{
	"id": "e0677275-aaec-46cd-8f8f-540aaf29aa24",
	"created_at": "2026-04-17T02:20:00.212809Z",
	"updated_at": "2026-04-18T02:21:47.466158Z",
	"deleted_at": null,
	"sha1_hash": "cab2d9730f70a1c2fc1b71dc4d3c58bbcda8ecd6",
	"title": "GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4795064,
	"plain_text": "GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain\r\nAttack\r\nBy Insikt Group®\r\nArchived: 2026-04-17 02:03:58 UTC\r\nExecutive Summary\r\nInsikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress\r\nsites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads\r\ndelivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the\r\ndeployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to\r\nGrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure\r\nused to administer operations. While most compromised websites appear to be opportunistic and span numerous\r\nindustries, Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised\r\naround November 2025, possibly through a supply-chain compromise involving a shared IT provider.\r\nTo protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated\r\nremote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites,\r\nand deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls\r\ninclude implementing email filtering and data exfiltration monitoring. 
See the Mitigations section of this report\r\nfor implementation guidance and Appendix A for a complete list of indicators of compromise (IoCs).\r\nKey Findings\r\nGrayCharlie, which overlaps with SmartApeSG and first emerged in mid-2023, is a threat actor that injects\r\nlinks to externally hosted JavaScript into compromised WordPress sites. These links redirect victims to\r\nNetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately\r\nresulting in Stealc and SectopRAT infections.\r\nInsikt Group identified a wide range of GrayCharlie infrastructure, largely associated with MivoCloud and\r\nHZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, staging infrastructure\r\nmade up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie’s\r\nhigher-tier infrastructure used to manage its operations.\r\nInsikt Group identified two primary attack chains associated with GrayCharlie: one in which victims\r\nencounter fake browser update pages after visiting compromised websites, and another in which they are\r\npresented with a ClickFix pop-up, a technique that has become increasingly common in 2025.\r\nBackground\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 1 of 29\n\nGrayCharlie is Insikt Group’s designation for a threat activity group that first appeared in mid-2023 and is behind\r\nSmartApeSG, also referred to as ZPHP or HANEYMANEY. The group’s operations typically involve injecting\r\nmalicious JavaScript into legitimate but compromised WordPress sites. 
Visitors to these sites are shown\r\nconvincing, browser-specific fake update prompts (such as for Chrome, Edge, or Firefox) that encourage them to\r\ndownload what appears to be an update but is actually malware.\r\nIn late March or early April 2025, SmartApeSG shifted from using fake browser updates to deploying ClickFix\r\nlures, mirroring a broader trend among threat actors of increasingly adopting ClickFix.\r\nGrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recently,\r\nSectopRAT, have been observed in rare instances. The group’s ultimate objectives remain uncertain. Current\r\nevidence suggests a focus on data theft and financial gain, with a theoretical, but unsubstantiated, possibility that it\r\nmay sell or transfer access to other threat actors.\r\nThreat Analysis\r\nInsikt Group has been tracking GrayCharlie for an extended period and has observed the actor’s persistent\r\nbehavior since its emergence in 2023. GrayCharlie continues to conduct the same types of operations, regularly\r\ndeploying large volumes of new infrastructure and adhering to consistent tactics, techniques, and procedures\r\n(TTPs), including continued use of the same infection chains and NetSupport RAT payloads. The group targets\r\norganizations worldwide, with a particular focus on the US. The following sections provide a detailed examination\r\nof GrayCharlie’s operational infrastructure and its two primary attack chains.\r\nInfrastructure Analysis\r\nNetSupport RAT Clusters\r\nInsikt Group identified two main NetSupport RAT clusters linked to GrayCharlie based on factors such as TLS\r\ncertificates, NetSupport serial numbers and license keys, and the timing of the activity (see Figure 1). In addition,\r\nInsikt Group identified a range of other NetSupport RAT C2 servers linked to GrayCharlie activity, but which are\r\nnot currently attributed to either of the two main clusters. 
Insikt Group assesses that these clusters may correspond\r\neither to different individuals associated with GrayCharlie or to distinct GrayCharlie campaigns. The clusters are\r\nfurther described below.\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 2 of 29\n\nFigure 1: Overview of GrayCharlie clusters observed in 2025 (Source: Recorded Future)\r\nCluster 1\r\nCluster 1 comprises NetSupport RAT C2 servers whose TLS certificates display a recurring monthly naming\r\npattern. All servers in this cluster are hosted by MivoCloud and were deployed between March and August 2025.\r\nNotably, NetSupport RAT samples associated with the cluster’s March and April infrastructure used the license\r\nkey DCVTTTUUEEW23 and serial number NSM896597 , before shifting to the license key EVALUSION and serial\r\nnumber NSM165348 in subsequent deployments. The C2 servers associated with this cluster are listed in Table 1.\r\nIP Address TLS Common Name License Key Serial Number\r\n194[.]180[.]191[.]51 mar5 DCVTTTUUEEW23 NSM896597\r\n194[.]180[.]191[.]168 mar4 DCVTTTUUEEW23 NSM896597\r\n194[.]180[.]191[.]171 mar3 DCVTTTUUEEW23 NSM896597\r\n5[.]181[.]159[.]60 mar1 DCVTTTUUEEW23 NSM896597\r\n194[.]180[.]191[.]17 mar2 DCVTTTUUEEW23 NSM896597\r\n94[.]158[.]245[.]66 apr2 DCVTTTUUEEW23 NSM896597\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 3 of 29\n\nIP Address TLS Common Name License Key Serial Number\r\n94[.]158[.]245[.]81 apr3 DCVTTTUUEEW23 NSM896597\r\n185[.]225[.]17[.]74 apr4 DCVTTTUUEEW23 NSM896597\r\n194[.]180[.]191[.]189 apr1 DCVTTTUUEEW23 NSM896597\r\n5[.]252[.]178[.]123 may5 EVALUSION NSM165348\r\n94[.]158[.]245[.]104 may1 EVALUSION NSM165348\r\n94[.]158[.]245[.]115 may2 EVALUSION NSM165348\r\n94[.]158[.]245[.]118 may3 EVALUSION NSM165348\r\n94[.]158[.]245[.]131 may4 EVALUSION NSM165348\r\n94[.]158[.]245[.]137 may53 EVALUSION 
