
Figure: TAG-124 infection chain and infrastructure setup (Source: Recorded Future)
A newly uncovered campaign by threat actor GrayAlpha, which overlaps with the infamous FIN7 cybercrime syndicate, reveals a sharp escalation in tactics and tooling, according to an in-depth threat analysis by Recorded Future’s Insikt Group.
The investigation exposes a multi-pronged infection campaign leveraging fake browser updates, impersonated 7-Zip download sites, and a traffic distribution system (TDS) known as TAG-124, previously unlinked to GrayAlpha operations.
“While all three infection methods were employed simultaneously, only the fake 7-Zip download pages appear to remain active at the time of writing,” the report notes, warning that some domains were registered as recently as April 2025.
At the core of GrayAlpha’s campaign are two sophisticated PowerShell-based loaders:
- PowerNet, a custom loader that executes NetSupport RAT directly from within MSIX packages, performs domain checks, and employs sandbox evasion tactics.
- MaskBat, an obfuscated variant of the open-source FakeBat, carries string artifacts and custom encryption routines that firmly tie it to the GrayAlpha cluster.
“PowerNet and FakeBat share no underlying code similarities,” the researchers emphasize, highlighting GrayAlpha’s move toward more custom tooling.
Interestingly, the “usradm” string found in MaskBat has also been seen in previous FIN7-linked campaigns, such as the WaterSeed cluster, further reinforcing the overlap.
The report categorizes GrayAlpha’s operations into three major infection paths:
- Fake browser update pages targeting users of Google Meet, SAP Concur, CNN, and LexisNexis.
- Fake 7-Zip download sites, such as 7zip-1508[.]top, which use consistent fingerprinting scripts and lure victims with malvertising.
- TAG-124 TDS, a stealthy redirect network leveraging compromised WordPress sites and malvertising techniques like ClickFix.
“Notably, the use of TAG-124 had not been publicly documented prior to this report,” the Insikt Group states.
The report also details the infrastructure behind these campaigns, tracing many domains to bulletproof hosting providers such as Stark Industries Solutions, H2NEXUS LTD, and Proton66 OOO, entities known for tolerating — or enabling — cybercriminal operations.
All roads in the GrayAlpha campaign lead to NetSupport RAT, a remote access tool frequently abused by threat actors for espionage, data theft, and persistence.
The RAT was deployed using hardcoded license information linked to previous FIN7 activity, specifically license ID MGJFFRT466 and serial number NSM301071.
“Nearly 75% of all NetSupport RAT samples associated with MSIX packages were linked to just two certificate serial numbers,” the report reveals.
Insikt Group connects much of the hosting infrastructure to Baykov Ilya Sergeevich, an entity tied to hip-hosting.com and fortis.host, both known to serve cybercriminal interests. Their analysis led to the identification of over a dozen NetSupport RAT C2 servers, many located within AS26383 (ASNET), a hotbed of malicious activity.
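The two concrete indicators this summary gives (the FIN7-linked NetSupport license ID and serial number, and the fake 7-Zip domain 7zip-1508[.]top) are the kind of thing a defender can turn into a hunt immediately. The following is an added example, not code from Recorded Future or from the article: it refangs the published domain, checks a NetSupport client configuration for the hardcoded license values, and flags proxy log lines that fetched from the lure domain. The INI section and key names, the log format, and all sample lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the Recorded Future report as summarised above.
# The fake 7-Zip domain is kept defanged exactly as published.
GRAYALPHA_INDICATORS = {
    "netsupport_license_id": "MGJFFRT466",
    "netsupport_serial": "NSM301071",
    "fake_7zip_domain": "7zip-1508[.]top",
}

# Constructed sample of a NetSupport client configuration. The section and
# key names are assumptions for illustration, not taken from the report.
SAMPLE_CLIENT_INI = """[_License]
Licensee=MGJFFRT466
serial_no=NSM301071
"""

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = [
    "2025-04-21T10:02:11Z 10.0.0.7 GET https://7zip-1508.top/dl/7z-setup.msix",
    "2025-04-21T10:02:15Z 10.0.0.7 GET https://www.7-zip.org/a/7z2409-x64.exe",
    "2025-04-21T10:03:40Z 10.0.0.9 GET https://example.com/",
]

_URL_RE = re.compile(r"https?://\S+")


def refang_indicator(value: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in published IoCs so they match live data."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def scan_netsupport_config(text: str) -> list:
    """Return the names of FIN7-linked NetSupport licence values found in a config text.

    A case-insensitive substring search is used so the check does not depend on the
    exact INI key names, which are assumed here rather than taken from the report."""
    lowered = text.lower()
    return [
        name
        for name in ("netsupport_license_id", "netsupport_serial")
        if GRAYALPHA_INDICATORS[name].lower() in lowered
    ]


def flag_proxy_lines(lines) -> list:
    """Return proxy log lines whose URL host is the fake 7-Zip download domain."""
    bad_host = refang_indicator(GRAYALPHA_INDICATORS["fake_7zip_domain"]).lower()
    flagged = []
    for line in lines:
        m = _URL_RE.search(line)
        if not m:
            continue
        # Compare the parsed hostname only, so paths and ports do not affect the match.
        host = (urlparse(m.group(0)).hostname or "").rstrip(".")
        if host == bad_host:
            flagged.append(line)
    return flagged


def hunt(config_text: str, proxy_lines) -> dict:
    """Combine both checks into one summary a responder can act on."""
    return {
        "netsupport_license_hits": scan_netsupport_config(config_text),
        "fake_7zip_requests": flag_proxy_lines(proxy_lines),
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_CLIENT_INI, SAMPLE_PROXY_LOG))
```

On the constructed input, `hunt()` reports both licence values present and exactly one proxy request to the lure domain; the legitimate 7-zip.org download is not flagged because the host comparison is exact rather than a substring match.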