Recorded Future’s Insikt Group has released a report on a cybercrime group it tracks as “GrayCharlie,” which overlaps with the threat actor known as “SmartApeSG.” GrayCharlie mainly uses hacked WordPress websites to spread malware.
The group, which has been active since mid-2023, injects malicious scripts into compromised WordPress sites. When visitors land on the sites, they are redirected to fake browser update pages or shown ClickFix pop-ups. If victims follow the instructions, they unknowingly download NetSupport RAT, a remote access tool that allows attackers to control victims' systems. In some cases, additional malware such as Stealc or SectopRAT is also deployed.
Researchers found that much of GrayCharlie’s infrastructure is hosted by MivoCloud and HZ Hosting Ltd. This includes command-and-control (C&C) servers used to manage infected systems, as well as staging servers that help deliver the malware.
Insikt Group identified two main clusters of NetSupport RAT servers. One group of servers, active between March and August 2025, used a clear monthly naming pattern in its security certificates and was hosted by MivoCloud. The second group used unusual certificate names starting with repeated “s” letters followed by an “i” and a number. Researchers believe these clusters may represent separate campaigns or different individuals within the same group.
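A small certificate-hunting helper, added here as an example and not part of the Insikt Group report, that flags certificate common names matching the described shape of the second cluster and groups the hits by hosting provider. The report does not publish the exact strings, so the regular expression (two or more “s” letters, then “i”, then digits) and the sample records below are assumptions constructed for illustration, not real indicators.

```python
import re
from collections import defaultdict

# Constructed certificate observations for illustration only; they are not
# indicators from the report. Each record mimics a row from a certificate
# transparency or internet-scan feed (common name, hoster, first-seen date).
SAMPLE_CERTS = [
    {"cn": "sssi12",           "hoster": "HZ Hosting Ltd", "first_seen": "2025-09-14"},
    {"cn": "*.SSSSI3",         "hoster": "MivoCloud",      "first_seen": "2025-10-01"},
    {"cn": "ssi7 ",            "hoster": "HZ Hosting Ltd", "first_seen": "2025-11-20"},
    {"cn": "www.example.test", "hoster": "MivoCloud",      "first_seen": "2025-05-03"},
    {"cn": "si4",              "hoster": "HZ Hosting Ltd", "first_seen": "2025-07-07"},  # one 's': no match
    {"cn": "ssia",             "hoster": "MivoCloud",      "first_seen": "2025-08-08"},  # no trailing number
]

# Assumed shape of the names the report describes: repeated 's', then 'i', then a number.
REPEATED_S_NAME = re.compile(r"^s{2,}i\d+$")


def normalize_cn(cn: str) -> str:
    """Drop surrounding whitespace and a leading wildcard label, lower-case the rest."""
    cn = cn.strip().lower()
    return cn[2:] if cn.startswith("*.") else cn


def matches_repeated_s(cn: str) -> bool:
    """True when the (normalized) common name fits the assumed cluster pattern."""
    return REPEATED_S_NAME.match(normalize_cn(cn)) is not None


def hunt(records):
    """Return matching normalized common names grouped by hosting provider."""
    hits = defaultdict(list)
    for rec in records:
        if matches_repeated_s(rec["cn"]):
            hits[rec["hoster"]].append(normalize_cn(rec["cn"]))
    return dict(hits)


if __name__ == "__main__":
    for hoster, names in hunt(SAMPLE_CERTS).items():
        print(f"{hoster}: {', '.join(names)}")
```

Pointing `hunt()` at a real certificate feed turns the report's naming observation into a repeatable query; the hoster grouping makes it easy to see whether hits concentrate on the two providers named above.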
GrayCharlie uses two main attack methods. One shows victims a fake browser update page that installs malware. The other uses ClickFix pop-ups that trick users into copying and running a malicious command.
Most of the hacked WordPress sites appear to have been chosen at random across many industries. However, Insikt Group found at least 15 US law firm websites that were likely compromised around November 2025. Researchers believe this may have happened through a supply-chain attack involving a shared IT provider, possibly through stolen credentials or vulnerable WordPress plugins.
While GrayCharlie’s exact goals are not fully known, the evidence suggests the group is focused on stealing data and making money. Researchers also note the possibility that the group could sell access to other threat actors, though this has not been confirmed.