NSM165348\r\n94[.]158[.]245[.]13 june2 EVALUSION NSM165348\r\n94[.]158[.]245[.]174 june6 EVALUSION NSM165348\r\n94[.]158[.]245[.]140 june1 EVALUSION NSM165348\r\n185[.]163[.]45[.]30 june7 EVALUSION NSM165348\r\n94[.]158[.]245[.]63 june3 EVALUSION NSM165348\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 4 of 29\n\nIP Address TLS Common Name License Key Serial Number\r\n94[.]158[.]245[.]111 june7 EVALUSION NSM165348\r\n94[.]158[.]245[.]135 june5ebatquot EVALUSION NSM165348\r\n5[.]252[.]178[.]23 july9 EVALUSION NSM165348\r\n185[.]163[.]45[.]41 july1 EVALUSION NSM165348\r\n185[.]163[.]45[.]61 july3 EVALUSION NSM165348\r\n185[.]163[.]45[.]73 july4 EVALUSION NSM165348\r\n185[.]163[.]45[.]87 july6 EVALUSION NSM165348\r\n185[.]163[.]45[.]97 july8 EVALUSION NSM165348\r\n185[.]163[.]45[.]130 july9 EVALUSION NSM165348\r\nTable 1: NetSupport RAT C2 servers linked to Cluster 1 (Source: Recorded Future)\r\nNotably, the NetSupport RAT C2 servers in Cluster 1 are connected not only through the characteristics previously\r\ndescribed, but also by the near-simultaneous creation of their TLS certificates. For example, the TLS certificate\r\nwith the common name june5ebatquot associated with IP address 94[.]158[.]245[.]135 was generated on June\r\n30, 2025 at 4:55:20 PM, while the certificate with the common name june6 linked to 94[.]158[.]245[.]174 was\r\ncreated only 20 seconds later.\r\nCluster 2\r\nCluster 2 comprises NetSupport RAT command-and-control servers whose TLS certificates typically start with\r\ntwo or more repetitions of “s”, followed by an “i” and a number (so “ sssi3 ”, for example). NetSupport RAT\r\nsamples linked to Cluster 2 used the license key XMLCTL and serial number NSM303008 . The NetSupport RAT\r\nC2 servers typically also host an instance of the vulnerability scanner Acunetix. 
The C2 servers associated with\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 5 of 29\n\nthis cluster are listed in Table 2. Notably, all TLS certificates associated with this cluster were created in a single\r\nbatch on June 17, 2025.\r\nIP Address TLS Common Name License Key Serial Number\r\n5[.]181[.]159[.]112 sssi3 XMLCTL NSM303008\r\n5[.]181[.]159[.]9 ssi1 XMLCTL NSM303008\r\n5[.]181[.]159[.]38 sssi2 XMLCTL NSM303008\r\n5[.]181[.]159[.]140 ssssi6 XMLCTL NSM303008\r\n5[.]181[.]159[.]143 ssssi8 XMLCTL NSM303008\r\n5[.]181[.]159[.]142 sssssi7 XMLCTL NSM303008\r\n5[.]181[.]159[.]139 ssssi5 XMLCTL NSM303008\r\nTable 2: NetSupport RAT C2 servers linked to Cluster 2 (Source: Recorded Future)\r\nOf note, one NetSupport RAT C2 server (94[.]158[.]245[.]56) used a TLS certificate with the common name\r\n23sss, created in May 2025, and was linked to a NetSupport RAT sample that carried the same license key\r\n( EVALUSION ) and serial number ( NSM165348 ) previously observed in Cluster 1.\r\nOther NetSupport RAT C2 Servers\r\nInsikt Group identified an additional set of NetSupport RAT C2 servers linked to GrayCharlie that did not form a\r\ndistinct cluster (see Table 3). 
However, all the servers were hosted by MivoCloud and were associated with\r\nNetSupport RAT samples using license key and serial number combinations observed in Clusters 1 and 2.\r\nIP Address TLS Common Name License Key Serial Number\r\n5[.]181[.]159[.]29 ssdecservicsdes N/A N/A\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 6 of 29\n\nIP Address TLS Common Name License Key Serial Number\r\n194[.]180[.]191[.]18 papichssd2 DCVTTTUUEEW2 NSM896597\r\n94[.]158[.]245[.]153 kosmo2 XMLCTL NSM303008\r\n94[.]158[.]245[.]170 normvork XMLCTL NSM303008\r\n5[.]181[.]159[.]62 ffdds DCVTTTUUEEW23 NSM896597\r\n5[.]181[.]156[.]234 wedn1 XMLCTL NSM303008\r\n5[.]252[.]178[.]35 scgs234123 XMLCTL NSM303008\r\n194[.]180[.]191[.]209 novemsdf XMLCTL NSM303008\r\n5[.]181[.]156[.]244 wends4 XMLCTL NSM303008\r\n194[.]180[.]191[.]121 novaksuur EVALUSION NSM165348\r\n5[.]252[.]177[.]120 lohsd XMLCTL NSM303008\r\n5[.]252[.]177[.]15 bounce XMLCTL NSM303008\r\n185[.]163[.]45[.]16 update1 XMLCTL NSM303008\r\nTable 3: Additional NetSupport RAT C2 servers linked to GrayBravo (Source: Recorded Future)\r\nStaging Infrastructure\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 7 of 29\n\nOnce GrayCharlie victims land on the compromised WordPress sites, thereby satisfying the conditional logic, the\r\npayload is typically fetched from the attacker-controlled infrastructure and injected into the compromised\r\nWordPress sites. Insikt Group has identified two distinct types of staging infrastructure, each characterized by\r\ndifferent website templates. 
Type 1 is modeled after “Wiser University,” and Type 2 is modeled after “Activitar.”\r\nType 1: “Wiser University”\r\nThe IP addresses associated with the Type 1 staging infrastructure are linked to websites impersonating “Wiser\r\nUniversity” (see Figure 2), a fictional entity used to demonstrate Wiser, a free Bootstrap HTML5 education\r\nwebsite template for school, college, and university websites. (As a sidenote, Oreshnik is the name of a Russian\r\nintermediate-range ballistic missile reportedly capable of speeds exceeding Mach 10.) Appendix B lists the IP\r\naddresses associated with the Type 1 staging infrastructure. All IP addresses, except for one, are announced by\r\nAS202015 (HZ Hosting Ltd).\r\nFigure 2: Website impersonating “Wiser University” (Source: Recorded Future)\r\nSuspected Testing Infrastructure\r\nAlthough most IP addresses associated with the Type 1 staging infrastructure are announced by AS202015, as\r\nshown in Appendix B, Insikt Group also identified a small subset announced by other ASNs that host the same\r\nwebsites (see Table 4). 
