GrayCharlie Attacks: WordPress Sites Weaponized to Spread NetSupport RAT
A sophisticated threat actor known as GrayCharlie is actively compromising WordPress websites to distribute a potent cocktail of malware, including the notorious NetSupport RAT and Stealc information stealer. By injecting malicious JavaScript into legitimate sites, attackers are turning trusted web pages into launchpads for silent infections that compromise user data and system control. This campaign highlights a growing trend where cybercriminals abuse the reputation of established Content Management Systems (CMS) to bypass security filters and deliver dangerous payloads directly to unsuspecting visitors.

The Anatomy of the GrayCharlie Attack Chain

The attack methodology employed by GrayCharlie is stealthy and relies heavily on the compromise of vulnerable WordPress environments. Once an attacker gains access (often through outdated plugins, weak credentials, or unpatched themes), they inject obfuscated JavaScript code directly into the site's header or footer files. This script acts as a silent loader, lying dormant until a visitor lands on the compromised page. Unlike aggressive defacements, this technique keeps the website looking normal, allowing the malware to spread for longer periods without detection.

Upon execution, the malicious JavaScript profiles the visitor's browser and operating system. If the target meets specific criteria, the script triggers a download or redirection sequence. The primary payload is often disguised as a legitimate browser update or a necessary software component, tricking the user into manually executing the file. This initial foothold is critical, as it paves the way for the deployment of the NetSupport RAT, a legitimate remote administration tool that has been weaponized by hackers to gain full control over the victim's machine.

Payload Analysis: NetSupport RAT, Stealc, and SectopRAT

The danger of the GrayCharlie campaign lies in its multi-stage payload delivery. The most prominent tool in their arsenal is the NetSupport RAT (Remote Access Trojan). Originally designed as a legitimate tech support tool, NetSupport Manager is frequently abused by threat actors because its digital signature often allows it to bypass antivirus detection. Once installed, it grants the attacker complete remote control, enabling them to execute commands, transfer files, and monitor user activity in real time.

Following the initial compromise, the attackers often deploy secondary payloads like Stealc and SectopRAT. Stealc is a highly aggressive information stealer designed to exfiltrate sensitive data such as saved browser passwords, cryptocurrency wallet keys, and session cookies. This data is immediately sent back to the attacker's Command and Control (C2) servers. SectopRAT serves as a secondary persistence mechanism, ensuring that even if the primary RAT is detected and removed, the attackers maintain a backdoor into the infected system. This layered approach maximizes the potential damage, turning a single click into a full-scale system breach.

Threat Comparison: The GrayCharlie Toolkit

Understanding the specific capabilities of the malware deployed by GrayCharlie is essential for incident response and threat mitigation.

Malware Family   Primary Function                        Attack Vector             Risk Level
NetSupport RAT   Remote Control & Surveillance           Fake Updates / Droppers   Critical
Stealc           Data Exfiltration (Passwords/Wallets)   Secondary Payload         High
SectopRAT        Persistence & Backdoor Access           Background Process        High

Strategic Defense for WordPress Admins

For website administrators and security professionals, mitigating the GrayCharlie threat requires a proactive stance on CMS security. The first line of defense is rigorous patch management; ensuring that the WordPress core, themes, and plugins are always up to date closes the most common entry points. Additionally, implementing a Web Application Firewall (WAF) can help detect and block the initial injection attempts or the execution of malicious JavaScript.

File integrity monitoring is another crucial layer of defense. Security plugins that alert administrators to unauthorized changes in core files (such as header.php or footer.php) can reveal an infection before it spreads to visitors. For end-users, the defense relies on skepticism: unexpected prompts to update browsers or install "missing" components while visiting standard websites should always be treated as suspicious. Organizations should also configure their endpoint protection systems to flag the unauthorized presence of remote admin tools like NetSupport Manager.
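The two controls described above (a hash baseline over theme files, and a check for injected script tags in header.php or footer.php) can be demonstrated in a few dozen lines. The script below is an added example, not code from the article or from any security plugin it mentions. Everything in it is constructed for illustration: the temporary theme directory, the sample header.php and footer.php contents, the injected loader line, the dropped file name, and the allow-listed host example.com are all assumptions, and the obfuscation heuristics are a small generic set (eval, atob, String.fromCharCode, unescape), not indicators from this campaign.

```python
"""File integrity baseline plus injected-script heuristics for a WordPress theme directory.

Added example (not the article's or any plugin's code). All paths, file contents
and the allowed host list are constructed here for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Generic markers of a runtime-assembled inline loader. These are illustrative
# heuristics, not indicators taken from the campaign described in the article.
SUSPICIOUS_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("atob", re.compile(r"\batob\s*\(", re.I)),
    ("String.fromCharCode", re.compile(r"String\.fromCharCode", re.I)),
    ("unescape", re.compile(r"\bunescape\s*\(", re.I)),
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, exts=(".php", ".js")) -> dict:
    """Map relative path -> sha256 for every tracked file under root."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in exts
    }


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline; added files matter as much as edits."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def find_suspicious_scripts(text: str, allowed_hosts=()) -> list:
    """Flag <script> tags that load from a non-allow-listed host or use runtime decoding."""
    findings = []
    for m in re.finditer(r"<script\b[^>]*>(.*?)</script>", text, re.S | re.I):
        opening_tag = m.group(0)[: m.start(1) - m.start(0)]
        body = m.group(1)
        src = re.search(r'src\s*=\s*["\']([^"\']+)', opening_tag, re.I)
        if src:
            # Strip the scheme (or protocol-relative //) and keep the host part only.
            host = re.sub(r"^(https?:)?//", "", src.group(1)).split("/")[0]
            if host and host not in allowed_hosts:
                findings.append(f"external script from {host}")
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(body):
                findings.append(f"inline script uses {label}")
                break
    return findings


# Constructed sample content: a clean theme header and the line an injection would add.
CLEAN_HEADER = (
    "<?php wp_head(); ?>\n"
    '<script src="https://example.com/wp-content/themes/t/app.js"></script>\n'
)
INJECTED_LINE = "<script>eval(atob('aGVsbG8='));</script>\n"


def demo() -> dict:
    """Baseline a constructed theme, simulate a compromise, and report what the checks see."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "header.php").write_text(CLEAN_HEADER)
        (root / "footer.php").write_text("<?php wp_footer(); ?>\n")
        baseline = build_baseline(root)  # in practice, store this off-host and sign it

        # Simulated post-compromise state: header edited, one new file dropped.
        (root / "header.php").write_text(CLEAN_HEADER + INJECTED_LINE)
        (root / "dropped.php").write_text("<?php /* constructed dropped file */ ?>\n")

        changes = diff_baseline(root, baseline)
        findings = {}
        for rel in changes["modified"] + changes["added"]:
            hits = find_suspicious_scripts((root / rel).read_text(), allowed_hosts=("example.com",))
            if hits:
                findings[rel] = hits
        return {"changes": changes, "findings": findings}


if __name__ == "__main__":
    print(demo())
```

The baseline should be taken immediately after a clean install or update and stored somewhere the web server account cannot write, otherwise an attacker with file access can simply re-baseline. The script-tag heuristics are deliberately coarse; their job is to prioritise which modified files a human looks at first, not to classify JavaScript on their own.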

Frequently Asked Questions

How does GrayCharlie infect WordPress sites?
GrayCharlie typically exploits vulnerabilities in outdated plugins, themes, or weak administrative passwords to inject malicious JavaScript code into the website's files.

What is NetSupport RAT?
NetSupport RAT is a malicious use of the legitimate NetSupport Manager software. Hackers use it to gain unauthorized remote control over a victim's computer to steal data or install more malware.

How can I tell if my browser is targeted by Stealc?
Stealc operates silently to steal data. Signs of infection include unexpected account lockouts, unauthorized transactions, or sluggish system performance due to background data exfiltration processes.

My Take

The GrayCharlie campaign is a stark reminder that the distinction between "legitimate software" and "malware" is increasingly blurred. By weaponizing tools like NetSupport Manager, attackers are effectively living off the land, using trusted binaries to evade detection. For the cybersecurity industry, this necessitates a shift from signature-based detection to behavioral analysis. We can no longer trust a file simply because it has a valid digital signature; we must scrutinize how it is being used. WordPress admins must treat their sites not just as publishing platforms, but as potential infrastructure for cybercrime, requiring enterprise-grade security hygiene regardless of the site's size.

Sources: gbhackers.com ↗