PULSE NAME
GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT.
WHITE PetrP.73 2025-06-15 Modified: 2025-07-15
381 IOCs, HIGH VOLUME
Insikt Group has uncovered new infrastructure and malware associated with GrayAlpha, a cyber threat actor with ties to the financially motivated group FIN7. Specifically, three primary infection vectors have been identified: fake browser updates, malicious 7-Zip download pages, and a traffic distribution system (TDS) known as TAG-124, which had not been linked to GrayAlpha previously. The threat actor employs a new PowerShell loader called PowerNet and an obfuscated variant of FakeBat dubbed MaskBat, both of which facilitate the delivery of the NetSupport Remote Access Trojan (RAT).