On average, approximately one such IP address appears to be established each month.\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 8 of 29\n\nNotably, most of these IP addresses appear to geolocate to Russia, and the same ASNs are consistently reused\r\nwithin the same timeframe.\r\nIP Address ASN Country Date of Emergence\r\n89[.]253[.]222[.]25 AS41535 RU 2025-08-29\r\n89[.]253[.]222[.]156 AS41535 RU 2025-08-26\r\n89[.]169[.]12[.]48 AS207957 GB 2025-07-08\r\n185[.]231[.]245[.]158 AS202984 RU 2025-06-27\r\n95[.]182[.]123[.]86 AS202984 RU 2025-05-19\r\n23[.]140[.]40[.]66 AS61400 RU 2025-04-11\r\n217[.]114[.]15[.]253 AS198610 RU 2025-04-09\r\n45[.]153[.]191[.]245 AS198610 RU 2025-03-21\r\n46[.]29[.]163[.]28 AS51659 RU 2025-02-06\r\nTable 4: Additional infrastructure possibly linked to GrayCharlie (Source: Recorded Future)\r\nType 2: “Activitar”\r\nInsikt Group identified an additional set of staging infrastructure, referred to as “Type 2.” The IP addresses in this\r\ncluster commonly host specific websites (see Figure 3). Insikt Group assesses that this template was sourced\r\nelsewhere and is not unique to GrayCharlie.\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 9 of 29\n\nFigure 3: Website impersonating “Activitar” (Source: Recorded Future)\r\nA subset of domains and IP addresses associated with Type 2 is presented in Table 5. 
Notably, most of the IP\r\naddresses are also announced by AS202015 (HZ Hosting Ltd), and one domain in Table 5,\r\nfilmlerzltyazilimsx[.]shop, is linked to the email address oreshnik[@]mailum[.]com through its WHOIS record.\r\nDomain IP Address ASN\r\nfilmlerzltyazilimsx[.]shop 79[.]141[.]163[.]169 AS202015\r\nfoolowme[.]com 144[.]172[.]115[.]211 AS14956\r\njoiner[.]best 79[.]141[.]162[.]135 AS202015\r\nlowi1[.]com 185[.]33[.]86[.]11 AS202015\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 10 of 29\n\nDomain IP Address ASN\r\nmorniksell[.]com 172[.]86[.]90[.]84 AS14956\r\npersistancejs[.]store 185[.]80[.]53[.]79 AS59711\r\npomofight[.]com 45[.]61[.]134[.]76 AS14956\r\nport4loms[.]com 194[.]15[.]216[.]118 AS197155\r\nsignaturepl[.]com 77[.]83[.]199[.]162 AS202015\r\nyungask[.]com 91[.]193[.]19[.]220 AS202015\r\nTable 5: Domains and IP addresses linked to Type 2 staging infrastructure (Source: Recorded Future)\r\nCompromised Infrastructure\r\nGrayCharlie commonly injects malicious scripts into the Document Object Model (DOM) of compromised\r\nWordPress sites using script tags. Insikt Group has identified several recurring URL patterns tied to this activity:\r\nsome URLs load externally hosted JavaScript files (such as hxxps://joiner[.]best/work/original[.]js), while others\r\ncall a PHP file on specific endpoints using an ID parameter (such as hxxps://signaturepl[.]com/work/index[.]php?\r\nabje2LAw). Notably, these URLs are updated over time by the threat actor, complicating detection and indicating\r\nthe threat actor maintains ongoing access to a large pool of compromised WordPress installations. Appendix A\r\nlists a subset of WordPress websites infected by GrayCharlie.\r\nAlthough the exact initial access vector is unknown, it is likely that the actors either purchase access, such as via\r\nmalware logs containing WordPress admin credentials, or exploit vulnerable WordPress plugins. 
The latter\r\nremains the most frequent cause of all WordPress compromises.\r\nSuspected Compromise of “Law Firm Acceleration Company” SMB Team\r\nWhile the GrayCharlie-linked compromised WordPress sites span a wide range of industry verticals, in a few rare\r\ninstances, the threat actors appear to have obtained, either through their own intrusions or via a third party, a more\r\ntargeted set of WordPress domains. Specifically, at least fifteen websites belonging to US law firms were observed\r\nloading the external JavaScript hosted at hxxps://persistancejs[.]store/work/original[.]js (see Table 6).\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 11 of 29\n\nInsikt Group assesses that GrayCharlie (or the third party GrayCharlie works with) likely compromised these\r\nwebsites through a supply-chain vector. One potential avenue is SMB Team, the self-described “fastest-growing\r\nlaw firm acceleration company,” which has supported thousands of firms across North America, according to its\r\nwebsite, as its logo and other references appear across many of the websites listed in Table 6 (see Figure 4).\r\nNotably, credentials associated with an SMB Team email address used for a WordPress hosting platform surfaced\r\naround the same time that the domain persistancejs[.]store first began resolving. This temporal overlap suggests\r\nthat the threat actors may have gained access to SMB Team-related infrastructure through the use of legitimate,\r\ncompromised credentials.\r\nDomain Company Country\r\nSMB\r\nTeam\r\nbianchilawgroup[.]com Bianchi Law Group US Yes\r\nbrattonlawgroup[.]com Bratton Law Group US Yes\r\nbrighterdaylaw[.]com Brighter Day Law US N/A\r\ndefensegroup[.]com The Defense Group US Yes\r\ndwicriminallawcenter[.]com Benjamin Law Firm LLC US Yes\r\nfisherstonelaw[.]com Fisher Stone, P.C. 
