{
	"id": "d4c6989e-288c-4790-a35c-d1a4c409b685",
	"created_at": "2026-04-06T00:16:34.277854Z",
	"updated_at": "2026-04-12T02:21:16.621496Z",
	"deleted_at": null,
	"sha1_hash": "2a38cc6d2a5c5fbf3d74592a5fe9a1865d96b97b",
	"title": "Dissecting the CastleBot Malware-as-a-Service operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2994010,
	"plain_text": "Dissecting the CastleBot Malware-as-a-Service operation\r\nBy Golo Mühr\r\nPublished: 2025-08-06 · Archived: 2026-04-05 19:59:36 UTC\r\nIBM X-Force has been investigating a newly emerging malware framework named CastleBot. The malware is believed to be\r\npart of a Malware-as-a-Service (MaaS) operation and is specifically designed for flexible malware deployment. CastleBot is\r\ncurrently used by cyber criminals to deliver everything from infostealers to backdoors like NetSupport and WarmCookie,\r\nwhich have been linked to ransomware attacks.\r\nWhat makes CastleBot particularly concerning is how it's being distributed: most often through trojanized software installers\r\ndownloaded from fake websites, luring unsuspecting users into launching the infection themselves. This technique is part of\r\na growing trend X-Force is observing. It is often enabled through SEO poisoning, which causes malicious pages to rank\r\nhigher in search engines than legitimate software distributors. Once inside, CastleBot runs through a three-stage process: a\r\nstager/downloader, a loader and a core backdoor, which requests a set of tasks from its command and control (C2) server.\r\nInformation gathered from the infected machine allows operators to easily filter victims, manage ongoing infections and\r\ndeploy malware to high-value targets with precision.\r\nCastleBot is still evolving, and our research shows it's likely just getting started. 
In this report, we break down how it works,\r\nhow it spreads, and why it matters.\r\nKey findings:\r\nCastleBot is a new malware likely operated as a Malware-as-a-Service, which can be used to deliver a wide range of\r\nmalicious payloads\r\nFollow-on payloads range from infostealers to backdoors linked to ransomware attacks, such as NetSupport and\r\nWarmCookie\r\nX-Force observed trojanized software installers as the most common infection vector to deliver CastleBot\r\nThe CastleBot framework encompasses three components: a stager, a loader and a core, and appears to be under active\r\ndevelopment\r\nThe malware seems to allow operators to easily filter victims, update payloads and manage multiple campaigns\r\nthroughout their lifecycle\r\nOverview\r\nCastleBot first appeared in early 2025. X-Force noted an increase in the volume of samples and different payloads starting in\r\nMay, and has since observed the deployment of various backdoor and infostealer payloads. CastleBot's most common\r\ninfection vector is trojanized software, which is part of a trend X-Force has continued to observe since 2024. Trojanized software\r\npackages and installers are often distributed via fake websites using SEO poisoning to attract victims. CastleBot was also\r\ndistributed through GitHub repositories, impersonating legitimate software, and via the popular ClickFix technique.\r\nX-Force identified three components as part of the CastleBot malware framework: a stager, a loader and the CastleBot\r\ncore/backdoor.\r\nhttps://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation\r\nPage 1 of 24\n\nFig. 1: CastleBot infection chain\r\nNote that previous public reporting by Prodaft refers to the same malware framework as \"CastleLoader\".\r\nCastleBot stager\r\nIn most cases, the CastleBot core component is deployed via a shellcode stager, which is part of the same CastleBot\r\nmalware family. 
