GrayCharlie
Threat actor tracked by Recorded Future. Further details pending analysis.
Attribution signal
?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 LowAttribution signals
6 mentions · 1 source"sustained and widespread use of traffic distribution systems (TDS), including activity by TAG-124, GrayCharlie, and other threat actors"
"GrayCharlie is Insikt Group's designation for a threat activity group that first appeared in mid-2023 and is behind SmartApeSG, also referred to as ZPHP or HANEYMANEY."
"Insikt Group identified two main NetSupport RAT clusters linked to GrayCharlie based on factors such as TLS certificates, NetSupport serial numbers and license keys, and the timing of the activity"
"Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider."
"Insikt Group assesses that these clusters may correspond either to different individuals associated with GrayCharlie or to distinct GrayCharlie campaigns."
"Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023"
Hedge terms observed