US Yes\r\njarrettfirm[.]com Jarrett \u0026 Price LLC US Yes\r\nraineyandrainey[.]com Rainey \u0026 Rainey Attorneys At Law PLLC US Yes\r\nrbbfirm[.]com Buchanan Law Group US Yes\r\nrmvlawyer[.]com The Law Office of Brian Simoneau, P.C. US Yes\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 12 of 29\n\nDomain Company Country\r\nSMB\r\nTeam\r\nwww[.]brentadams[.]com Brent Adams \u0026 Associates US Yes\r\nwww[.]cfblaw[.]com Cohen Forman Barone, PC US Yes\r\nwww[.]gerlinglaw[.]com Gerling Law Injury Attorneys US Yes\r\nwww[.]immigration-defense[.]com Law Offices of Daniel Shanfield US Yes\r\nwww[.]schwartzandschwartz[.]com\r\nSchwartz \u0026 Schwartz Attorneys at Law,\r\nP.A.\r\nUS N/A\r\nTable 6: Compromised law firm websites linked to GrayCharlie (Source: Recorded Future)\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 13 of 29\n\nFigure 4: Website of Gerling Law Injury Attorneys (top) and SMBTeam logo (bottom) (Source: URLScan)\r\nNotably, while an SMB Team compromise is possible, Insikt Group also assesses that the actors may have\r\nexploited a specific version of WordPress or its plugins used by SMB Team, which could explain the simultaneous\r\ncompromise of all affected websites.\r\nIn some instances, the same compromised WordPress sites are compromised by multiple threat actors\r\nsimultaneously. For example, bianchilawgroup[.]com was also breached by TAG-124 (also known as\r\nLandUpdate808 or Kongtuke) since at least December 2025, which used the domain vimsltd[.]com.\r\nHigher-Tier Analysis\r\nGrayCharlie administers its staging infrastructure primarily over SSH, though other ports are used intermittently.\r\nThe group manages its NetSupport RAT C2 servers over TCP port 443. Overall, Insikt Group assesses that\r\nGrayCharlie relies extensively on proxy services to administer its infrastructure. 
Additionally, based on presumed\r\nbrowsing activity from higher-tier servers, at least some individuals linked to GrayCharlie are assessed to be\r\nRussian-speaking.\r\nAttack-Chain Analysis\r\nGrayCharlie has been observed using two different attack chains to deliver NetSupport RAT. The first chain uses\r\ncompromised websites to distribute a fake browser update that triggers the retrieval and installation of a script-based payload; the second chain uses compromised WordPress sites and a ClickFix-style lure that copies a\r\ncommand to fetch and install the RAT. Both culminate in NetSupport execution from %AppData% , Registry Run\r\nkey persistence, and C2 connectivity; the technical details are expanded below.\r\nAttack Chain 1: Fake Browser Update Leading to NetSupport RAT\r\nAccording to public reporting, when GrayCharlie first became active in mid-2023, it relied on fake browser\r\nupdates to deliver the NetSupport RAT. Although the group later shifted to the ClickFix technique, Insikt Group\r\nobserved a return to fake browser updates as early as October 12, 2025. Figure 5 provides an overview of Attack\r\nChain 1.\r\nFigure 5: Attack Chain 1 (Source: Recorded Future)\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 14 of 29\n\n1. Website compromise and lure delivery. Threat actors modify legitimate sites to load malicious scripts\r\nthat render a browser-specific “update” prompt. Selecting the prompt initiates download of a ZIP “update”\r\npackage containing a primary JavaScript file alongside decoy .dat files.\r\n2. User-executed JavaScript loader. The victim manually runs the .js script. The script mimics a benign\r\nbrowser component to reduce suspicion while silently initiating the next stage of the attack.\r\n3. PowerShell staging via WScript. The JavaScript launches wscript.exe , which spawns\r\npowershell.exe . 
PowerShell reaches out to a remote host to fetch an obfuscated JavaScript containing\r\nencoded tasking.\r\n4. Secondary payload retrieval. PowerShell decodes instructions and downloads the actual payload ZIP\r\narchive. This archive contains a complete NetSupport RAT client set, including client32.exe and\r\nrequired DLLs.\r\n5. File deployment and execution. The archive is extracted under the user profile (for example,\r\n%AppData%\\Roaming\\... ). client32.exe is started in the background to minimize visible indicators to\r\nthe user.\r\n6. Persistence establishment. A Windows Run registry key is created to automatically launch\r\nclient32.exe at logon, ensuring the NetSupport RAT remains active after reboots without requiring\r\nfurther user interaction.\r\n7. C2 readiness. With the NetSupport RAT client running on the infected host, the endpoint is prepared to\r\nestablish command-and-control connectivity with the attacker's infrastructure.\r\nAttack Chain 2: WordPress Redirects and ClickFix Leading to NetSupport RAT\r\nAs early as April 2025, GrayCharlie began using ClickFix as a secondary attack chain, consistent with industry\r\nreporting that many threat actors have adopted ClickFix techniques due to their effectiveness. Figure 6 provides\r\nan overview of Attack Chain 2.\r\nFigure 6: Attack Chain 2 (Source: Recorded Future)\r\n1. Initial delivery and redirection. Phishing emails, malicious PDFs, or links on gaming sites direct users to\r\ncompromised WordPress pages that embed attacker JavaScript.\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 15 of 29\n\n2. Background script and profiling. A background script loads when the site is visited, injects an iframe,\r\nand profiles the environment (such as the operating system and browser) to deliver the next stage.\r\n3. ClickFix fake CAPTCHA. 
The page presents a fake CAPTCHA that quietly copies a malicious command\r\nto the user’s clipboard and instructs them to paste it into the Windows Run dialog (Win+R), turning social\r\nengineering into user-assisted execution (see Figure 7).\r\nFigure 7: Fake CAPTCHA (Source: Elastic)\r\n4. Command-driven staging. The pasted command retrieves a batch file that downloads a ZIP containing\r\nNetSupport RAT and uses PowerShell to extract it into %AppData%\\Roaming\\ (see Figure 8).\r\npowershell -Win^dow Style Hidden -Command \"Add-Type -AssemblyName 'System. IO.Compression\r\nFileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('!CF0JOAXML!','!WFHEYHKMZ!')\"\r\nFigure 8: PowerShell command (Source: Cybereason)\r\n5. NetSupport RAT launch and persistence. The batch file starts client32.exe and sets a Run registry\r\nkey to automatically relaunch the NetSupport RAT client at startup, establishing persistence on the\r\nendpoint.\r\n6. Remote access and follow-on actions. Once connected to C2, operators can interact with the system,\r\nperform reconnaissance (for example, domain group membership queries), transfer files, execute additional\r\ncommands, and potentially move laterally using access acquired from the host.\r\nObserved Operator Activity\r\nIn October 2025, Insikt Group detonated a NetSupport RAT sample (SHA256:\r\n31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c) with the C2 server\r\n5[.]181[.]156[.]234[:]443 linked to GrayCharlie within a controlled environment. Approximately three hours later\r\nthat day, the threat actor connected using NetSupport RAT, compressed and moved two files, and then\r\nexecuted group and account reconnaissance commands. 
