GrayBravo
GrayBravo, formerly tracked as TAG-150, is a financially motivated malware-as-a-service (MaaS) threat actor active since at least March 2025. Recorded Future’s Insikt Group identified GrayBravo as the developer behind the custom malware families CastleLoader, CastleRAT, and CastleBot. The group is characterized in reporting as technically sophisticated, with rapid development cycles, responsiveness to public reporting, and an expansive, evolving, multi-layered infrastructure.

GrayBravo primarily targets the United States, with reported targeting of U.S. government agencies, critical infrastructure, IT firms, logistics companies, and financial services organizations. Multiple activity clusters have been documented within the CastleLoader ecosystem, including TAG-160 and TAG-161. TAG-160 targets the logistics sector using phishing and ClickFix techniques, including impersonation of logistics firms and abuse of freight-matching platforms such as DAT Freight & Analytics and Loadlink Technologies. TAG-161 uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus. Other GrayBravo activity has used malvertising, fake software updates, bogus GitHub repositories, cracked software and pirated media lures, and fake CAPTCHA or Cloudflare verification-style ClickFix prompts.

CastleLoader is GrayBravo’s modular loader and is operated as part of a MaaS ecosystem. It has been used to compromise hundreds of U.S. devices and to deliver a wide range of secondary payloads, including LummaC2/LummaStealer, StealC, RedLine, Rhadamanthys, DeerStealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, Hijack Loader, and zgRAT. Reported CastleLoader tradecraft includes NSIS installers, embedded Python runtimes, AES-encrypted payloads, in-memory shellcode execution via VirtualAlloc and RtlMoveMemory, heavy obfuscation, junk padding to evade sandbox limits, geofencing checks, use of fake GitHub repositories, and masquerading as legitimate software such as vc_redist.x86.exe. AutoIt-based CastleLoader variants have also been reported, including versions used in LummaStealer campaigns.

CastleRAT is GrayBravo’s remote access trojan and has been observed in both Python and C variants. The Python variant is also referred to as PyNightshade or NightshadeC2. Reported capabilities include system data exfiltration, remote command execution, file download and execution, interactive shell access, additional payload deployment, keystroke logging, screenshot capture, browser credential and cookie theft, and cryptocurrency clipping. CastleRAT uses a custom binary protocol with RC4 encryption and hard-coded keys, and some variants query ip-api[.]com for victim geolocation and network details. Reporting also describes CastleRAT delivery through CastleLoader and use of Steam profile dead drop resolvers to hide command-and-control infrastructure.

GrayBravo maintains redundant, overlapping infrastructure, including victim-facing command-and-control servers and backup VPS nodes. Reporting notes shared RC4 keys across CastleRAT infrastructure, simultaneous victim communication with multiple C2 servers, typosquatted and re-registered domains, compromised infrastructure, and overlap between CastleLoader infrastructure and Lumma operations.

Some reporting assesses the operators as likely Russian-speaking, and historical infrastructure and certificate artifacts are described as consistent with Russian-speaking operators. Known aliases and related designations include GrayBravo and TAG-150. Known sub-groups or activity clusters directly mentioned in reporting include TAG-160 and TAG-161.
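Two of the CastleRAT behaviours described above, geolocation lookups to ip-api[.]com and the use of Steam profile pages as dead drop resolvers, are visible in ordinary endpoint network telemetry without any malware-specific indicator. The following Python script is an added example, not code from the original profile, from Recorded Future, or from Mallory: it replays constructed telemetry records through a small behavioural check. The record layout, the process allow-lists, the rundll32/vc_redist process names in the sample data, and the severity rule are all assumptions made for the example; none of the sample values are indicators from the reporting.

```python
"""
Added example (not from the original profile or any vendor tool): flag hosts
whose non-browser processes perform ip-api[.]com geolocation lookups or fetch
Steam community profile pages, two behaviours reported for CastleRAT.
Field layout, allow-lists and sample records are assumptions/constructed.
"""
from collections import defaultdict
import re

# Assumed: processes that legitimately talk to these services. Anything else
# contacting them is the heuristic; tune these lists to your own estate.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
STEAM_PROCESSES = {"steam.exe", "steamwebhelper.exe"}

# Assumed record layout (one constructed record per line):
# <timestamp> host=<name> pid=<n> image=<process path> dst=<hostname> path=<url path>
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S*)$"
)

# Constructed telemetry, not real traffic. Steam IDs and hosts are made up.
SAMPLE_TELEMETRY = [
    "2025-09-01T10:00:01Z host=ws-17 pid=4120 image=C:\\Windows\\System32\\rundll32.exe dst=ip-api.com path=/json/",
    "2025-09-01T10:00:03Z host=ws-17 pid=4120 image=C:\\Windows\\System32\\rundll32.exe dst=steamcommunity.com path=/profiles/76561199000000000",
    "2025-09-01T10:01:00Z host=ws-22 pid=880 image=chrome.exe dst=ip-api.com path=/json/",
    "2025-09-01T10:02:00Z host=ws-31 pid=2208 image=steam.exe dst=steamcommunity.com path=/id/someuser",
    "2025-09-01T10:03:00Z host=ws-40 pid=5500 image=C:\\Users\\a\\AppData\\Local\\Temp\\vc_redist.x86.exe dst=steamcommunity.com path=/profiles/76561199000000001",
]


def parse_record(line):
    """Parse one telemetry line into a dict, or return None if it is malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["image"] = rec["image"].lower()
    rec["dst"] = rec["dst"].lower()
    return rec


def classify(rec):
    """Return a finding label for a single record, or None if it looks benign."""
    image = rec["image"].rsplit("\\", 1)[-1]  # basename of the process path
    dst, path = rec["dst"], rec["path"]
    if dst == "ip-api.com" and image not in BROWSER_PROCESSES:
        # Reported: some CastleRAT variants query ip-api[.]com for geolocation.
        return "geoip_lookup_non_browser"
    if (dst == "steamcommunity.com"
            and path.startswith(("/profiles/", "/id/"))
            and image not in BROWSER_PROCESSES | STEAM_PROCESSES):
        # Reported: Steam profile pages abused as dead drop resolvers for C2.
        return "steam_profile_dead_drop"
    return None


def detect(lines):
    """Group findings by host; a host showing both behaviours is escalated."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        label = classify(rec)
        if label:
            findings[rec["host"]].add(label)
    return {
        host: {
            "labels": sorted(labels),
            "severity": "high" if len(labels) > 1 else "medium",
        }
        for host, labels in findings.items()
    }


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_TELEMETRY).items():
        print(host, finding["severity"], ", ".join(finding["labels"]))
```

On the constructed sample, ws-17 is raised to high because one process both geolocates itself and pulls a Steam profile, while the browser and Steam client traffic on ws-22 and ws-31 produces no finding. The allow-list approach deliberately trades some false positives (legitimate tooling that calls ip-api.com) for not depending on domains or hashes that the operator can rotate, which matters for an actor whose reporting stresses rapid infrastructure turnover.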
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Uses shared backend infrastructure associated with the domain serialmenot[.]com for CastleLoader operations; DinDoor shows behavioral overlap with this activity cluster.
Attributed with using serialmenot[.]com as backend infrastructure for CastleLoader and discussed as a likely operator pattern in a financially themed targeting context.
A Russian malware-as-a-service-associated activity cluster whose CastleRAT builds were deployed against Israeli targets and used within the broader ChainShell-linked operation.
Operates CastleLoader as a malware-loader-as-a-service platform, using newly registered C2 infrastructure, fraudulent EV code-signing certificates, and NSIS+embedded Python delivery to deploy secondary payloads such as LummaC2, StealC, RedLine, Rhadamanthys, DeerStealer, NetSupport RAT, and SectopRAT. The activity targets U.S. government agencies, critical infrastructure, IT firms, and logistics companies.