The stager is a lightweight shellcode payload that can be injected by any other first-stage loader. X-Force\r\nobserved various crypters used with CastleBot, including Dave, an AutoIt-based crypter, and simple crypters compiled in C.\r\nThe malware uses the DJB2 hashing algorithm to resolve necessary APIs at runtime. Before every API call, it loads the\r\ncorresponding DLL and traverses the Export Address Table (EAT) searching for the API function via pre-generated DJB2\r\nhashes. Should the export be forwarded to another DLL, the stager parses the DLL name, loads it and resolves the function\r\nvia GetProcAddress.\r\nUpon execution, the stager downloads two payloads via HTTP with the User Agent \"Googlebot\". The URL paths are similar\r\nbetween samples and address the same C2 server as the CastleBot core component.\r\nExample download URLs:\r\nhttp://173.44.141[.]89/service/download/data_3x.bin\r\nhttp://173.44.141[.]89/service/download/data_4x.bin\r\nFig. 2: Screenshot of decompiled CastleBot stager\r\nBoth payloads are decrypted via a hardcoded XOR string, in this case \"GySDoSGySDoS\" (UTF-16 encoded), revealing a\r\nPE (CastleBot core) and a shellcode stub (CastleBot Loader).\r\nThe stager then uses VirtualProtect to enable execution on the heap for the memory region storing the second decrypted\r\nshellcode payload. The latter, acting as a loader, is executed directly in memory and receives a pointer to the decrypted PE as\r\nan argument.\r\nCastleBot loader\r\nThe CastleBot Loader is a fully-featured PE loader, which begins by mapping each section of the provided PE into a new\r\nmemory region allocated using NtAllocateVirtualMemory. 
It goes on to fix any necessary relocations, resolve imports, set\r\nthe appropriate memory protection options and execute existing TLS callback functions.\r\nNotably, the loader also sets up a new LDR_DATA_TABLE_ENTRY structure and the corresponding LDR_DDAG_NODE\r\n(extended in Windows 8 and later), which are then added into the PEB_LDR_DATA doubly linked lists containing the\r\nloaded modules for each process. To EDR agents monitoring the PEB, this would make the injected payload appear more as\r\nthough it was legitimately loaded by the operating system.\r\nFig. 3: CastleBot Loader setting up LDR_DATA_TABLE_ENTRY and LDR_DDAG_NODE structures and inserting into\r\nPEB_LDR_DATA module lists\r\nUnless the injected file is a DLL, the PEB's ImageBaseAddress field is also set to the base address of the injected payload.\r\nLastly, to execute the payload, CastleBot Loader executes the entry point or allocates a new console for console\r\napplications.\r\nFig. 4: CastleBot Loader main function\r\nIn the sample analyzed above, the injected payload is the x86 CastleBot backdoor\r\n(202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04).\r\nCastleBot core\r\nThe CastleBot core uses the same API resolution mechanism as the stager and loader components, except for the hashing\r\nalgorithm, which is the AP hash, developed by Arash Partow.\r\nThe backdoor begins by decrypting its configuration. Almost all strings throughout the binary, including those part of\r\nthe configuration, are stored as UTF-16 and decrypted inline via a unique 4-byte XOR key for each string. 
During\r\ndecryption, the following configuration struct is created:\r\nstruct CONFIG {\r\n    wchar_t *p_campaign_id;             // 81a16c72f9c9f4ea94d68b609c78f72d4a8725e7b8f6949b12d8871b6c6843e3\r\n    int size_utf16_campaign_id;\r\n    int size_utf8_campaign_id;\r\n    wchar_t *p_URL;                     // http://173.44.141[.]89/service\r\n    int size_utf16_URL;\r\n    int size_utf8_URL;\r\n    wchar_t *p_useragent;               // fTniXgvddlgotdAXke2CRZy\r\n    int size_utf16_useragent;\r\n    int size_utf8_useragent;\r\n    wchar_t *p_mutex_name;              // 10KCnWHtIoABhkL2Cl3u\r\n    int size_utf16_mutex_name;\r\n    int size_utf8_mutex_name;\r\n    DATA_BUFFER_STRUCT *p_chacha_key;   // 0x84fda801005fdd07340a1ca6d8a351adc6cfe9e39ffe7498a0955209ad2f7978\r\n    int zero_34;\r\n    DATA_BUFFER_STRUCT *p_chacha_nonce; // 0x0b5ac47bfeeaf4af61726a5c\r\n    int zero_3C;\r\n};\r\nThe malware attempts to create a mutex, using the name from the config, to ensure only a single instance is running. In the\r\nnext step, it sends an HTTP GET request to the hardcoded URL to retrieve its settings, using the campaign ID in the URL\r\npath:\r\nGET /service/settings/81a16c72f9c9f4ea94d68b609c78f72d4a8725e7b8f6949b12d8871b6c6843e3 HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nUser-Agent: fTniXgvddlgotdAXke2CRZy\r\nHost: 173.44.141[.]89\r\nIn response, CastleBot receives a block of encrypted data.\r\nC2 communication\r\nAll C2 communication is encrypted via the symmetric ChaCha algorithm, apart from the malware's initial GET request.\r\nAfter decryption, the C2 protocol uses a serialized custom data structure, internally referred to as a container, which can store\r\nvalues of different types.\r\nSerialized containers\r\nAt the root of the serialized data structure is always a field of type ContainerFieldArray. 