The same actor returned three days later and repeated the\r\npreviously observed reconnaissance commands (see Figure 9).\r\nnet group /domain \"Domain COmputers\"\r\nC:\\Windows\\system32\\net1 group /domain \"Domain COmputers\"\r\nFigure 9: Reconnaissance commands (Source: Recorded Future)\r\nWhen both files were compressed into a single ZIP archive and the executable was detonated, the process\r\nsideloaded a DLL identified as Sectop RAT (SHA256:\r\n59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78) with the C2 server\r\n85[.]158[.]110[.]179[:]15847. The executable (SHA256:\r\n5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428) was identified as “Merge XML\r\nFiles”, version 1.2.0.0, developed by Vovsoft, and was signed with a digital certificate that expired on October 31,\r\n2025.\r\nMitigations\r\nLeverage the IoCs in Appendix A and Appendix B to investigate potential past or ongoing infections, both\r\nsuccessful and attempted; Recorded Future customers can use the Recorded Future Intelligence Operations\r\nPlatform to monitor for future IoCs associated with GrayCharlie.\r\nMonitor for validated infrastructure associated with the malware families discussed in this report, including\r\nNetSupport RAT and Stealc, as well as numerous others identified and validated by Insikt Group, and\r\nintegrate these indicators into relevant detection and monitoring systems.\r\nLeverage the Sigma, YARA, and Snort rules provided in Appendices D, E, and F in your security\r\ninformation and event management (SIEM) or endpoint detection and response (EDR) tools to detect the\r\npresence or execution of NetSupport RAT. 
Customers can use additional detection rules available in the\r\nRecorded Future Intelligence Operations Platform.\r\nUse Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate\r\ninfrastructure to known malicious infrastructure.\r\nUse the Recorded Future Intelligence Operations Platform to monitor GrayCharlie, other threat actors, and\r\nthe broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures\r\n(TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat\r\nactors), and emerging developments.\r\nUse Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to your\r\ncompany. For example, if you want to stay informed about activities related to GrayCharlie, you can\r\nreceive regular AI-generated updates on this threat actor.\r\nhttps://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\r\nPage 17 of 29\n\nOutlook\r\nGrayCharlie has been operating for more than two years, and despite shifts in its tactics, such as alternating\r\nbetween fake updates and ClickFix techniques or transitioning from SmartApe to other hosting providers like\r\nMivoCloud, the group’s core behaviors have remained consistent. 
Given its sustained activity, GrayCharlie is\r\nhighly likely to remain active and continue targeting organizations worldwide, with a current emphasis on US\r\nentities, as indicated by Recorded Future Network Intelligence.\r\nInsikt Group will continue to closely monitor GrayCharlie to detect emerging threats and evaluate the group’s\r\nstrategic direction within the broader cybercriminal ecosystem.\r\nAppendix A: Indicators of Compromise\r\nCluster 1 NetSupport RAT C2 IP Addresses:\r\nCluster 2 NetSupport RAT C2 IP Addresses:\r\nOther NetSupport RAT C2 Servers:\r\nNetSupport RAT 
Hashes:\r\n06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268\r\n0e9df9294c36702eee970efcb4a70b6ddb433190ab661273e2e559185c55b6c1\r\n112bf17e7c0d0695e9229d60f0d2734c6b96d7edfb41ea3e98e518f4fb1ae6e9\r\n11370e108c8e7a53e52f01df0829c8addb5833145618a7701fbedbb1d837a43d\r\n15dfe9d443027ba01b8f54f415fd74d373b3a06017db8ef110fb55b33357b190\r\n16c8b5e10135d168d73a553a4bda51628e5b4fd419c0ecd47ca4cd7aa864ebd5\r\n18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d\r\n1900ca9b482273df3127e221526023c025808d8fd65769a418fe1f346e7d41e2\r\n1c389bf1859a00c58b6a97c02fc26c2fe9766c43e06242a94e92b6585b62398b\r\n21a24922b29742977c4f7e25dd2be056dc02bc5e70c98e32ec3e0c6206f4d9ef\r\n312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67\r\n31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c\r\n31f69d67eca6f3fc837e8d10dff4e2fb6643e33c118cff87df4fee2b183bf0e0\r\n37e8b57ff4d724053b1917dc6edaca0708d44ceecd00cab7e4cabb336c2868d7\r\n3ac57bea954