department of Justice (US DOJ) unsealed indictments against three high-ranking FIN7 members\r\n— Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov — highlighting the group’s extensive operations against\r\nbusinesses across 47 US states and multiple countries. Operating under the name of a sham cybersecurity firm,\r\n“Combi Security,” FIN7 leveraged social engineering and customized malware, including variants of Carbanak,\r\nthe group’s in-house developed backdoor, to compromise thousands of point-of-sale systems and exfiltrate over 15\r\nmillion payment card records. 
The US DOJ prosecutions revealed the group’s hierarchical command structure,\r\nwith members fulfilling defined roles in intrusion operations, malware administration, and logistical coordination.\r\nDespite the disruption to its leadership, FIN7’s underlying infrastructure and tradecraft persisted, enabling the\r\nbroader criminal enterprise to continue targeting global organizations.\r\nFIN7 uses a range of custom and repurposed malware and tooling to support its operations. The group typically\r\ngains initial access through spearphishing emails containing malicious attachments or links hosted on\r\ncompromised sites, often combined with callback phishing to increase credibility. FIN7’s early operations\r\nleveraged its then-proprietary Carbanak backdoor as the primary command-and-control framework, enabling the\r\ngroup to manage compromised hosts and coordinate post-compromise activity. POWERTRASH — a uniquely\r\nobfuscated, PowerShell-based, in-memory loader adapted from the PowerSploit framework — has also been a\r\nconsistent feature of FIN7 intrusions, used to deploy payloads such as DiceLoader and cracked Core Impact\r\nimplants to support exploitation, lateral movement, and persistence. FIN7 also developed AuKill (also known as\r\nAvNeutralizer), a custom EDR evasion utility designed to disable endpoint security solutions, which was later\r\nreported to have been offered for sale by the group on criminal marketplaces. 
In its most recent campaigns, FIN7\r\nhas been observed deploying the Python-based Anubis backdoor, which provides full system control via in-memory execution and communicates with its command-and-control infrastructure using Base64-encoded data.\r\nIn 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS\r\ngroups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside\r\nand BlackMatter. More recently, FIN7 has been observed leveraging NetSupport RAT embedded within malicious\r\nMSIX application packages, delivered via fake update sites and malvertising.\r\nThreat Analysis\r\nInfection Vectors\r\nOver the past year, Insikt Group has identified three distinct infection vectors associated with GrayAlpha,\r\nobserved during overlapping timeframes, and all ultimately resulting in NetSupport RAT infections. These vectors\r\ninclude:\r\nInfection Vector 1: Fake software updates impersonating legitimate products such as Concur\r\nInfection Vector 2: Malicious 7-Zip download pages\r\nInfection Vector 3: Use of the TAG-124 TDS\r\nIn these campaigns, GrayAlpha employed two primary types of PowerShell loaders: a self-contained custom script\r\nknown as PowerNet, and a dynamic loader — a customized variant of FakeBat — referred to as MaskBat (see\r\nFigure 1).\r\nInfection Vector 1: Fake Browser Updates\r\nInfrastructure Analysis\r\nSince at least April 2024, GrayAlpha has been observed leveraging fake browser update websites as part of its\r\noperations. 
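The three vectors described under Threat Analysis share one shape: a lure page hands the user an installer (MSIX or otherwise) from a domain the impersonated vendor does not own, a PowerShell stage (PowerNet, or the MaskBat variant of FakeBat) decompresses and executes the next payload, and the host ends up running NetSupport RAT. The Python script below is an added example written for this page; it is not the report's YARA rules or Malware Intelligence Hunting queries and not GrayAlpha code. It runs three string heuristics over constructed log records. Assumptions that are not from the page: the record field names are this example's own, the allow-list of vendor download hosts is illustrative, Windows paths are written with forward slashes, and the NetSupport Manager client file name (client32.exe, with its client32.ini configuration) is general product knowledge rather than something the report states.

```python
from urllib.parse import urlparse

# Added example, not code from the Insikt Group report. Three heuristics drawn
# from the behaviors the report describes, run over constructed log records.
# Assumptions (not from the page): record field names are this example's own;
# client32.exe / client32.ini are the NetSupport Manager client files (product
# knowledge); the trusted-host allow-list is illustrative; Windows paths are
# written with forward slashes.

# Markers of in-script decompression and of an execution sink. A PowerNet-like
# loader needs both; a backup script that only compresses has neither.
DECOMPRESS_MARKERS = ('gzipstream', 'deflatestream', 'io.compression', 'decompress')
EXEC_SINKS = ('invoke-expression', 'iex ', 'iex(', '[reflection.assembly]::load',
              'start-process', 'invoke-item')
NETSUPPORT_CLIENT = 'client32.exe'
SCRIPT_HOSTS = ('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')
# Hosts the impersonated products are legitimately fetched from (illustrative).
TRUSTED_DOWNLOAD_HOSTS = {'dl.google.com', 'www.7-zip.org'}
# Names the lure pages on this page hand out: browser updates and 7-Zip builds.
LURE_NAME_FRAGMENTS = ('update', '7z')
INSTALLER_SUFFIXES = ('.msix', '.exe', '.msi')


def looks_like_decompress_exec_loader(script_text: str) -> bool:
    # Decompression API plus an execution sink in the same script block.
    text = script_text.lower()
    return any(m in text for m in DECOMPRESS_MARKERS) and any(s in text for s in EXEC_SINKS)


def is_suspicious_download(url: str) -> bool:
    # Installer named like an update or a 7-Zip build, served from a host that
    # is not on the allow-list for that product.
    host = (urlparse(url).hostname or '').lower()
    name = url.rsplit('/', 1)[-1].lower()
    return (name.endswith(INSTALLER_SUFFIXES)
            and any(f in name for f in LURE_NAME_FRAGMENTS)
            and host not in TRUSTED_DOWNLOAD_HOSTS)


def is_suspicious_netsupport_launch(image: str, parent: str) -> bool:
    # NetSupport client started from outside its install directory, or spawned
    # by a scripting host, which is how a PowerShell loader would start it.
    image_l = image.lower()
    if not image_l.endswith(NETSUPPORT_CLIENT):
        return False
    outside_install_dir = 'program files' not in image_l
    scripted_parent = parent.lower() in SCRIPT_HOSTS
    return outside_install_dir or scripted_parent


def triage(events):
    # Returns (host, tag) pairs for every record that trips a heuristic.
    findings = []
    for ev in events:
        kind = ev.get('type')
        if kind == 'ps_script' and looks_like_decompress_exec_loader(ev['text']):
            findings.append((ev['host'], 'powershell-decompress-exec-loader'))
        elif kind == 'download' and is_suspicious_download(ev['url']):
            findings.append((ev['host'], 'installer-from-untrusted-host'))
        elif kind == 'process' and is_suspicious_netsupport_launch(ev['image'], ev.get('parent', '')):
            findings.append((ev['host'], 'netsupport-client-suspicious-launch'))
    return findings


SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    {'type': 'ps_script', 'host': 'WS01',
     'text': '$raw=[Convert]::FromBase64String($blob); $ms=New-Object IO.MemoryStream(,$raw); '
             '$gz=New-Object IO.Compression.GzipStream($ms,[IO.Compression.CompressionMode]::Decompress); '
             '$out=New-Object IO.MemoryStream; $gz.CopyTo($out); '
             'Invoke-Expression ([Text.Encoding]::ASCII.GetString($out.ToArray()))'},
    {'type': 'ps_script', 'host': 'WS02',
     'text': 'Compress-Archive -Path C:/Logs -DestinationPath C:/Temp/logs.zip'},
    {'type': 'download', 'host': 'WS03', 'url': 'https://browser-update-portal.example/Chrome-Update.msix'},
    {'type': 'download', 'host': 'WS04', 'url': 'https://www.7-zip.org/a/7z2409-x64.exe'},
    {'type': 'download', 'host': 'WS05', 'url': 'https://7zip-installer.example/7z2409-x64.exe'},
    {'type': 'process', 'host': 'WS03', 'parent': 'powershell.exe',
     'image': 'C:/Users/jdoe/AppData/Roaming/NetSupport/client32.exe'},
    {'type': 'process', 'host': 'WS06', 'parent': 'explorer.exe',
     'image': 'C:/Program Files (x86)/NetSupport/NetSupport Manager/client32.exe'},
]

if __name__ == '__main__':
    for host, tag in triage(SAMPLE_EVENTS):
        print(host, tag)
```

Run it directly to print the findings for the sample records. In practice the ps_script records would come from PowerShell script-block logging (Event ID 4104) and the process and download records from EDR or proxy telemetry. A match is a triage lead rather than a verdict: NetSupport Manager is a legitimate product with real deployments, and benign administrative scripts decompress data too, so the value of the combined rules is that a single host (WS03 above) lighting up on both the lure download and the scripted client launch is much harder to explain away than either alone.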
These sites impersonate a range of legitimate products and services, including Google Meet,\r\nLexisNexis, Asana, AIMP, SAP Concur, CNN, the Wall Street Journal, and Advanced IP Scanner, among others.\r\nTable 1 provides a list of domains associated with Infection Vector 1 that were still resolving as of 2025.\r\nHowever, it is important to note that active domain resolution does not necessarily indicate ongoing use by threat\r\nactors; in fact, the most recently observed domain began resolving in September 2024. A comprehensive list of all\r\ndomains linked to Infection Vector 1 — including those that did not resolve at any point in 2025 — can be found\r\nin Appendix A.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat"
	],
	"report_names": [
		"grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-10T02:00:03.873701Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c92ec27cabd70f496bfc1ea21b7b85dd24ba9bc.pdf",
		"text": "https://archive.orkl.eu/4c92ec27cabd70f496bfc1ea21b7b85dd24ba9bc.txt",
		"img": "https://archive.orkl.eu/4c92ec27cabd70f496bfc1ea21b7b85dd24ba9bc.jpg"
	}
}