The structures below further define\r\nhow array and bool types are set up:\r\nenum ContainerFieldType {\r\n    CONTAINER_FIELD_TYPE_NONE,\r\n    CONTAINER_FIELD_TYPE_BOOL,\r\n    CONTAINER_FIELD_TYPE_UINT8,\r\n    CONTAINER_FIELD_TYPE_INT8,\r\n    CONTAINER_FIELD_TYPE_UINT16,\r\n    CONTAINER_FIELD_TYPE_INT16,\r\n    CONTAINER_FIELD_TYPE_UINT32,\r\n    CONTAINER_FIELD_TYPE_INT32,\r\n    CONTAINER_FIELD_TYPE_UINT64,\r\n    CONTAINER_FIELD_TYPE_INT64,\r\n    CONTAINER_FIELD_TYPE_STRINGA,\r\n    CONTAINER_FIELD_TYPE_STRINGW,\r\n    CONTAINER_FIELD_TYPE_BLOB,\r\n    CONTAINER_FIELD_TYPE_ARRAY\r\n};\r\nstruct FIELD_NAME {\r\n    WORD fieldname_len;\r\n    wchar fieldname[];\r\n};\r\nstruct CONTAINER_FIELD_ARRAY {\r\n    ContainerFieldType type;\r\n    FIELD_NAME field_name;\r\n    SIZE_T size;\r\n    union {\r\n        CONTAINER_FIELD_NONE none;\r\n        CONTAINER_FIELD_BOOL bool;\r\n        CONTAINER_FIELD_UINT8 uint8;\r\n        CONTAINER_FIELD_INT8 int8;\r\n        CONTAINER_FIELD_UINT16 uint16;\r\n        CONTAINER_FIELD_INT16 int16;\r\n        CONTAINER_FIELD_UINT32 uint32;\r\n        CONTAINER_FIELD_INT32 int32;\r\n        CONTAINER_FIELD_UINT64 uint64;\r\n        CONTAINER_FIELD_INT64 int64;\r\n        CONTAINER_FIELD_STRINGA stringa;\r\n        CONTAINER_FIELD_STRINGW stringw;\r\n        CONTAINER_FIELD_BLOB blob;\r\n        CONTAINER_FIELD_ARRAY array;\r\n    };\r\n};\r\nstruct CONTAINER_FIELD_BOOL {\r\n    ContainerFieldType type; // CONTAINER_FIELD_TYPE_BOOL=0x01\r\n    FIELD_NAME field_name;\r\n    BYTE bool;\r\n};\r\nWhen parsing the decrypted container defining the settings requested by the backdoor, the data starts with the byte 0x0D,\r\nindicating the type ContainerFieldArray. That byte is followed by the field name, which itself is the 2-byte length followed\r\nby the UTF-16 encoded name. 
