Security researchers from Insikt Group have identified new infrastructure and attack methodologies attributed to GrayAlpha, a threat actor with strong overlaps with the notorious FIN7 group.
The latest campaigns show GrayAlpha actively deploying fake browser update sites and other deceptive download lures to deliver custom malware loaders, including a newly discovered PowerShell loader dubbed PowerNet, and ultimately to install the NetSupport Remote Access Trojan (RAT) on victims' systems.
Technical Overview
GrayAlpha's recent operations rely on three primary infection vectors: fake browser update pages, counterfeit 7-Zip download sites, and a third vector not previously documented for this group, which routes victims through the TAG-124 traffic distribution system (TDS).

These infection vectors are supported by an array of newly registered domains and bulletproof hosting infrastructure, with the malicious sites often masquerading as legitimate services such as Google Meet, SAP Concur, LexisNexis and CNN.
The attack chain typically begins when a user lands on a spoofed site, reached through malvertising or social engineering.
According to the Insikt Group report, these sites fingerprint the visitor's system with JavaScript and then prompt the user to download a fraudulent browser update or software installer.
The payload is served from endpoints such as /download.php or from product-specific download links, while command-and-control (C2) traffic is routed through CDN-themed domains.
Once executed, the initial payload acts as a loader; the most notable is a custom PowerShell-based loader dubbed PowerNet.
PowerNet decompresses NetSupport RAT and runs it in memory, giving the attackers persistent remote access, the ability to move laterally, and a channel for exfiltrating sensitive data.
Researchers also identified a second loader, MaskBat, a heavily obfuscated script similar to FakeBat but with strings and characteristics tying it directly to GrayAlpha.
Both loaders run as malicious PowerShell scripts, underscoring the actor's preference for fileless, memory-resident execution that leaves little on disk for endpoint detection and response tools to inspect.
Infrastructure and Attribution
Investigations traced most of the malicious domains to bulletproof hosting networks, notably AS44477 and AS41745, widely recognized for facilitating cybercriminal activity.
The hosting is operated by entities such as Stark Industries Solutions and "Baykov Ilya Sergeevich," the latter closely tied to the "hip-hosting" ISP, which has previously been linked to FIN7 malware campaigns involving POWERTRASH and DiceLoader.

Insikt Group’s analysis, supported by domain registration records and infrastructure overlaps, strengthens the attribution of these campaigns to GrayAlpha and, by extension, to the broader FIN7 criminal ecosystem.
FIN7 is known for its sophisticated operational structure, with specialized teams for malware development, phishing, money laundering, and management.
The group’s focus remains financially motivated intrusions into retail, hospitality, and financial services, often leveraging social engineering and custom implants to compromise enterprise systems.
Although all three infection vectors were in concurrent use during the campaign, only the fake 7-Zip download sites remained active as of April 2025, according to the researchers.
The continuous registration of new domains and the reliance on bulletproof hosting underscore how quickly this infrastructure is rotated.
To counter these threats, organizations should implement application allow-listing to stop unauthorized software from executing, alongside security awareness training that helps employees recognize suspicious update prompts and malvertising redirects.
Detection rules, including regularly updated YARA signatures and network monitoring for the actor's lure domains and download endpoints, are essential for identifying both current and historical infections, especially given the adaptive tactics of actors like GrayAlpha.
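As an added illustration of the network monitoring and script-level detection recommended above (example code written for this page, not taken from the Insikt Group report or any of its tooling), the Python below runs two heuristics over constructed sample data: it flags payload fetches (the /download.php endpoint named in the report, plus executable extensions as a generalisation) from hosts that impersonate the brands the lure sites spoof, and it flags PowerShell script blocks that decompress a blob and execute it in memory, the behaviour attributed to PowerNet. Everything beyond the report's own facts is an assumption: the .example hostnames, the allow-list of legitimate hosts, the regular expressions, the proxy log layout, and the client32.exe/client32.ini file names, which are NetSupport Manager's standard client artifacts rather than names the report gives.

```python
import re
from urllib.parse import urlsplit

# Brands the report says the lure sites impersonate (7-Zip is the fake installer lure).
# Substring tokens and the allow-listed legitimate hosts are this example's assumptions.
BRAND_TOKENS = {
    "googlemeet": "Google Meet", "meetgoogle": "Google Meet", "concur": "SAP Concur",
    "lexisnexis": "LexisNexis", "cnn": "CNN", "7zip": "7-Zip",
}
KNOWN_GOOD_HOSTS = {
    "meet.google.com", "www.concursolutions.com", "www.lexisnexis.com",
    "www.cnn.com", "www.7-zip.org",
}

# /download.php comes from the report; the executable extensions generalise the
# "product-specific download links" it mentions.
PAYLOAD_PATH = re.compile(r"/download\.php$|\.(?:exe|msi|zip|js)$", re.IGNORECASE)

# Loader behaviour from the report: decompress a blob, then run it in memory.
DECOMPRESS = re.compile(r"GZipStream|DeflateStream|Decompress|FromBase64String", re.IGNORECASE)
IN_MEMORY_EXEC = re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load|-EncodedCommand",
                            re.IGNORECASE)
# client32.exe / client32.ini are NetSupport Manager's usual client file names (assumption,
# not from the report).
NETSUPPORT = re.compile(r"client32\.(?:exe|ini)|NetSupport", re.IGNORECASE)


def impersonated_brand(host):
    """Return the brand a hostname imitates, or None for allow-listed or unrelated hosts.
    Dots and hyphens are squashed so 'google-meet-update.example' still matches."""
    host = host.lower().rstrip(".")
    if host in KNOWN_GOOD_HOSTS:
        return None
    squashed = host.replace("-", "").replace(".", "")
    for token, brand in BRAND_TOKENS.items():
        if token in squashed:
            return brand
    return None


def triage_proxy_line(line):
    """Parse one proxy log line in the constructed layout
    '<timestamp> <client_ip> <method> <url> <status>' and return an alert dict
    when a payload is fetched from a brand-impersonating host, else None."""
    timestamp, client_ip, _method, url, _status = line.split()
    parts = urlsplit(url)
    brand = impersonated_brand(parts.hostname or "")
    if brand and PAYLOAD_PATH.search(parts.path):
        return {"time": timestamp, "client": client_ip, "host": parts.hostname,
                "path": parts.path, "lure": brand}
    return None


def triage_script_block(script):
    """Return the reasons a PowerShell script block (e.g. from event ID 4104) looks
    like the loader chain: decompress-and-run-in-memory, or a NetSupport artifact."""
    reasons = []
    if DECOMPRESS.search(script) and IN_MEMORY_EXEC.search(script):
        reasons.append("decompress-then-execute in memory")
    if NETSUPPORT.search(script):
        reasons.append("NetSupport RAT artifact")
    return reasons


# Constructed sample data; none of these hosts or scripts are real indicators.
PROXY_LOG = [
    "2025-04-02T10:14:05Z 10.0.0.12 GET http://google-meet-update.example/download.php 200",
    "2025-04-02T10:15:41Z 10.0.0.19 GET http://www.7-zip.org/a/7z2409-x64.exe 200",
    "2025-04-02T10:16:02Z 10.0.0.21 GET http://7zip-official-download.example/7z-setup.exe 200",
    "2025-04-02T10:16:30Z 10.0.0.21 GET http://cdn-static-assets.example/api/ping 200",
]
SCRIPT_BLOCKS = {
    "loader": "$b=[Convert]::FromBase64String($blob);$ms=New-Object IO.MemoryStream(,$b);"
              "$gz=New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress);"
              "$sr=New-Object IO.StreamReader($gz);IEX $sr.ReadToEnd()",
    "admin": "Expand-Archive -Path C:\\temp\\logs.zip -DestinationPath C:\\temp\\out; "
             "Get-ChildItem C:\\temp\\out",
    "rat": "Start-Process C:\\Users\\Public\\client32.exe -WindowStyle Hidden",
}


def run_samples():
    """Apply both heuristics to the sample data; returns (proxy alerts, script alerts)."""
    proxy_alerts = [alert for alert in map(triage_proxy_line, PROXY_LOG) if alert]
    script_alerts = {name: triage_script_block(s) for name, s in SCRIPT_BLOCKS.items()
                     if triage_script_block(s)}
    return proxy_alerts, script_alerts


if __name__ == "__main__":
    proxy, scripts = run_samples()
    for alert in proxy:
        print("payload fetch from lure host:", alert)
    for name, reasons in scripts.items():
        print(f"script block '{name}':", ", ".join(reasons))
```

Two limits worth noting. The CDN-themed C2 domains the report describes carry no brand name, so the hostname heuristic deliberately does not fire on the fourth proxy line; catching that traffic needs the actual indicators from the report or newly-registered-domain enrichment, not a lookalike check. And the decompress-then-execute pattern will also match legitimate administration scripts that base64-decode and IEX a payload, so it is a triage signal to be combined with process ancestry and the download event, not a standalone block rule.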
The findings reflect a broader trend of professionalization and specialization within the cybercriminal ecosystem, where groups like GrayAlpha/FIN7 deploy persistent and innovative attack techniques rivaling those of advanced persistent threat (APT) actors.
As cybercrime continues to evolve, so must organizational defenses, with a focus on proactive monitoring, layered security controls, and information sharing across the cybersecurity community.