CastleBot
CastleBot is a malware framework associated with the threat actor GrayBravo, previously tracked as TAG-150. Reporting describes it as part of a malware-as-a-service ecosystem alongside CastleLoader and CastleRAT. CastleBot comprises three components: a shellcode stager/downloader, a loader, and a core backdoor. The loader injects the core module, which then contacts command-and-control infrastructure to retrieve tasks and to download and execute additional DLL, EXE, and PE payloads. CastleBot has been used to propagate other malware, including infostealers, Rhadamanthys, and WARMCOOKIE (BadSpace). Observed delivery methods include bogus GitHub repositories and ClickFix social-engineering attacks that trick users into executing malicious commands themselves. GrayBravo activity using related tooling has targeted sectors including logistics, with campaigns also leveraging phishing, malvertising, fake software updates, and impersonation themes such as Booking.com and logistics firms. High-confidence reporting links CastleBot to GrayBravo/TAG-150 and notes that the broader ecosystem has primarily targeted U.S. victims in observed operations.
Groups observed using it
1 distinct threat actor attributed by public researchers.
They have already developed two other malware families, CastleBot and CastleLoader, which spread through bogus GitHub repositories and by using so-called ClickFix attacks that socially engineer computer users into running the malware themselves.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: The ClickFix technique, first spotted last year, uses fake login screens from popular applications and web services, telling the user they have a problem and need to fix it.
Execution
1 technique: Both versions spread by tricking users into pasting malicious commands through a technique called ClickFix, which uses fake fixes and login prompts.
Command and Control
1 technique: The criminals use Tox Chat, the encrypted comms service that is becoming the tool favored by some malware operators for command and control.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Bot malware developed by the GrayBravo threat actor, likely used for automated malicious activities.
CastleBot is a custom malware family developed by GrayBravo, likely functioning as a botnet component within their ecosystem.
CastleBot is a modular malware framework consisting of a stager/downloader, loader, and a core backdoor, used to inject modules and retrieve tasks from C2 servers.
Botnet malware used to propagate other malware such as WARMCOOKIE, likely involved in distribution and command-and-control operations.