After the name, an array field defines a 4-byte length of the data, followed by the data itself,\r\nwhich again starts with the first byte defining the type.\r\nCastleBot settings container\r\nThe settings received by the sample analyzed above are parsed as follows.\r\nSerialized data:\r\n00000000  0d 08 00 72 00 6f 00 6f 00 74 00 89 00 00 00 0d  |...r.o.o.t......|\r\n00000010  10 00 73 00 65 00 74 00 74 00 69 00 6e 00 67 00  |..s.e.t.t.i.n.g.|\r\n00000020  73 00 72 00 00 00 01 18 00 72 00 75 00 6e 00 5f  |s.r......r.u.n._|\r\n00000030  00 61 00 73 00 5f 00 61 00 64 00 6d 00 69 00 6e  |.a.s._.a.d.m.i.n|\r\n00000040  00 00 01 0e 00 61 00 6e 00 74 00 69 00 5f 00 76  |.....a.n.t.i._.v|\r\n00000050  00 6d 00 00 01 1e 00 70 00 72 00 65 00 76 00 65  |.m.....p.r.e.v.e|\r\n00000060  00 6e 00 74 00 5f 00 72 00 65 00 73 00 74 00 61  |.n.t._.r.e.s.t.a|\r\n00000070  00 72 00 74 00 00 01 1e 00 73 00 68 00 6f 00 77  |.r.t.....s.h.o.w|\r\n00000080  00 5f 00 66 00 61 00 6b 00 65 00 5f 00 65 00 72  |._.f.a.k.e._.e.r|\r\n00000090  00 72 00 6f 00 72 00 00                          |.r.o.r..|\r\nDeserialized object:\r\nroot: {\r\n    settings: {\r\n        run_as_admin: False,\r\n        anti_vm: False,\r\n        prevent_restart: False,\r\n        show_fake_error: False,\r\n    }\r\n}\r\nFor each enabled setting, the following actions are performed by CastleBot:\r\nrun_as_admin: The malware re-launches its parent process as \"cmd.exe /c \u003cparent_process\u003e\" through ShellExecuteW with the \"runas\"\r\nverb, so that it runs as Administrator.\r\nanti_vm: CastleBot will use the cpuid instruction with the 0x40000000 leaf to attempt to detect hypervisor environments. If\r\neither VMware or Parallels is discovered, the malware will exit.\r\nprevent_restart: CastleBot will create a new hidden file in %PROGRAMDATA% with the name matching the mutex name\r\nembedded in the configuration. 
If the file already exists, the malware will exit.\r\nshow_fake_error: The malware displays a message box \"System Error\" with the message \"The program can't start because\r\nVCRUNTIME140.dll is missing from your computer. Try reinstalling the program to fix this problem.\"\r\nHost enumeration\r\nIn the next step, CastleBot gathers information on the infected host to register with the C2 server and request tasks.\r\nUsername via GetUserNameW\r\nNetBIOS name via GetComputerNameW\r\nSystem architecture via IsWow64Process\r\nLocal DNS domain name, by using LsaQueryInformationPolicy to retrieve the PolicyDnsDomainInformation\r\nstructure. Default value is \"WORKGROUP\".\r\nVolume serial number retrieved via GetVolumeInformationW. CastleBot uses it to calculate a unique victim ID using\r\na linear congruential generator (LCG) with a multiplier of 0x41C64E6D and an addend of 0x3039.\r\nWindows version via RtlGetVersion and GetSystemMetrics(89) (SM_SERVERR2)\r\nThe information is compiled into the object below, followed by serialization and ChaCha encryption:\r\nroot: {\r\n    information: {\r\n        access_key: \"fTniXgvddlgotdAXke2CRZy\",\r\n        campaign_identifier: \"81a16c72f9c9f4ea94d68b609c78f72d4a8725e7b8f6949b12d8871b6c6843e3\",\r\n        machine_id: \u003ccalculated_victim_id\u003e,\r\n        build_version: \"1.0\",\r\n        username: \u003cusername\u003e,\r\n        computer_name: \u003cNetBIOS name\u003e,\r\n        domain_name: \u003clocal DNS domain name\u003e,\r\n        windows_version: \u003cWindows version\u003e,\r\n        arch: \u003csystem architecture\u003e,\r\n    }\r\n}\r\nThe hardcoded values are the access key (identical to the User-Agent from the configuration), the campaign identifier and\r\nthe CastleBot build version, which is \"1.0\" for the analyzed sample.\r\nThe backdoor sends the encrypted data in an HTTP POST request to\r\nhttp://173.44.141[.]89/service/tasks\r\nThe response is 
a larger encrypted container bearing CastleBot's pre-configured tasks.\r\nCastleBot tasks container\r\nThe container received from the C2 server by the analyzed CastleBot sample is decrypted and deserialized into an object\r\nwith the following fields:\r\nroot: {\r\n    access_key: \"fTniXgvddlgotdAXke2CRZy\",\r\n    tasks: {\r\n        {\r\n            id: 16,\r\n            url: \"http://173.44.141[.]89/service/download/docusign2.exe\",\r\n            install_path: \"%TEMP%\\docusign-auth2.exe\",\r\n            launch_method: 1,\r\n            argument: \"\",\r\n            run_as_admin: False,\r\n            startup_method: 1,\r\n            is_encrypted_container: False,\r\n            container_encryption_key: \"\",\r\n            auto_unpack_zip: False,\r\n            zip_executable_files: {},\r\n        }\r\n    }\r\n}\r\nThe \"tasks\" field is a custom type of array as detailed above, containing at least one unnamed array (zero-length name), each\r\nrepresenting a task. CastleBot may also receive an array with multiple tasks to be carried out one after the other. 
