GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack

ID: 9e6ab684-ee13-5e8b-9545-b8eb771da1ba

STIX ID: report--9e6ab684-ee13-5e8b-9545-b8eb771da1ba

Feed Name: Recorded Future Blog

Threat Score: 75/100

Date Published: 2026-02-18

Date Updated: 2026-04-29

Recorded Future/Insikt Group details operations attributed to GrayCharlie (overlapping SmartApeSG), which compromises WordPress sites to inject JavaScript that redirects visitors to NetSupport RAT delivered via fake browser updates or ClickFix lures; follow-on payloads have included Stealc and SectopRAT. The report maps multiple C2 clusters and staging infrastructure (notably hosted on MivoCloud and HZ Hosting Ltd), provides extensive IoCs (IP addresses, domains, file hashes, email), and describes two primary attack chains and observed operator behavior. It recommends blocking indicators, deploying detection rules (YARA/Snort/Sigma), and monitoring for exfiltration and ongoing activity.