GrayAlpha Operation Detection: The Fin7-Affiliated Group Spreads PowerNet Loader, NetSupport RAT, and MaskBat Loader

GrayAlpha Operation Detection

Defenders have identified a highly sophisticated campaign orchestrated by the GrayAlpha threat actors. In this campaign, hackers employ fake browser updates and other infection vectors to deliver advanced malicious strains, a newly discovered custom PowerShell loader dubbed PowerNet, and NetSupport RAT. Notably, adversaries behind this campaign are linked to the nefarious, financially motivated group widely recognized as FIN7.

Detect Malicious Activity Associated With GrayAlpha Operation

Cybercrime is projected to cost the world $10.5 trillion annually by 2025, driven by increasingly sophisticated financially motivated attacks. As digital threats grow more complex, financially driven groups like FIN7 remain active, despite claims of their dissolution in 2023. Recently, security researchers uncovered a sophisticated campaign by a new threat group, GrayAlpha. It shows significant overlap with the infamous FIN7, signaling the evolution—not disappearance—of one of the most prolific cybercrime actors of the past decade.

Register for SOC Prime Platform to obtain a curated set of Sigma rules to detect malicious activity associated with GrayAlpha backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just hit the Explore Detections button below and immediately drill down to a relevant detection stack. 

Explore Detections

Cyber defenders seeking more relevant content to detect cyber-attacks linked to the FIN7 group might access the entire collection of relevant detection algorithms by searching the Threat Detection Marketplace with the “FIN7” tag.

All the rules are compatible with multiple SIEM, EDR, and Data Lake technologies, and mapped to MITRE ATT&CK® to streamline threat investigation. Additionally, each rule is enriched with extensive metadata, including CTI references, attack timelines, audit configurations, triage recommendations, and more. 

Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs from the dedicated Recorded Future report into actionable hunting queries, enabling efficient investigation of GrayAlpha activity. Additionally, Uncoder supports crafting detection logic from raw threat reports, ATT&CK tags prediction, AI-driven query optimization, and detection content translation across multiple platforms.

Use Uncoder AI to hunt for GrayAlpha attacks using custom queries converted from IOCs in the Insikt Group report.

GrayAlpha Operation Analysis

Recorded Future’s Insikt Group uncovered a new advanced offensive campaign linked to GrayAlpha, a hacking group with ties to the notorious financially motivated FIN7 group. The adversary infrastructure includes recently registered domains used for payload delivery and additional IP addresses linked to the malicious campaign. Researchers have discovered a new custom PowerShell loader named PowerNet, designed to decompress and execute the NetSupport RAT, as well as another loader named MaskBat, an obfuscated variant sharing similarities with FakeBat, which contains artifacts associated with GrayAlpha.

The investigation revealed three primary infection methods: deceptive browser update prompts, fake 7-Zip download websites, and a traffic distribution system (TDS) identified as TAG-124, whose use had not been publicly reported before. Although all three infection vectors were observed concurrently, only the fake 7-Zip sites remained active at the time of analysis, with new domains registered as recently as April 2025. Notably, further scrutiny of these domains led to the identification of an individual potentially linked to the GrayAlpha operation.

GrayAlpha is a hacking gang closely linked to the Russia-backed FIN7, a prolific and technically advanced cybercriminal organization active since at least 2013. FIN7 operates like a professional enterprise, with dedicated teams for malware development, phishing, and money laundering, primarily targeting the retail, hospitality, and financial sectors to steal payment data and access corporate networks.

Over time, FIN7 expanded into ransomware, partnering with groups like REvil and Maze and running its own operations such as Darkside and BlackMatter. In mid-summer of 2024, the FIN7 hacking collective used weaponized Google Ads while spoofing popular brands to deliver NetSupport RAT via MSIX payloads, highlighting the group’s ongoing adaptability and persistence in the cybercrime landscape.

Over the past year, researchers tracked three main infection vectors used by GrayAlpha to deliver NetSupport RAT: fake software update pages, malicious 7-Zip download sites, and the TAG-124 traffic distribution system (TDS). These campaigns leveraged PowerNet and MaskBat PowerShell-based loaders.

As for the first attack vector, GrayAlpha has been running fake browser update sites since at least April 2024, impersonating brands like Google Meet, SAP Concur, CNN, and others. These sites commonly include scripts for fingerprinting victim devices, such as getIPAddress() and trackPageOpen(), and deliver payloads via endpoints like /download.php or its variants. Some campaigns even leveraged compromised or arbitrarily named domains, often tied to suspicious email accounts and hosted on shared malicious infrastructure.
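The following is an added triage example (not code from the original post, SOC Prime, or the Insikt Group report) that turns the indicators named above into two defender-side checks: flagging web-proxy requests to a /download.php-style endpoint on a domain outside a local allowlist, and scoring a captured page source for the getIPAddress() / trackPageOpen() fingerprinting helpers alongside a download.php reference. The log format, the allowlist, the sample log lines and the sample page are constructed for this example, and the regular expression used for "variants" of /download.php is an assumption about what such variants look like.

```python
"""
Triage helper for the fake-browser-update vector described above.

Two checks, both derived from indicators named in the report:
  1. Web-proxy log lines requesting /download.php (or a variant such as
     /download2.php) from a domain that is not on a local allowlist.
  2. Page source captured for analysis that contains the fingerprinting
     helpers getIPAddress() / trackPageOpen() together with a download.php
     reference.

The log format, the allowlist and the sample inputs are constructed for
this example; the variant regex is an assumption about how "variants"
of /download.php are named.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: variants of /download.php keep the "download" stem.
DOWNLOAD_ENDPOINT = re.compile(r"^/download[\w-]*\.php$", re.IGNORECASE)
FINGERPRINT_FUNCS = ("getIPAddress(", "trackPageOpen(")

# Constructed allowlist of hosts that legitimately serve a download.php.
ALLOWED_DOMAINS = {"downloads.example-corp.internal"}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2025-04-02T10:01:12Z 10.0.5.21 GET https://downloads.example-corp.internal/download.php?id=7 200
2025-04-02T10:04:55Z 10.0.5.21 GET https://browser-update-check.example/download.php 200
2025-04-02T10:05:01Z 10.0.7.9 GET https://meet-update.example/download2.php?v=1 200
2025-04-02T10:06:30Z 10.0.7.9 GET https://cdn.example.net/static/app.js 200
"""


def parse_proxy_line(line):
    """Split one constructed proxy line into its fields and decompose the URL."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": status}


def find_download_php_hits(log_text):
    """Return {client_ip: [hosts]} for requests to a download.php-style
    endpoint on a host that is not on the allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_proxy_line(line)
        if DOWNLOAD_ENDPOINT.match(ev["path"]) and ev["host"] not in ALLOWED_DOMAINS:
            hits[ev["client"]].append(ev["host"])
    return dict(hits)


def score_page_source(html):
    """Count report-derived indicators present in a captured page source.
    One point per fingerprinting helper, one for a download.php reference;
    a page carrying all three scores 3."""
    score = sum(1 for func in FINGERPRINT_FUNCS if func in html)
    if re.search(r"download[\w-]*\.php", html, re.IGNORECASE):
        score += 1
    return score


# Constructed page snippet mirroring the structure the report describes.
SAMPLE_PAGE = """<script>
function getIPAddress(){ /* ... */ }
function trackPageOpen(){ /* ... */ }
document.getElementById('upd').onclick = () => location.href = '/download.php';
</script>"""

if __name__ == "__main__":
    for client, hosts in find_download_php_hits(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {', '.join(hosts)}")
    print("page score:", score_page_source(SAMPLE_PAGE))
```

The allowlist matters: download.php is a common filename on legitimate sites, so the endpoint match alone is a weak signal and is best combined with domain reputation or registration age (the report notes recently registered domains) before it is promoted to an alert.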

The second infection vector involved fake 7-Zip download sites, which used the same host fingerprinting scripts as other spoofed software pages and delivered the custom PowerNet loader. PowerNet typically verifies if the target machine belongs to an enterprise domain before proceeding, halting execution if the check fails. Defenders identified five PowerNet variants, some of which bypass the domain check, while others retrieve the payload from a remote URL instead of the MSIX package. Notably, the enterprise check code also appears in the Usradm Loader, a tool linked to the FIN7-affiliated WaterSeed group.

Active since April 2024, the 7-Zip campaign was the only vector still in use when Insikt Group published its findings, with the latest domain registered in April 2025.

The third attack vector relied on the TAG-124 TDS, a network of compromised WordPress sites that distribute malware through fake browser update pages and the ClickFix tactic. First seen in August 2024, this marked GrayAlpha’s initial use of TAG-124 and was also used to deploy PowerNet.

All three attack methods ultimately led to infections with NetSupport RAT, which shares licensing identifiers with samples previously attributed to FIN7, reinforcing the link between GrayAlpha and the nefarious cybercriminal group.

As potential mitigation steps to reduce the risks of GrayAlpha attacks, defenders recommend closely monitoring the threat landscape, enforcing strict access controls based on the principle of least privilege, and limiting the storage of sensitive data to minimize impact in the event of a breach. Although APT campaigns are typically associated with nation-backed threat actors, GrayAlpha illustrates that financially motivated cybercriminals can exhibit comparable levels of persistence. As offensive operations grow more specialized and collaborative while mirroring the structure of RaaS, organizations should adopt a flexible, all-encompassing cybersecurity strategy to stay ahead of evolving threats. SOC Prime Platform equips security teams with a complete enterprise-ready product suite powered by the fusion of AI, automation capabilities, and real-time threat intel to enable progressive organizations to preempt sophisticated attacks and minimize the risks of data breaches.

The post GrayAlpha Operation Detection: The Fin7-Affiliated Group Spreads PowerNet Loader, NetSupport RAT, and MaskBat Loader appeared first on SOC Prime.