ce68dc937f6954ae8a6a19a367a579aeeda7cc93ddd5968fae250\r\n3ada20fbd80ec7f536db8303a5fa029af741a6914de61376ac8f81ac3ac728fd\r\n3b5658532bc4058131689c5641def85d7ae25d5b837d3d1aff3af7bb25581f17\r\n3c499faac4b973c237670f046973691a245ecd735ffebcca3e93337d94b71cde\r\n3c4b87be8450e3120b7ad2b11ff59850950beb39906dc1636b3ee7b6390f2086\r\n4732f025a2a69f6c40787854c5da122689702f00f4f423061bb30ab7fa1e98d3\r\n5381b2a7a77448c4908f5c79d21631f56c88ead0365981cac1dcaafe493c313e\r\n53e9511401000f61c9d910b92cd6d5a58e38ae541975135944885e53fa91ecb7\r\n5dfbd8cf98ebd4977d4f240dcabd5cd67b936c0095c2d5b9a77896daea877df6\r\n5eebdb584a1acd6aacc36c59c22ec51bbd077d2dbbe0890b52e62fa6fb9cf784\r\n5ff742e134e3d17ec7abea435f718e8f5603b95e7984e024b2310ac9ef862ddf\r\n60ff43424c0ba9dc259ab32405345ef325a4cb4d0baf0c0b0c13f9d3672e99eb\r\n68c6411cc9afa68047641932530cf7201f17029167d4811375f1458cae32c7bd\r\n6b2c41b42f75e64d435ba56c2f2b6d79a11b862a2d994487dab3e51e298bc5c9\r\n6b93b7372941a09f1ea69f8b71c5c4e211ea0f8a24061e702002ca84457bcddd\r\n6d0857a9c77f9c5f2
a5e6921e1cb9f7e1a5d6b947ad63b364d291157d3f840fb\r\n70f3a6fdbbc5e2ae79c28b48b6478ee3c8ea6f2b705ca9dc9bf8e63a4f6e0c8d\r\n72baf2ecb0a9df607e54b64c0925ffc6739ab5a8b18900bf5c1930bcc799395d\r\n748d546c6db44f6aa4bbb8e586d79f56c63fa87580eb19a0f2d5079cbe0952b7\r\n79040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89\r\n797ae2dbb2c538710fefe75dbe380b9f55b614cb03c4ae09bb3172e8234dd9d9\r\n7a73ae8cca6ce6fa88f89d6154811cb453d6e6db9fa8ed5fbdaf8895aae601a5\r\n7b19538dcf6d4bb84590c458f09c5707c8db53a42861fa56533c49c1a3acd953\r\n7e3634bfd66e601d7585b237437f11f7d614b33705ba5f7bd75ab176c8250d38\r\n858dfa529b960c6f6226b53beb55ba1900d3f498ba7be40724ed5c16d7d5a44b\r\n871e5629d9c8898babf3ed579586e3f5f94a6c4623d3a0a7f9a99bf9d95ffc7b\r\n8763749fd09245e7fa8c0ee2cc797d5520a9ef5d6846f044a0cd7c969c4bd7d4\r\n89d839bbdc786c006304f3c6c6939150380aaa9e84d82bc31cdf0cf7609a6243\r\n8b21fbd40c89763f51d5e06680c0971623500f4724c25958446bac794797057b\r\n8baebd525324297faf86639266060172ded963767c832a609a991fa92c8463ab\r\n8d1ed904d90e08048f42cdc9a25c2159f0f8dc4aa9dc01b0207645ea53abe189\r\n957ab8417606ad41ad31f006d997af3f647dd5215af899551d08b3b472a4bc85\r\na0332fe0baa316fe793e757f9cf5938b099e97dc4624ead6f3bad8555c8a419b\r\na1482e62ecc89696a75adea7052c2e98a75c9d37304723abd110d60962bafdb7\r\na28d0c82a2a37462c2975b5eda7f91e8fc3c2ed50abfe357948ec4faabbd4951\r\na6637685091835826e62af279cc6c648188797f9edc05a2399a6686349102774\r\na6f1f68827303e655488c8d54b3be3ce8b1097f3ff374a2e4bc82ff96812781c\r\nabc5b2118bc1d8c82f3726a5e30cf22ae3fa1c572dd3327b281ea6fd97ae9c06\r\nafc45cc0df7f7e481bff45c6f62a6418b6ae4c8b474ec36113e05ab7ca7e2743\r\nb1f91355a8472e364e07f05dc69bbd9c74dc1943e9c4475f46c2b448bb6d6e5d\r\nb2b7218c3f649b9077510aac309357e884c314e0f488abed391415defb249f4c\r\nb6b685fe020c481161060df9dbef0fc205cde479056c18aaeae184daa3f8a9c0\r\nb784301cb2edafea875f779cf24e018f06732561069f6c4c3d865480
29671642\r\nba557bd6b2c1d3297b2c9bd7294e47b9ad9ec6a937cddc879dd563c61a9abcbd\r\nbb451151e52f0868f98e32d26ffa7c2be412b47cd470bf90d3cfe777b4a19f85\r\nbd39f32177dc7a20f5087c5460ebf589035d9051336c69f07a26398f76aec40e\r\nbf37542e9eb7a3b2f51d107e56d7551e6248f06ce18918e3dda2ebe9da1b0e80\r\nbf97c4ff35b5e2c039aa1f1a9a164b7ec4d9339a631c84910b9a4d03b7927b8a\r\nc2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634\r\nc3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e\r\nc441afb337c4803eed20ae255fbad3cdfac2800475c51e00a55369909efb4c89\r\ncc6ad344d30178e04e49ab16cd43744925676562aded051835fb3f73401f31fa\r\nceab18331f785d0bf215f551b90f00567e36d339ba8e3ed8e45c0ad410b25808\r\nd02a1eb597c66b602ac7d55095f771345ff5e90905ea12e523df2095030752b6\r\nd6142f48664208710bab9fcab8dfcda66ad75ad756d2ce9c3aa243dcbc29bf4a\r\nd665a8547baf067f2216821ecd4145eab1c75868f024d09140fb265b819d5194\r\nd8d2092e174240d7bac63a9e1c199b442e1cb0f39d7fa32510b1aa7717c3ae38\r\ne24de02415946133176b66017d54a5dcd7270c83f5ef01d79faff4e64d13c63b\r\ne5502722c2bb84876903549445534c47cdaa586a0bb1e5b3a53162d75cc6cb28\r\ne66ae0ac443b5140a1b35b5aaa6899eea296d9d633988eb044a395a34a887431\r\ne92e01977d85f6834f57bd09e29e654b10da798844e4a64470cb22dac78bef93\r\ne9723a2a9ca45787c35b864605a6be71ccf12b2d96dad8e7fc39117f7ba29abb\r\nf28bb7bc5c801d5444ba6816e3a91d5bfaf0307578b7a1529415fc220fd9e9e8\r\nf86b6aa11a276c24dd80db48f43c8a2f0c8df6e5426a7a0fee322c0427421ebb\r\n“Type 1” Staging Server IP Addresses:\r\n77[.]83[.]199[.]3\r\n77[.]83[.]199[.]15\r\n77[.]83[.]199[.]31\r\n