Each task\r\ncontains an ID and several fields detailing how the task is to be executed, which are copied into a task structure during\r\ndeserialization.\r\nTask execution\r\nThe most important field in each task is the \"launch_method\", which determines the type of payload to be handled by\r\nCastleBot.\r\nLaunch method | Payload | Execution\r\n1 | EXE downloaded from URL | Via CreateProcessW or ShellExecuteW\r\n2 | DLL downloaded from URL | Via ShellExecuteW and rundll.exe\r\n3 | DLL downloaded from URL | Via LoadLibraryW\r\n4 | PE downloaded from URL | Injected into new process\r\n5 | PowerShell command in the \"argument\" field | Via ShellExecuteW\r\n6 | BAT command in the \"argument\" field | Via ShellExecuteW\r\nThe other fields may be used to set specific options for the task execution:\r\nField name | Description\r\nid | Unique task ID, used to report back successful execution to the C2 server\r\nurl | URL to retrieve payload. Payloads are often hosted on the C2 server at http://\u003ccastlebot_c2\u003e/service/download/\u003cpayload_name\u003e\r\ninstall_path | Target path for process injection, which may contain environment variables, or simply \":SELF:\" which injects the payload into a duplicate of the parent process.\r\nargument | Arguments for processes in install_path, or commands for PowerShell/BAT execution\r\nrun_as_admin | If set, executions via ShellExecuteW will use the \"runas\" verb.\r\nstartup_method | If set to \"1\", persistence is created for the payload via a scheduled task triggered at every logon. 
\r\nis_encrypted_container | If set, the payload downloaded from the URL is RC4-decrypted and parsed as another container to retrieve the task's payload.\r\ncontainer_encryption_key | RC4 key used with the encrypted container.\r\nauto_unpack_zip | If set, the payload is treated as a ZIP file and manually extracted.\r\nzip_executable_files | A list of target files in the ZIP archive which are to be executed according to the launch method.\r\nwow64_bypass | An option only added recently, to specify whether 32-bit system binaries should be launched instead.\r\nProcess injection\r\nCastleBot supports simple process injection for PE payloads. It begins by creating a new suspended process, based on the\r\ninstall path and argument fields. In order to work on Windows 11 24H2 and later, the malware developers chose to hook\r\nNTDLL's NtManageHotPatch function in memory to bypass the newly added memory check. See Hasherezade's post for\r\nmore details, which also provides the exact POC implementation used by CastleBot:\r\nFig. 5: CastleBot hooking NtManageHotPatch\r\nThe rest of the process injection follows common injection techniques by allocating memory in the target process, writing\r\nthe sections into the buffer and modifying the thread context before resuming execution.\r\nFig. 6: CastleBot process injection\r\nPersistence\r\nIf the startup method field is set to \"1\", CastleBot establishes persistence by creating a scheduled task. To register the task,\r\nthe malware uses the ITaskService COM interface to connect to the Task Scheduler service. 
