FIN7-linked threat group impersonates 7-Zip, software updates


GrayAlpha, a cybercrime group linked to the threat actor tracked as FIN7, is running sites impersonating 7-Zip and other legitimate software to spread the NetSupport remote access trojan (RAT), Recorded Future’s Insikt Group revealed in a report Friday.

Three distinct infection vectors and two custom loaders were identified in the report, as well as the use of bulletproof hosting services by the GrayAlpha cluster.

The first infection vector is fake software updates for legitimate products, including Google Meet, LexisNexis, Asana, AIMP, SAP Concur and Advanced IP Scanner. GrayAlpha has also used websites impersonating CNN and The Wall Street Journal in this campaign, which was observed starting in April 2024.

The fake websites share a common host fingerprinting script and are mostly hosted via the bulletproof hosting service known as Stark Industries Solutions, which has previously been used by FIN7. FIN7 has also used fake Advanced IP Scanner downloads as a social engineering lure in the past, marking further overlap with the GrayAlpha cluster.

The domains hosting fake software updates were used by GrayAlpha to distribute a new version of the FakeBat loader known as MaskBat, which differs from FakeBat in its use of unique obfuscation. The loader in turn delivered the final NetSupport RAT payload.

The second infection vector, fake 7-Zip downloads, leveraged domains using the same fingerprinting script as the other fake software websites, and distributed the custom PowerNet loader. PowerNet checks whether the host is part of an enterprise domain before execution, terminating if the check fails.

Insikt Group noted five variants of PowerNet used in these campaigns, some of which lack the enterprise domain check and some of which redirect to a URL rather than extracting the final payload directly from the MSIX package. Notably, the code segment that performs the domain check also appears in Usradm Loader, which is used by another FIN7-linked group called WaterSeed.
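The domain-membership gate described above is what makes a loader like PowerNet fall silent in a sandbox or on an analyst's standalone VM, so a useful triage step is to open the MSIX package itself rather than run it. The script below is an added example, not code from the Insikt Group report or from GrayAlpha's tooling. It assumes only two things that the report does not state: that the package is a standard MSIX (a ZIP container) and that any launch-time script is wired in through the Package Support Framework's config.json, which is the documented way an MSIX runs a PowerShell script at startup. The sample package it inspects is constructed inline, and its script is inert (the domain check and URL are placeholders, not real indicators).

```python
"""Triage an MSIX package for an embedded launch script and a domain-membership gate.

Added example, not from the Insikt Group report. Assumptions: the package is a
standard MSIX (ZIP container) and launch-time scripts are declared through a
Package Support Framework (PSF) config.json. The sample below is constructed.
"""
import io
import json
import re
import zipfile

# Windows APIs and environment variables commonly used to test whether a host is
# domain-joined. Which of these PowerNet uses is not stated in the report.
DOMAIN_GATE_PATTERNS = [
    r"PartOfDomain",                  # Win32_ComputerSystem.PartOfDomain (WMI/CIM)
    r"GetComputerDomain",             # System.DirectoryServices.ActiveDirectory.Domain
    r"USERDNSDOMAIN|LOGONSERVER",     # environment variables set on domain logons
    r"Get-ADDomain|Get-ADComputer",   # ActiveDirectory module cmdlets
]
URL_PATTERN = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
SCRIPT_SUFFIXES = (".ps1", ".psm1", ".vbs", ".js", ".bat", ".cmd")


def _psf_startup_scripts(config_text):
    """Return script paths a PSF config.json runs at application start or end."""
    try:
        cfg = json.loads(config_text)
    except ValueError:
        return []
    scripts = []
    for app in cfg.get("applications", []):
        for key in ("startScript", "endScript"):
            entry = app.get(key)
            if isinstance(entry, dict) and entry.get("scriptPath"):
                scripts.append(entry["scriptPath"])
    return scripts


def _verdict(f):
    if f["scripts"] or f["psf_startup_scripts"]:
        if f["domain_gate_hits"]:
            return "suspicious: launch script gated on domain membership"
        return "review: package runs a script at launch"
    return "no script stage found"


def triage_msix(package_bytes):
    """Inspect an MSIX blob and return the script, gate and URL indicators found."""
    findings = {"scripts": [], "psf_startup_scripts": [], "domain_gate_hits": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            is_script = lower.endswith(SCRIPT_SUFFIXES)
            is_config = lower.endswith("config.json")
            if not (is_script or is_config):
                continue
            text = zf.read(name).decode("utf-8", "replace")
            if is_script:
                findings["scripts"].append(name)
            if is_config:
                findings["psf_startup_scripts"] += _psf_startup_scripts(text)
            for pat in DOMAIN_GATE_PATTERNS:
                if re.search(pat, text):
                    findings["domain_gate_hits"].append((name, pat))
            findings["urls"] += URL_PATTERN.findall(text)
    findings["verdict"] = _verdict(findings)
    return findings


def build_sample_package(kind="gated"):
    """Constructed test package, NOT a real sample. 'gated' carries an inert
    PowerShell stage that exits on non-domain hosts; 'no_script' carries none."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", "<Package/>")
        zf.writestr("VFS/app.exe", b"MZ placeholder")
        if kind == "gated":
            cfg = {"applications": [{"id": "App", "executable": "VFS\\app.exe",
                                     "startScript": {"scriptPath": "start.ps1"}}]}
            zf.writestr("config.json", json.dumps(cfg))
            zf.writestr("start.ps1",
                        "$cs = Get-CimInstance Win32_ComputerSystem\n"
                        "if (-not $cs.PartOfDomain) { exit }   # hypothetical gate\n"
                        "Start-Process 'https://updates.example.invalid/next'\n")
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("gated", "no_script"):
        print(kind, "->", triage_msix(build_sample_package(kind))["verdict"])
```

Point the triage function at a downloaded installer and read the findings: a declared start script that also references PartOfDomain or GetComputerDomain is the pattern to escalate, and any URL pulled from the script gives you the redirect-style variant's next hop to block. Packages from real download sites will contain many more entries, so the script deliberately only opens script-like files and config.json rather than decoding every payload.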

The 7-Zip campaign has also been active since April 2024 and was the only attack vector still active at the time Insikt Group authored its report, with the most recent domain being registered in April 2025.

The third attack vector was the TAG-124 traffic distribution system (TDS), a network of compromised WordPress sites that spread malware via fake browser updates and the ClickFix technique. This campaign, which began in August 2024, was noted by Insikt Group to be the first known use of TAG-124 by the GrayAlpha cluster, and was used to deploy the PowerNet loader.

All three vectors were used to deploy NetSupport RAT, which has also been used by FIN7. All of the NetSupport RAT samples used by GrayAlpha were tied to one of two license IDs associated with NetSupport RAT samples previously used by FIN7.

Insikt Group recommends several mitigations for organizations to defend themselves against GrayAlpha and FIN7 attacks, including threat landscape monitoring, access controls following the principle of least privilege and minimization of sensitive data storage in case of a breach. Defenders can use such threat intelligence, including the indicators of compromise (IoCs) included in the report, to detect malicious activity related to GrayAlpha.

FIN7 is a financially motivated advanced persistent threat (APT) group that has been active since 2013. It is known for its payment card theft campaigns as well as intrusions into corporate networks, mainly targeting the retail, hospitality and finance industries. The group leverages a wide range of tools and malware and has also involved itself in the ransomware-as-a-service (RaaS) ecosystem.

Earlier this year, FIN7 launched malspam campaigns delivering a Python-based backdoor called Anubis via malicious ZIP files hosted on compromised SharePoint sites.
