{
	"id": "080a3902-d627-41fa-8986-bc94ac38339a",
	"created_at": "2026-04-06T00:14:48.965119Z",
	"updated_at": "2026-04-10T03:22:00.655342Z",
	"deleted_at": null,
	"sha1_hash": "ea1dea924ed3c168a5e4449df4fc44c3d6876a1f",
	"title": "CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing – Cypro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61155,
	"plain_text": "CastleLoader Malware Infects 469 Devices Using Fake GitHub\r\nRepos and ClickFix Phishing – Cypro\r\nBy by Christian Yng\r\nPublished: 2025-07-24 · Archived: 2026-04-05 23:49:08 UTC\r\nWe value your privacy\r\nWe use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic.\r\nBy clicking \"Accept All\", you consent to our use of cookies.\r\nCustomize Consent Preferences\r\nWe use cookies to help you navigate efficiently and perform certain functions. You will find detailed information\r\nabout all cookies under each consent category below.\r\nThe cookies that are categorized as \"Necessary\" are stored on your browser as they are essential for enabling the\r\nbasic functionalities of the site. ... \r\nAlways Active\r\nNecessary cookies are required to enable the basic features of this site, such as providing secure log-in or\r\nadjusting your consent preferences. These cookies do not store any personally identifiable data.\r\nCookie\r\ncookieyes-consent\r\nDuration\r\n1 year\r\nDescription\r\nCookieYes sets this cookie to remember users' consent preferences so that their preferences are respected\r\non subsequent visits to this site. It does not collect or store any personal information about the site visitors.\r\nCookie\r\n_GRECAPTCHA\r\nDuration\r\n5 months 27 days\r\nDescription\r\nhttps://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nPage 1 of 7\n\nGoogle Recaptcha service sets this cookie to identify bots to protect the website against malicious spam\r\nattacks.\r\nFunctional cookies help perform certain functionalities like sharing the content of the website on social media\r\nplatforms, collecting feedback, and other third-party features.\r\nCookie\r\nlidc\r\nDuration\r\n1 day\r\nDescription\r\nLinkedIn sets the lidc cookie to facilitate data center selection.\r\nCookie\r\nUserMatchHistory\r\nDuration\r\n1 month\r\nDescription\r\nLinkedIn sets this cookie for LinkedIn Ads ID syncing.\r\nCookie\r\nli_gc\r\nDuration\r\n5 months 27 days\r\nDescription\r\nLinkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.\r\nAnalytical cookies are used to understand how visitors interact with the website. These cookies help provide\r\ninformation on metrics such as the number of visitors, bounce rate, traffic source, etc.\r\nCookie\r\n_ga\r\nDuration\r\nhttps://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nPage 2 of 7\n\n1 year 1 month 4 days\r\nDescription\r\nGoogle Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the\r\nsite's analytics report. The cookie stores information anonymously and assigns a randomly generated\r\nnumber to recognise unique visitors.\r\nCookie\r\n_gid\r\nDuration\r\n1 day\r\nDescription\r\nGoogle Analytics sets this cookie to store information on how visitors use a website while also creating an\r\nanalytics report of the website's performance. Some of the collected data includes the number of visitors,\r\ntheir source, and the pages they visit anonymously.\r\nCookie\r\n_ga_*\r\nDuration\r\n1 year 1 month 4 days\r\nDescription\r\nGoogle Analytics sets this cookie to store and count page views.\r\nCookie\r\n_gcl_au\r\nDuration\r\n3 months\r\nDescription\r\nGoogle Tag Manager sets the cookie to experiment advertisement efficiency of websites using their\r\nservices.\r\nCookie\r\nAnalyticsSyncHistory\r\nhttps://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nPage 3 of 7\n\nDuration\r\n1 month\r\nDescription\r\nLinkedin set this cookie to store information about the time a sync took place with the lms_analytics\r\ncookie.\r\nCookie\r\nCONSENT\r\nDuration\r\n2 years\r\nDescription\r\nYouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.\r\nPerformance cookies are used to understand and analyze the key performance indexes of the website which helps\r\nin delivering a better user experience for the visitors.\r\nCookie\r\n_gat\r\nDuration\r\n1 minute\r\nDescription\r\nGoogle Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.\r\nAdvertisement cookies are used to provide visitors with customized advertisements based on the pages you visited\r\npreviously and to analyze the effectiveness of the ad campaigns.\r\nCookie\r\ntest_cookie\r\nDuration\r\n15 minutes\r\nDescription\r\ndoubleclick.net sets this cookie to determine if the user's browser supports cookies.\r\nhttps://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nPage 4 of 7\n\nCookie\r\nli_sugr\r\nDuration\r\n3 months\r\nDescription\r\nLinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements\r\non the website more relevant.\r\nCookie\r\nbcookie\r\nDuration\r\n1 year\r\nDescription\r\nLinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.\r\nCookie\r\nbscookie\r\nDuration\r\n1 year\r\nDescription\r\nLinkedIn sets this cookie to store performed actions on the website.\r\nCookie\r\nYSC\r\nDuration\r\nsession\r\nDescription\r\nYoutube sets this cookie to track the views of embedded videos on Youtube pages.\r\nCookie\r\nVISITOR_INFO1_LIVE\r\nhttps://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nPage 5 of 7\n\nDuration\r\n5 months 27 days\r\nDescription\r\nYouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player\r\ninterface.\r\nCookie\r\nIDE\r\nDuration\r\n1 year 24 days\r\nDescription\r\nGoogle DoubleClick IDE cookies store information about how the user uses the website to present them\r\nwith relevant ads according to the user profile.\r\nCookie\r\nyt-remote-device-id\r\nDuration\r\nnever\r\nDescription\r\nYouTube sets this cookie to store the user's video preferences using embedded YouTube videos.\r\nCookie\r\nyt.innertube::requests\r\nDuration\r\nnever\r\nDescription\r\nYouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has\r\nseen.\r\nCookie\r\nyt.innertube::nextId\r\nhttps://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nPage 6 of 7\n\nDuration\r\nnever\r\nDescription\r\nYouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has\r\nseen.\r\nCookie\r\nyt-remote-connected-devices\r\nDuration\r\nnever\r\nDescription\r\nYouTube sets this cookie to store the user's video preferences using embedded YouTube videos.\r\nOther uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.\r\nCookie\r\nVISITOR_PRIVACY_METADATA\r\nDuration\r\n5 months 27 days\r\nDescription\r\nDescription is currently not available.\r\nPowered by\r\nSource: https://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nhttps://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cypro.se/2025/07/24/castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing/"
	],
	"report_names": [
		"castleloader-malware-infects-469-devices-using-fake-github-repos-and-clickfix-phishing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea1dea924ed3c168a5e4449df4fc44c3d6876a1f.pdf",
		"text": "https://archive.orkl.eu/ea1dea924ed3c168a5e4449df4fc44c3d6876a1f.txt",
		"img": "https://archive.orkl.eu/ea1dea924ed3c168a5e4449df4fc44c3d6876a1f.jpg"
	}
}