GrayCharlie hijacks law firm sites to push RATs and infostealers

March 23, 2026 · 2 min read · 2 sources

Recorded Future says a threat cluster it tracks as GrayCharlie compromised WordPress websites belonging to law firms and turned them into malware delivery points, using fake browser update pages and ClickFix-style prompts to infect visitors. The campaign delivered NetSupport RAT, the Stealc infostealer, and SectopRAT, according to the company’s Insikt Group.

The report describes a supply-chain-like attack pattern: instead of targeting victims directly, the actor appears to abuse trusted third-party sites to host or redirect users to malicious content. In this case, law firm domains gave the lures extra credibility. Visitors were reportedly shown bogus browser update messages or instructions designed to get them to run commands or download files, a social engineering technique widely known as ClickFix.

The malware mix gives attackers both immediate access and monetizable data. NetSupport RAT, a legitimate remote administration tool often repurposed by cybercriminals, can provide persistent remote control. Stealc is built to harvest browser credentials, cookies, and wallet data. SectopRAT adds another remote access option for follow-on activity. Recorded Future did not tie the campaign to a specific CVE, suggesting the initial website compromises may have involved common WordPress weaknesses such as outdated plugins, weak credentials, or administrative account takeover rather than a single disclosed flaw.

The impact could extend beyond the compromised firms. Anyone visiting an infected site may be exposed to malware, while the affected law firms face reputational damage and possible client trust issues. The legal sector is a particularly sensitive target because firm websites and systems are closely tied to confidential communications and high-value business matters.

For defenders, the campaign is another reminder that trusted websites can become malware infrastructure. Organizations running WordPress should review plugins and themes, enforce multifactor authentication for admins, and monitor for injected scripts or unusual redirects. End users should be wary of update prompts delivered through websites and avoid any page that asks them to paste commands into their system. Using a reputable VPN will not stop this type of social engineering on its own, but layered protections can help reduce exposure.
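As an added example (not code from the Recorded Future report or this article), the following Python scanner applies the monitoring advice above to fetched page HTML: it flags script tags loaded from hosts outside a site allowlist and flags visible text or inline script that matches fake-update and ClickFix-style lure phrasing. The allowlist, the lure patterns and the sample page are constructed placeholders, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser

# Lure phrasings typical of fake-update / ClickFix overlays (hypothetical heuristics, not IoCs from the report)
LURE_PATTERNS = [
    r"update\s+(your|the)\s+browser",
    r"press\s+win(dows)?\s*\+\s*r",
    r"paste\s+(it|this|the\s+command)",
    r"navigator\.clipboard\.writeText",
    r"\bpowershell\b",
]
# Constructed allowlist of hosts the site legitimately loads scripts from
ALLOWED_SCRIPT_HOSTS = {"cdn.example-lawfirm.test"}

class InjectScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts, self.in_script, self.findings = allowed_hosts, False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        # Strip scheme or protocol-relative "//" and keep the host; relative paths yield "" (same origin)
        host = re.sub(r"^(https?:)?//", "", dict(attrs).get("src") or "").split("/")[0].lower()
        if host and host not in self.allowed_hosts:
            self.findings.append(("external-script", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Both inline script bodies and visible text arrive here; record which one matched
        for pat in LURE_PATTERNS:
            if re.search(pat, data, re.IGNORECASE):
                self.findings.append(("script-lure" if self.in_script else "page-lure", pat))

def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    # Returns a list of (kind, detail) findings for one fetched page
    scanner = InjectScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one legitimate script, one injected loader, one clipboard hook, one lure overlay
SAMPLE_PAGE = """<html><head><script src="https://cdn.example-lawfirm.test/app.js"></script>
<script src="//static.placeholder-badhost.test/upd.js"></script>
<script>navigator.clipboard.writeText(CMD);</script></head><body>
<div id="upd">Update your browser to continue. Press Win + R and paste the command.</div>
</body></html>"""
```

Run it against HTML fetched periodically from each site and alert on any finding; a clean page returns an empty list.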

Sources: Recorded Future Insikt Group; BleepingComputer background reporting on ClickFix and fake update malware chains.
