
RST TI Report Digest: 23 Feb 2026

ID: e2828cd8-a2b8-573d-b906-1bbadec16f15

STIX ID: report--e2828cd8-a2b8-573d-b906-1bbadec16f15

Feed Name: RST Cloud Blog

Threat Score: 75/100

Date Published: 2026-02-23

Date Updated: 2026-04-29

Author: RST Cloud


Recorded Future describes GrayCharlie, a threat actor active since mid-2023 that compromises WordPress sites and injects malicious JavaScript, which redirects visitors to download the NetSupport Remote Access Trojan via deceptive browser-update and ClickFix-style lures. The campaign disproportionately targets U.S. law firm websites and uses complex infrastructure (MivoCloud, HZ Hosting). The report provides extensive IOCs (many IPs, domains, URLs, and SHA-256 hashes) and indicates an ongoing supply-chain-style threat to the legal sector.