77[.]83[.]199[.]42\r\n77[.]83[.]199[.]73\r\n77[.]83[.]199[.]82\r\n77[.]83[.]199[.]88\r\n77[.]83[.]199[.]90\r\n77[.]83[.]199[.]112\r\n77[.]83[.]199[.]123\r\n77[.]83[.]199[.]132\r\n77[.]83[.]199[.]142\r\n77[.]83[.]199[.]170\r\n79[.]141[.]160[.]24\r\n79[.]141[.]160[.]34\r\n79[.]141[.]161[.]50\r\n79[.]141[.]161[.]171\r\n79[.]141[.]162[.]35\r\n79[.]141[.]162[.]37\r\n79[.]141[.]162[.]50\r\n79[.]141[.]162[.]132\r\n79[.]141[.]162[.]149\r\n79[.]141[.]162[.]169\r\n79[.]141[.]162[.]177\r\n79[.]141[.]162[.]181\r\n79[.]141[.]162[.]187\r\n79[.]141[.]162[.]204\r\n79[.]141[.]162[.]229\r\n79[.]141[.]163[.]138\r\n79[.]141[.]163[.]176\r\n79[.]141[.]172[.]204\r\n79[.]141[.]172[.]223\r\n79[.]141[.]172[.]229\r\n79[.]141[.]172[.]232\r\n79[.]141[.]172[.]240\r\n79[.]141[.]173[.]60\r\n79[.]141[.]173[.]161\r\n79[.]141[.]173[.]168\r\n85[.]158[.]111[.]29\r\n85[.]158[.]111[.]38\r\n85[.]158[.]111[.]53\r\n85[.]158[.]111[.]75\r\n85[.]158[.]111[.]81\r\n85[.]158[.]111[.]126\r\n89[.]46[.]38[.]34\r\n89[.]46[.]38[.]48\r\n89[.]46[.]38[.]88\r\n89[.]169[.]12[.]48\r\n91[.]193[.]19[.]32\r\n91[.]193[.]19[.]64\r\n
91[.]193[.]19[.]78\r\n91[.]193[.]19[.]127\r\n91[.]193[.]19[.]163\r\n91[.]193[.]19[.]188\r\n91[.]193[.]19[.]190\r\n98[.]142[.]240[.]165\r\n98[.]142[.]240[.]188\r\n98[.]142[.]240[.]214\r\n98[.]142[.]240[.]221\r\n98[.]142[.]240[.]246\r\n98[.]142[.]251[.]26\r\n98[.]142[.]251[.]32\r\n98[.]142[.]251[.]42\r\n98[.]142[.]251[.]53\r\n185[.]33[.]84[.]131\r\n185[.]33[.]84[.]153\r\n185[.]33[.]84[.]169\r\n185[.]33[.]85[.]20\r\n185[.]33[.]85[.]26\r\n185[.]33[.]85[.]33\r\n185[.]33[.]85[.]38\r\n185[.]33[.]85[.]52\r\n185[.]33[.]86[.]37\r\n193[.]42[.]38[.]11\r\n193[.]42[.]38[.]79\r\n193[.]42[.]38[.]85\r\n193[.]42[.]38[.]86\r\n193[.]111[.]208[.]2\r\n193[.]111[.]208[.]17\r\n193[.]111[.]208[.]19\r\n193[.]111[.]208[.]23\r\n193[.]111[.]208[.]24\r\n193[.]111[.]208[.]46\r\n193[.]111[.]208[.]75\r\n193[.]111[.]208[.]97\r\n193[.]111[.]208[.]100\r\nAdditional IP Addresses Likely Linked to “Type 1” Staging Infrastructure:\r\n23[.]140[.]40[.]66\r\n45[.]153[.]191[.]245\r\n46[.]29[.]163[.]28\r\n89[.]169[.]12[.]48\r\n89[.]253[.]222[.]25\r\n89[.]253[.]222[.]156\r\n95[.]182[.]123[.]86\r\n185[.]231[.]245[.]158\r\n217[.]114[.]15[.]253\r\n“Type 2” Staging Server IP Addresses:\r\n45[.]61[.]134[.]76\r\n77[.]83[.]199[.]162\r\n79[.]141[.]162[.]135\r\n79[.]141[.]163[.]169\r\n91[.]193[.]19[.]220\r\n144[.]172[.]115[.]211\r\n172[.]86[.]90[.]84\r\n185[.]33[.]86[.]11\r\n185[.]80[.]53[.]79\r\n194[.]15[.]216[.]118\r\n“Type 2” Staging Server Domains:\r\nfilmlerzltyazilimsx[.]shop\r\nfoolowme[.]com\r\njoiner[.]best\r\nlowi1[.]com\r\nmorniksell[.]com\r\npersistancejs[.]store\r\npomofight[.]com\r\nport4loms[.]com\r\nsignaturepl[.]com\r\nyungask[.]com\r\nDomains Linked to oreshnik[@]mailum[.]com:\r\n108zhao[.]shop\r\n1sou[.]top\r\n6hms[.]top\r\n789pettoys[.]shop\r\n7serv[.]top\r\n99wc[.]top\r\nabocamuseum[.]icu\r\nactionmovies[.]top\r\nalcmz[.]top\r\nalhasba[.]com\r\namxdh1[.]icu\r\nanoteryo[.]top\r\narearugs[.]top\r\nas5yo[.]top\r\nashesplayer[.]top\r\navodaride[.]top\r\nazyaamode[.]shop\r\nbaihao[.]shop\r\nbaihuah[.]top\r\nbedoueroom[.]top\r\nbestproductreviews[.]xyz\r\nbestrollerballpen[.]top\r\nblogdojhow[.]com\r\nbnpparibas[.]top\r\nbokra[.]top\r\nbond007[.]xyz\r\nboxworld[.]top\r\nbstionline[.]com\r\nbuildingjobs[.]xyz\r\nbuscavuelosbaratos[.]top\r\nbuyedmeds[.]top\r\nbuylisinopril[.]top\r\ncelebrex[.]top\r\nchaojiwang[.]top\r\nchenyiwen[.]top\r\nchinapark[.]top\r\nchristianlouboutin2017[.]top\r\ncialissale[.]top\r\ncinselurunler[.]xyz\r\ncoinseasygenerator[.]top\r\ncouterfv[.]top\r\ncouturella[.]shop\r\ncovaticonstructioncorp[.]shop\r\ncozartan[.]top\r\ncryptohardware[.]shop\r\ndcdh4[.]shop\r\ndealermobil[.]top\r\ndepechemode[.]shop\r\ndirectoryframework[.]top\r\ndiscountmontblanc[.]top\r\ndiscoveronline[.]top\r\ndoodstream[.]shop\r\ndownloadfreak[.]top\r\nerectilehelp[.]top\r\nfilmezz[.]top\r\nfilmlerzltyazilimsx[.]shop\r\nfjs95[.]shop\r\nfmovies123[.]top\r\nforging[.]top\r\nfragzone[.]top\r\nfranquicias[.]top\r\nfuckhdmov[.]top\r\ngededewe[.]shop\r\ngetin[.]top\r\nglitterygadgets[.]shop\r\ngmartph[.]shop\r\ngmt-a[.]shop\r\ngrandzxc[.]bet\r\n