It creates a new task and an\r\nexecute action for the target payload, which is triggered every time the current user logs on (TASK_TRIGGER_LOGON).\r\nTask completion\r\nEach task in the \"tasks\" container is handled iteratively according to its specified fields. Once a task has been completed\r\nwithout errors, the malware reports back the successful execution via an HTTP GET request to:\r\nhttp://\u003cc2_server\u003e/service/tasks/complete/id/\u003ctask_id\u003e\r\nJuly 2025 updates\r\nX-Force observed an updated CastleBot core variant, supporting new launch methods and an option called\r\n\"wow64_bypass\", used to specifically launch 32-bit system binaries in the SysWOW64 folder.\r\nLaunch method | Payload | Execution\r\n1 | EXE downloaded from URL | Via CreateProcessW or ShellExecuteW\r\n2 | DLL downloaded from URL | Via ShellExecuteW and rundll.exe\r\n3 | DLL downloaded from URL | Via ShellExecuteW and regsvr32.exe\r\n4 | DLL downloaded from URL | Via LoadLibraryW\r\n5 | PE downloaded from URL | Injected into new process via old mechanism\r\n6 | PE downloaded from URL | Injected into new process via PE Loader\r\n7 | PowerShell command in the \"argument\" field | Via ShellExecuteW\r\n8 | BAT command in the \"argument\" field | Via ShellExecuteW\r\n9 | MSI downloaded from URL | Via ShellExecuteW and msiexec.exe\r\nThe additional process injection implementation (launch method 6) writes both the CastleBot Loader component (see\r\nanalysis section above) as well as the PE payload into the target process. It then uses QueueUserAPC and ResumeThread to\r\ntransfer execution to the loader, which properly loads the PE payload into memory and executes it.\r\nFig. 
7: Process injection via QueueUserAPC\r\nThis technique uses significantly fewer WriteProcessMemory API calls and provides a more complete loading functionality\r\nfrom the CastleBot Loader stub.\r\nCampaigns and payloads\r\nCastleBot's main objective is to enable the deployment of secondary payloads onto victim machines. X-Force uncovered\r\nseveral different payloads distributed by CastleBot, often with multiple payloads in a single campaign. Payloads vary in\r\nsophistication, from commodity infostealers to more capable backdoors such as NetSupport or WarmCookie, which have\r\nbeen linked to ransomware attacks.\r\nThe CastleBot MaaS framework appears to allow operators to filter infected machines and easily update payloads to manage\r\nmultiple active campaigns with great flexibility, according to Prodaft's analysis and screenshots of the C2 panel. With the\r\nfluidity of payloads and the operator's ability to add multiple tasks and payloads to a single campaign, CastleBot infection\r\nchains are more complex in comparison to traditionally static malware stages.\r\nX-Force does not have any evidence of a widespread advertisement of the MaaS on the dark web, which might indicate that\r\nthe service is currently only sold to a private group of affiliates.\r\nNetSupport\r\nWithout identifying the malware as its own framework, various fragments of the campaigns leading to NetSupport were\r\npublicly reported on by other researchers in June and July 2025.\r\nDomainTools observed fake DocuSign pages employing the ClickFix technique to execute a malicious PowerShell script,\r\nwhich in turn downloads CastleBot to deploy NetSupport. 
Campaign IoCs:\r\na2898897d3ada2990e523b61f3efaacf6f67af1a52e0996d3f9651b41a1c59c9: PowerShell script downloading and extracting a ZIP archive before executing \"jp2launcher.exe\"\r\nd6eea6cf20a744f3394fb0c1a30431f1ef79d6992b552622ad17d86490b7aa7b: \"msvcp14.dll\" crypted CastleBot stager DLL-sideloaded by \"jp2launcher.exe\"\r\nhttp://mhousecreative[.]com/service/: CastleBot C2 server for stager and core components\r\n5702b2a25802ff1b520c0d1e388026f8074e836d4e69c10f9481283f886fd9f4: CastleBot campaign ID\r\nhttp://mhousecreative[.]com/service/download/general_1: NetSupport download URL hosted on CastleBot C2 server\r\n2a2cd6377ad69a298af55f29359d67e4586ec16e6c02c1b8ad27c38471145569: NetSupport payload\r\nPalo Alto Networks' Unit 42 reported similar activity with websites imitating DocuSign and Okta, using ClickFix to deploy CastleBot\r\nvia the initial stager and loader components. Their report contains a partial analysis of a \"NetSupport RAT Loader\", which X-Force\r\nidentifies as the CastleBot framework. Campaign IoCs:\r\n8b2ebeff16a20cfcf794e8f314c37795261619d96d602c8ee13bc6255e951a43: PowerShell script downloading and extracting a ZIP archive before executing \"jp2launcher.exe\"\r\ncbaf513e7fd4322b14adcc34b34d793d79076ad310925981548e8d3cff886527: \"msvcp14.dll\" crypted CastleBot stager DLL-sideloaded by \"jp2launcher.exe\"\r\nhttp://80.77.23[.]48/service/: CastleBot C2 server for stager and core components\r\n5702b2a25802ff1b520c0d1e388026f8074e836d4e69c10f9481283f886fd9f4: CastleBot campaign ID\r\nWarmCookie\r\nOne of the more interesting payloads of CastleBot is the WarmCookie backdoor (aka Quickbind, BadSpace). It is likely part\r\nof a larger cyber crime ecosystem enabling ransomware attacks and was among the malware families successfully targeted\r\nby international law enforcement during Operation Endgame in 2024. 
