{
	"id": "52880a32-59f5-4e6d-9aca-62c480c7cf58",
	"created_at": "2026-04-06T00:15:34.596542Z",
	"updated_at": "2026-04-10T13:11:20.163687Z",
	"deleted_at": null,
	"sha1_hash": "045fd4223e4ea74fc65300aa8e0e7d48178d38d9",
	"title": "CastleLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2119552,
	"plain_text": "CastleLoader\r\nBy The Hivemind\r\nArchived: 2026-04-05 21:44:17 UTC\r\nVerticals Targeted: Government\r\nRegions Targeted: US\r\nRelated Families: StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, SectopRAT\r\nExecutive Summary\r\nCastleLoader, a versatile malware loader, has infected 469 devices since May 2025, leveraging Cloudflare-themed\r\nClickFix phishing and fake GitHub repositories to deliver information stealers and RATs. Its sophisticated attack\r\nchain, high infection rate, and modular design make it a significant threat to organizations, particularly U.S.\r\ngovernment entities.\r\nKey Takeaways\r\nCastleLoader employs ClickFix phishing and fake GitHub repositories to trick users into executing\r\nmalicious PowerShell commands.\r\nThe malware has a 28.7% infection rate, compromising 469 devices out of 1,634 attempts since May 2025.\r\nIt delivers multiple payloads, including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, and\r\nSectopRAT.\r\nU.S. government entities are among the critical victims targeted by CastleLoader campaigns.\r\nhttps://blog.polyswarm.io/castleloader\r\nPage 1 of 3\n\nWhat is CastleLoader?\r\nSince its emergence in early 2025, CastleLoader has established itself as a formidable malware loader,\r\norchestrating the delivery of information stealers and remote access trojans (RATs) through advanced phishing\r\ntactics and deceptive GitHub repositories. Cybersecurity researchers at PRODAFT have tracked its campaigns,\r\nwhich have infected 469 devices out of 1,634 attempts since May 2025, yielding a 28.7% infection rate. This high\r\nsuccess rate underscores the malware’s effectiveness in exploiting human behavior and trusted platforms, with a\r\nnotable impact on U.S. government entities.\r\nCastleLoader’s primary infection vector is the ClickFix phishing technique, often themed around Cloudflare\r\nservices. Victims are lured to fraudulent domains mimicking software development libraries, online meeting\r\nplatforms like Google Meet, or browser update notifications. These pages display fake error messages or\r\nCAPTCHA prompts, tricking users into copying and executing malicious PowerShell commands via the Windows\r\nRun prompt. This method bypasses traditional email-based security by exploiting user-initiated actions.\r\nAlternatively, CastleLoader leverages fake GitHub repositories, such as one disguised as SQL Server Management\r\nStudio (SSMS-lib), to distribute malicious installers. These repositories exploit developers’ trust in GitHub,\r\nprompting them to run seemingly legitimate software that connects to a command-and-control (C2) server. The\r\nloader’s modular design allows it to deploy a range of secondary payloads, including StealC, RedLine,\r\nDeerStealer, NetSupport RAT, SectopRAT, and HijackLoader, depending on the campaign’s objectives. StealC,\r\nRedLine, and DeerStealer focus on harvesting credentials, browser data, and cryptocurrency wallets, while\r\nNetSupport RAT and SectopRAT provide backdoor access for persistent control. HijackLoader, another loader,\r\nfurther extends the attack chain, amplifying CastleLoader’s versatility.\r\nThe malware’s technical sophistication is evident in its use of PowerShell and AutoIT scripts. After initial\r\nexecution, the AutoIT script loads shellcode into memory as a DLL, resolving hashed DLL names and APIs to\r\nconnect to one of seven distinct C2 servers. These servers, managed via a web-based panel, provide operators with\r\ndetailed telemetry, including victim identifiers, IP addresses, and system details. The panel’s Delivery module\r\nstores payloads with metadata, while the Tasks module enables precise control over distribution, supporting\r\ngeographic targeting and encrypted Docker containers. Campaigns can enforce administrative privileges, anti-VM\r\ndetection, and fake error displays to evade detection.\r\nCastleLoader’s overlap with DeerStealer campaigns, where both distribute HijackLoader, suggests coordinated\r\nefforts among threat actors. Network communications further complicate attribution, as payloads are retrieved\r\nfrom legitimate file-sharing services and compromised websites. This distributed approach enhances resilience\r\nagainst takedowns. With over 400 critical victims, including government entities, CastleLoader’s impact is\r\nsignificant. PolySwarm analysts consider CastleLoader to be an emerging threat.\r\nIOCs\r\nPolySwarm has a sample of CastleLoader.\r\n05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8\r\nYou can use the following CLI command to search for all CastleLoader samples in our portal:\r\n$ polyswarm link list -f CastleLoader\r\nContact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.\r\nTopics: Threat Bulletin, Phishing, Redline, Emerging Threat, PowerShell, StealC, ClickFix, CastleLoader,\r\nGitHub, DeerStealer, malware loader, NetSupport RAT\r\nSource: https://blog.polyswarm.io/castleloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.polyswarm.io/castleloader"
	],
	"report_names": [
		"castleloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/045fd4223e4ea74fc65300aa8e0e7d48178d38d9.pdf",
		"text": "https://archive.orkl.eu/045fd4223e4ea74fc65300aa8e0e7d48178d38d9.txt",
		"img": "https://archive.orkl.eu/045fd4223e4ea74fc65300aa8e0e7d48178d38d9.jpg"
	}
}