guosong[.]top\r\nhaidao10[.]top\r\nheadtechnologies[.]xyz\r\nhealthcareplans[.]top\r\nheim-k[.]shop\r\nhelperection[.]top\r\nhilfe-ed[.]top\r\nhirek[.]top\r\nhowtogetaloan[.]top\r\nida-ci[.]com\r\nislighting[.]top\r\niwine[.]top\r\nizone[.]digital\r\njerseysus[.]top\r\njiezishijie[.]top\r\njkse[.]shop\r\njsmakert[.]shop\r\nk2bsc[.]top\r\nkaestner[.]top\r\nkamagrafr[.]icu\r\nkanshuwang[.]top\r\nkazumaka[.]top\r\nkfzversicherungskosten[.]top\r\nkhusinhthaidanphuong[.]top\r\nkingdomholding[.]top\r\nkrediteonlinevergleichen[.]top\r\nlang3666[.]top\r\nlangwonet[.]top\r\nlayardrama21[.]top\r\nlebensversicherungvergleich[.]top\r\nlevciavia[.]top\r\nlinhua97[.]top\r\nlinksoflondononsale[.]top\r\nlinksoflondonsale[.]top\r\nliruo[.]top\r\nliveskortv[.]shop\r\nloanonline[.]top\r\nloispaigesimenson[.]com\r\nlosartan[.]top\r\nlovedou[.]top\r\nlqsword[.]top\r\nlx7v9[.]top\r\nlycosex[.]top\r\nmachine-a-plastifier[.]com\r\nmanwithedhelp[.]top\r\nmarmocer[.]top\r\nmbpen163[.]top\r\n
medicamentsbonmarche[.]top\r\nmeimei68[.]top\r\nmenjimmychooonline[.]top\r\nmilebox[.]shop\r\nmindsetgrowth[.]shop\r\nmm37[.]icu\r\nmonclerjackets[.]top\r\nmoruk[.]xyz\r\nmotocyclenews[.]top\r\nmoviefone[.]top\r\nmoviesone[.]top\r\nmovtime76[.]shop\r\nmovtime78[.]shop\r\nmusicdownloader[.]top\r\nmy-privatebanker[.]top\r\nmybeststream[.]xyz\r\nnackt-bilder[.]top\r\nnana44[.]shop\r\nnewbalancesport[.]top\r\npalcomp3[.]top\r\nparisforrent[.]top\r\npasangiklan[.]top\r\npatekphillipwatches[.]top\r\npielsteel[.]top\r\npravaix[.]top\r\nrag382[.]top\r\nrasin[.]shop\r\nrefanprediction[.]shop\r\nregopramide[.]top\r\nrnsddse[.]top\r\nsales2016[.]top\r\nsdnews[.]top\r\nsearchgo[.]shop\r\nsearchweb[.]top\r\nsemikeren[.]icu\r\nsimvascor[.]icu\r\nsimvascor[.]top\r\nsnapcans[.]top\r\nsneakermall[.]top\r\nsoap2dayfree[.]top\r\nsocialsignals[.]shop\r\nsocksforrocks[.]shop\r\nstreaming-films[.]xyz\r\nsyavsp5[.]top\r\ntdsc[.]top\r\ntechradar[.]top\r\ntiffanyearringforwomen[.]top\r\ntodoarmarios[.]top\r\ntodocalefactores[.]top\r\ntodocarritos[.]top\r\ntravelplace[.]top\r\ntrendings[.]top\r\nuniversaltechnology[.]top\r\nuochut[.]shop\r\nvia345[.]top\r\nvillahome[.]top\r\nviloriterso[.]icu\r\nviptravelcentres[.]com\r\nvog168[.]top\r\nwandan[.]top\r\nwap9[.]top\r\nwarpdrive[.]top\r\nwatchesbest[.]top\r\nwavob[.]top\r\nwdwnp[.]top\r\nxelesex[.]top\r\nydh7[.]shop\r\nyntz6[.]shop\r\nyourcialsupply[.]top\r\nyoutubevideo[.]top\r\nyxta[.]top\r\nyybvf[.]top\r\nzaheirx[.]shop\r\nzakachka[.]top\r\nzerolendnow[.]top\r\nzt45gg[.]top\r\nCompromised Law Firm Websites:\r\nbianchilawgroup[.]com\r\nbrattonlawgroup[.]com\r\nbrighterdaylaw[.]com\r\ndefensegroup[.]com\r\ndwicriminallawcenter[.]com\r\nfisherstonelaw[.]com\r\njarrettfirm[.]com\r\nraineyandrainey[.]com\r\nrbbfirm[.]com\r\nrmvlawyer[.]com\r\nwww[.]brentadams[.]com\r\nwww[.]cfblaw[.]com\r\nwww[.]gerlinglaw[.]com\r\nwww[.]immigration-defense[.]com\r\nwww[.]schwartzandschwartz[.]com\r\nSectop RAT Hash:\r\n59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78\r\nSecTopRAT C2 IP Address:\r\n85[.]158[.]110[.]179[:]15847\r\nOther Hashes:\r\n5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428\r\nEmail Address Linked to GrayCharlie:\r\noreshnik[@]mailum[.]com\r\nSource: https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack"
	],
	"report_names": [
		"graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "f942a4c7-44ef-4216-85eb-f8bca8d591cf",
			"created_at": "2026-04-17T02:00:03.798174Z",
			"updated_at": "2026-04-18T02:00:04.268286Z",
			"deleted_at": null,
			"main_name": "GrayCharlie",
			"aliases": [],
			"source_name": "MISPGALAXY:GrayCharlie",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a13b9be-e36d-4d48-9d19-5c93a62f862f",
			"created_at": "2026-03-08T02:00:03.472285Z",
			"updated_at": "2026-04-18T02:00:04.240861Z",
			"deleted_at": null,
			"main_name": "GrayBravo",
			"aliases": [
				"TAG-150"
			],
			"source_name": "MISPGALAXY:GrayBravo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-18T02:00:04.139431Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776392400,
	"ts_updated_at": 1776478907,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cab2d9730f70a1c2fc1b71dc4d3c58bbcda8ecd6.pdf",
		"text": "https://archive.orkl.eu/cab2d9730f70a1c2fc1b71dc4d3c58bbcda8ecd6.txt",
		"img": "https://archive.orkl.eu/cab2d9730f70a1c2fc1b71dc4d3c58bbcda8ecd6.jpg"
	}
}