Previously, the threat actor Hive0137 distributed\r\nWarmCookie via malicious email campaigns, though no significant activity has been observed in 2025, according to X-Force's visibility. WarmCookie is publicly tied to TA866/Asylum Ambuscade operations.\r\nThe campaign X-Force observed began in June with a weaponized ZIP archive imitating an installer for legitimate\r\nsoftware, SSMS-20.2-enu.zip (4766f5cc6501fc40c7151a0ce1c9d2cc49fca9b0b9cab2a206dd2426947e9afe). Among the\r\nlegitimate components, it contains a malicious executable SSMS_Windows.x64.exe\r\n(05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8) identified as a variant of Dave Loader, which\r\ndecrypts a payload stored within its resources. After decryption, Dave Loader injects the CastleBot backdoor\r\n(202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04), which receives the task to download and\r\nexecute a WarmCookie payload (5bca7f1942e07e8c12ecd9c802ecdb96570dfaaa1f44a6753ebb9ffda0604cb4) from\r\nhttp://173.44.141[.]89/service/download/docusign2.exe\r\nThe WarmCookie C2 server is located at:\r\n170.130.165[.]112\r\nA second sample found later in June used a similar executable, imitating an installer for Zscaler software, Zscaler-windows-4.4.0.379-installer-x64.exe (bf21161c808ae74bf08e8d7f83334ba926ffa0bab96ccac42dde418270387890). The AutoIt-compiled binary is a simple shellcode loader, executing the embedded CastleBot stager, which in turn downloads the same\r\nCastleBot backdoor binary (202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04).\r\nSandbox executions of the parent CastleBot sample indicate that the same affiliate may have dropped a StealC payload with\r\na C2 server at \"http://107.158.128[.]105/c91252f9ab114f26.php\" during the campaign; however, X-Force was not able to\r\nretrieve a sample. 
\r\nBoth campaigns use the CastleBot campaign ID\r\n\"81a16c72f9c9f4ea94d68b609c78f72d4a8725e7b8f6949b12d8871b6c6843e3\".\r\nInfostealers\r\nAdditionally, X-Force is tracking multiple CastleBot campaigns delivering various infostealers. The malware supports\r\nmultiple download tasks for any campaign, which will result in the deployment of multiple payloads on the same client. The\r\nexecutable AMD_Chipset_DriverOnly_DCH_AMD_Z_V1.2.0.105_20238.exe\r\n(e6aab1b6a150ee3cbc721ac2575c57309f307f69cd1b478d494c25cde0baaf85) loads the embedded CastleBot core payload\r\n(b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2) from its resource and executes it. Its C2\r\nserver's settings endpoint is located at\r\nhttp://62.60.226[.]73/service/settings/32e7ebb66296d22b4cf28dbe6d8dfd314590175d5fc2168609886985d6c807c1\r\nwhich was found to transmit a total of three separate tasks in a single C2 message, each deploying a different payload:\r\nTask ID: 0x16\r\nDownload URL: https[:]//google.herionhelpline[.]com/app/AcerUSBUpdate.exe\r\nPayload: 03122e46a3e48141553e7567c659642b1938b2d3641432f916375c163df819c1 (Rhadamanthys)\r\nInstall path: None\r\nLaunch method: 6\r\nTask ID: 0x17\r\nDownload URL: https[:]//google.herionhelpline[.]com/app/light1_v5_signed.html\r\nPayload: 12de997634859d1f93273e552dec855bfae440dcf11159ada19ca0ae13d53dff (Remcos)\r\nInstall path: %ProgramData%\\AmazonApp\\AmazonWebServiceUpdate.exe\r\nLaunch method: 1\r\nTask ID: 0x18\r\nDownload URL: https[:]//google.herionhelpline[.]com/app/SlackUpdateWeb.html\r\nPayload: c8f95f436c1f618a8ef5c490555c6a1380d018f44e1644837f19cb71f6584a8a (DeerStealer)\r\nInstall path: %AppData%\\SlackUpdate\\SlackServiceUpdate.exe\r\nLaunch method: 1\r\nX-Force further discovered campaigns deploying SecTopRAT (aka ArechClient), HijackLoader (aka Shadowladder) and\r\nMonsterV2 (aka Aurotun Stealer). 
