GrayAlpha Weaponises Fake Browser Updates to Drop PowerNet Loader

Security researchers have uncovered a wave of attacks orchestrated by GrayAlpha, a cybercriminal operation linked to the FIN7 group, exploiting cloned browser update pages to install a custom PowerShell loader dubbed PowerNet and ultimately deliver NetSupport RAT malware. Infrastructure analysis confirms the use of fake browser updates, counterfeit 7‑Zip download sites, and a previously unreported Traffic Distribution System called TAG‑124 as delivery mechanisms.

The initial compromise begins when victims visit compromised sites or encounter malvertising and are redirected to fabricated update pages mimicking legitimate services like Google Meet, SAP Concur, LexisNexis and Advanced IP Scanner. Sophisticated JavaScript fingerprinting scripts capture system details before transitioning users to download payloads via URLs such as /download.php. These downloads deploy PowerNet—a custom PowerShell loader designed to unpack and execute NetSupport RAT in memory.

Recorded Future’s Insikt Group analysis traced overlapping infection paths active since April 2024. While each vector—fake updates, counterfeit 7‑Zip sites, and TAG‑124 TDS—was employed in tandem, only the bogus 7‑Zip pages remained active by mid‑June 2025, with new domains registered as recently as April 2025. The study also cites “MaskBat,” a second custom loader resembling FakeBat malware that carries GrayAlpha-specific code strings.


The investigation highlights the group’s use of bullet‑proof hosting services, primarily Stark Industries Solutions, with additional infrastructure through HIVELOCITY and HIP‑hosting. These providers obscure the group’s digital footprint and frustrate takedown attempts. The misuse of TAG‑124 TDS is particularly notable, marking its first known public disclosure and demonstrating growing sophistication in chaining infection methods.

Analysts caution that these tactics emulate FIN7’s modus operandi—highly targeted, multi-stage campaigns with advanced tooling. FIN7 has conducted cybercrime operations since at least 2013, notably targeting retail, hospitality and finance sectors. It remains structured like a corporate entity, employing specialised teams for malware creation, phishing, money laundering and logistics.

In light of these threats, cybersecurity experts recommend stringent application allow‑listing, enhanced employee training to spot deceptive update prompts or malvertising, and deployment of YARA rules and network intel indicators capable of identifying PowerNet, MaskBat and NetSupport RAT activity. Organisations are also urged to actively monitor web infrastructure and domain registrations linked to TDS TAG‑124 campaigns.
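The infection chain described earlier (lure page, fingerprinting script, then a payload fetched from a path such as /download.php) and the monitoring recommendations above both lend themselves to a simple proxy-log triage. The following Python is an added example written for this article, not code from the Insikt Group report or from any of the tools it names: it parses constructed web-proxy log lines and flags download.php requests that return executable-looking content from update- or installer-themed hosts. Every host name, IP address and log line is constructed for illustration, the log format is assumed, and the keyword list is a starting heuristic rather than an indicator set from the report.

```python
"""Triage web-proxy logs for fake-update download chains.

Heuristic only: a GET to a path ending in /download.php that returns
executable-looking content, reached via a host or referer that uses
update/installer themed wording. All log lines, hosts and addresses
below are constructed for illustration; none are indicators from the
report this article summarises.
"""
import re
from urllib.parse import urlparse

# Constructed sample log. Assumed format:
# "<ts> <client> <method> <url> <status> <content-type> referer=<url|->"
SAMPLE_LOG = """\
2025-06-12T09:14:02Z 10.0.0.21 GET https://docs.example.internal/download.php?id=88 200 application/pdf referer=https://docs.example.internal/reports
2025-06-12T09:15:40Z 10.0.0.34 GET https://cdn-browser-update.example-lure.test/fp.js 200 application/javascript referer=https://news.example.test/story
2025-06-12T09:15:43Z 10.0.0.34 GET https://cdn-browser-update.example-lure.test/download.php 200 application/octet-stream referer=https://cdn-browser-update.example-lure.test/update
2025-06-12T09:20:11Z 10.0.0.50 GET https://files.example.test/download.php?f=notes.txt 200 text/plain referer=https://files.example.test/
2025-06-12T09:22:05Z 10.0.0.61 GET https://7zip-mirror.example-lure.test/download.php 200 application/x-msdownload referer=-
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) referer=(?P<referer>\S+)$"
)

# Wording seen on fake-update and counterfeit-installer lures (assumed list).
LURE_WORDS = re.compile(r"update|upgrade|install|browser|chrome|edge|firefox|7-?zip", re.I)

# Content types that usually mean "a binary was served", not a document.
PAYLOAD_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/zip",
    "application/x-zip-compressed",
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return the reasons an event resembles a fake-update download (empty list if none)."""
    reasons = []
    url = urlparse(event["url"])
    if not url.path.endswith("/download.php"):
        return reasons  # only the download step is scored here
    ctype = event["ctype"].lower()
    ref = urlparse(event["referer"])
    if ctype in PAYLOAD_TYPES:
        reasons.append("executable-like response from download.php")
    if LURE_WORDS.search(url.netloc) or LURE_WORDS.search(ref.netloc + ref.path):
        reasons.append("update/installer themed host or referer")
    if event["referer"] == "-" and ctype in PAYLOAD_TYPES:
        reasons.append("direct binary download with no referer")
    return reasons


def scan(log_text, min_reasons=2):
    """Return (client, url, reasons) for events with at least min_reasons hits."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if len(reasons) >= min_reasons:
            hits.append((event["client"], event["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} {url}\n  - " + "\n  - ".join(reasons))
```

Requiring two independent reasons keeps ordinary download.php endpoints that serve PDFs or text out of the results, while the two lure-themed binary downloads in the constructed log are surfaced; a real deployment would feed the flagged client addresses into endpoint telemetry to look for the follow-on PowerShell execution the article describes.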

This campaign underscores a growing trend among financially motivated cyber actors: increasingly professional operations employing deceptive surface-level strategies to deliver heavyweight payloads. While the infection vector varies—browser updates, download portals or redirect chains—the end goal remains consistent: persistence via NetSupport RAT, enabling remote access, surveillance, and data exfiltration.


Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

