GrayAlpha Hacker Group Weaponizes Browser Updates to Deploy PowerNet Loader and NetSupport RAT

Jun 16, 2025 - 12:40

Cybersecurity researchers have uncovered a sophisticated campaign by the GrayAlpha threat actor group that leverages fake browser update pages to deploy advanced malware, including a newly identified custom PowerShell loader dubbed PowerNet.

The operation, which has been active since at least April 2024, represents a significant evolution in the group’s tactics, demonstrating their ability to weaponize seemingly legitimate software update mechanisms to compromise victims across multiple industries.

The campaign employs three distinct infection vectors, with fake browser updates serving as the primary delivery mechanism alongside malicious 7-Zip download sites and the previously undocumented TAG-124 traffic distribution system.

These sophisticated attack chains ultimately culminate in the deployment of NetSupport RAT, a remote access trojan that provides attackers with comprehensive system control over infected machines.

The threat actors have demonstrated remarkable persistence, with newly registered domains appearing as recently as April 2025, indicating ongoing active operations.

Recorded Future analysts identified new infrastructure associated with GrayAlpha, revealing the group’s overlap with the financially motivated cybercriminal organization commonly known as FIN7.

This connection is particularly significant given FIN7's established reputation as one of the most prolific and technically sophisticated cybercriminal groups, with operations dating back to 2013 and a documented history of targeting organizations across 47 US states and multiple countries.

The fake browser update infrastructure comprises an extensive network of domains designed to impersonate legitimate products and services, including Google Meet, LexisNexis, Asana, SAP Concur, and Advanced IP Scanner.

These deceptive sites employ sophisticated fingerprinting techniques, utilizing JavaScript functions such as getIPAddress() and trackPageOpen() to profile victim systems before delivering malicious payloads.

The threat actors have demonstrated considerable operational security awareness, hosting their infrastructure primarily through bulletproof hosting providers, with the majority of domains resolving to infrastructure operated by Stark Industries Solutions.

The PowerNet loader represents a significant technical advancement in GrayAlpha’s arsenal, functioning as a custom PowerShell-based tool that decompresses and executes NetSupport RAT payloads.

This loader works in conjunction with MaskBat, another custom loader that shares similarities with the known FakeBat malware but incorporates enhanced obfuscation techniques and strings specifically linked to GrayAlpha operations.

Infection Mechanism

The browser update infection vector demonstrates sophisticated social engineering combined with technical precision. When victims visit compromised or malicious websites, they are redirected to fake update pages that closely mimic legitimate software update interfaces.

GrayAlpha uses three different infection vectors, all leading to NetSupport RAT infections (Source: Recorded Future)

These pages employ advanced fingerprinting scripts that collect detailed system information before determining whether to serve malicious content.

The fingerprinting process typically involves sending POST requests to content delivery network-themed domains, such as cdn40[.]click, which follow a consistent naming pattern beginning with “cdn” followed by random numbers and various top-level domains.

Once the system fingerprinting is complete and the victim is deemed suitable for infection, the malicious payload is delivered through specific endpoints, most commonly /download.php, though variations include /download/download.php and product-specific paths designed to enhance the appearance of legitimacy.
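The two observable traits described above, the cdn<digits>.<tld> hostname pattern (cdn40[.]click is the article's example) and the /download.php and /download/download.php payload endpoints, are simple to check for in web proxy logs. The following detection script is an added example written for this page; it is not code from the article or from Recorded Future. The log line format, the sample log lines, and the hostname regular expression generalised from the single example domain are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: hostname pattern generalised from the article's description
# ("cdn" followed by random numbers and various TLDs) and its one example,
# cdn40[.]click. It only matches second-level names of that exact shape.
CDN_THEMED_HOST = re.compile(r"^cdn\d+\.[a-z]{2,}$", re.IGNORECASE)

# Payload delivery endpoints named in the article.
PAYLOAD_PATHS = {"/download.php", "/download/download.php"}

# Constructed (hypothetical) proxy log format, not a vendor format:
# <timestamp> <client_ip> <method> <scheme>://<host><path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>/[^\s?]*)?(?:\?\S*)?"
    r"\s+(?P<status>\d{3})$"
)


@dataclass
class Finding:
    client: str
    host: str
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; return None for malformed input."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"] or "/"
    return rec


def assess(rec: dict) -> Optional[Finding]:
    """Collect every reason a request matches the campaign's described traffic."""
    reasons = []
    host = rec["host"].split(":")[0].lower()  # drop an explicit port, if any
    if CDN_THEMED_HOST.match(host):
        reasons.append("cdn<digits>.<tld> hostname pattern")
    if rec["path"] in PAYLOAD_PATHS:
        reasons.append(f"known payload endpoint {rec['path']}")
    if rec["method"] == "POST" and CDN_THEMED_HOST.match(host):
        # The article describes fingerprint data being POSTed to these hosts.
        reasons.append("POST (fingerprint upload) to cdn-themed host")
    if not reasons:
        return None
    return Finding(rec["client"], host, rec["path"], reasons)


def high_confidence(f: Finding) -> bool:
    """Two independent traits together are a much stronger signal than one."""
    return len(f.reasons) >= 2


def scan(lines: List[str]) -> List[Finding]:
    """Run the assessment over a log; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = assess(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: two lines modelled on the article's description,
# one benign CDN fetch, one benign site that happens to use /download/download.php,
# and one malformed line.
SAMPLE_LOG = [
    "2025-04-02T10:00:01Z 10.1.2.3 POST https://cdn40.click/ 200",
    "2025-04-02T10:00:02Z 10.1.2.3 GET https://cdn40.click/download.php 200",
    "2025-04-02T10:00:03Z 10.1.2.4 GET https://cdn.example-legit.net/static/app.js 200",
    "2025-04-02T10:00:04Z 10.1.2.5 GET https://docs.example.org/download/download.php 200",
    "not a log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "HIGH" if high_confidence(f) else "low "
        print(f"[{tag}] {f.client} -> {f.host}{f.path}: {'; '.join(f.reasons)}")
```

The payload path on its own is a weak indicator, since plenty of legitimate sites serve a /download.php; the script therefore reports it at low confidence and only escalates when the host pattern or a POST to such a host is also present. Because the hostname check requires the digits to sit directly before the TLD, numbered hosts under a real organisation's domain (cdn1.example.com) do not match, which keeps the rule close to what the article actually describes.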

The PowerNet loader then initiates its decompression and execution sequence, establishing persistence on the target system while preparing to deploy the NetSupport RAT payload.

This multi-stage approach allows the threat actors to maintain operational flexibility while minimizing detection by security solutions, as evidenced by the campaign's sustained activity over more than a year.

The post GrayAlpha Hacker Group Weaponizes Browser Updates to Deploy PowerNet Loader and NetSupport RAT appeared first on Cyber Security News.