\r\nSecTopRAT and HijackLoader:\r\nGlobalProtect-win-6.3.zip with executable sideloading msvcp140.dll\r\n(8bf93cef46fda2bdb9d2a426fbcd35ffedea9ed9bd97bf78cc51282bd1fb2095)\r\nCastleBot C2 server: http[:]//107.158.128[.]45/service/settings/81a16c72f9c9f4ea94d68b609c78f72d4a8725e7b8f6949b12d8871b6c6843e\r\nPayload hosted at http[:]//107.158.128[.]45/service/download/Exchanger32.zip\r\n(4834bc71fc5d3729ad5280e44a13e9627e3a82fd4db1bb992fa8ae52602825c6)\r\nMonsterV2:\r\nlibssl-1_1.dll (53dddae886017fbfbb43ef236996b9a4d9fb670833dfa0c3eac982815dc8d2a5) DLL-sideloaded,\r\nreflectively injects CastleBot stager\r\nCastleBot C2 server: http[:]//107.158.128[.]45/service/settings/8306a6b35d4be6de72be58860791e3644468fd67f675e4045a246dd27fa569\r\nPayload hosted at http[:]//107.158.128[.]45/service/download/CCver_Setup.exe\r\n(ab725f5ab19eec691b66c37c715abd0e9ab44556708094a911b84987d700aa62)\r\nConclusion\r\nCastleBot is the latest evidence of a shift in the initial infection vectors of the cyber crime threat landscape. Backdoors and\r\nMaaS frameworks are increasingly distributed through fake websites as part of trojanized software or via the ClickFix\r\ntechnique. Within a few short months since observing an increase in CastleBot activity, the developers have already added\r\nseveral new features and will likely attempt to keep up with adapting EDR and network security solutions. 
Current activity\r\nsuggests multiple affiliates making use of CastleBot to deploy both infostealers and backdoors, which may lead to high-impact ransomware incidents.\r\nDefenders are advised to remain vigilant with the techniques mentioned in this report and take the appropriate actions to\r\nmitigate the risk of a CastleBot infection.\r\nRecommendations\r\nEnsure EDR software and associated security controls are up to date\r\nTrain users to exercise extreme caution when downloading software and refrain from installing unsanctioned or\r\nunverified software\r\nImplement multi-factor authentication and monitor for leaked enterprise credentials\r\nSet up alerts or consider blocking outgoing HTTP (non-HTTPS) connections, and URLs containing IP addresses in\r\nparticular\r\nIndicators of Compromise\r\nSource: https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
	],
	"report_names": [
		"dissecting-castlebot-maas-operation"
	],
	"threat_actors": [
		{
			"id": "67ad7d52-d75e-43cb-9c57-8864949984e9",
			"created_at": "2024-08-20T02:00:04.546933Z",
			"updated_at": "2026-04-12T02:00:03.791775Z",
			"deleted_at": null,
			"main_name": "Hive0137",
			"aliases": [],
			"source_name": "MISPGALAXY:Hive0137",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-12T02:00:03.425545Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"AHK Bot",
				"WasabiSeed",
				"Screenshotter"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775960476,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a38cc6d2a5c5fbf3d74592a5fe9a1865d96b97b.pdf",
		"text": "https://archive.orkl.eu/2a38cc6d2a5c5fbf3d74592a5fe9a1865d96b97b.txt",
		"img": "https://archive.orkl.eu/2a38cc6d2a5c5fbf3d74592a5fe9a1865d96b97b.jpg"
	}
}