CastleLoader emerged in early 2025 and has since evolved into a dynamically developing malware distribution apparatus. Recorded Future's latest analysis underscores GrayBravo's technical sophistication, the ability to promptly adapt operations after public reporting, and the growing infrastructure currently supporting multiple threat campaigns.
GrayBravo's toolkit consists of several components, including a remote access trojan dubbed CastleRAT and a modular malware framework named CastleBot. CastleBot is composed of three interconnected main elements: a shellcode stager, a loader, and a core backdoor. The loader injects the backdoor into memory, following which the malware communicates with command-and-control servers to receive instructions. These further enable downloading and executing a variety of payloads in the form of DLL, EXE, and PE files. CastleLoader has been used to distribute various well-known malware families, including RedLine Stealer, StealC, DeerStealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and other loaders, such as Hijack Loader, which demonstrates how well the CastleBot and CastleLoader combo serves as a widely useful tool.
Recorded Future's new discoveries uncover four separate operational clusters, each using CastleLoader for its purposes. One cluster, attributed to TAG-160, has been operational since March 2025, targeting the logistics industry by leveraging phishing lures and ClickFix for CastleLoader delivery. Another one, referred to as TAG-161, started its operations in June 2025 and has used Booking.com-themed ClickFix campaigns for spreading CastleLoader and Matanbuchus 3.0. One more cluster has utilized infrastructure that spoofs Booking.com, complementing the spoofing with ClickFix and leveraging Steam Community pages as dead-drop resolvers to distribute CastleRAT via CastleLoader. A fourth cluster, which has been active since April 2025, leverages malvertising and fake update notices posing as Zabbix and RVTools for delivering CastleLoader together with NetSupport RAT.
The actor's infrastructure spans from victim-facing command-and-control servers attributed to CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE to several other VPS servers, presumably held as spares. Of special interest are the TAG-160 operations, which feature the use of hijacked or fake accounts on freight-matching platforms, including DAT Freight & Analytics and Loadlink Technologies, to create rather plausible phishing messages. The customised lures suggest that the operators have extensive domain knowledge of logistics processes and related communication practices in the industry.
Recorded Future concluded that the continued expansion in the use of CastleLoader by independent threat groups testifies to how rapidly such advanced and adaptive tools can diffuse in the cybercrime ecosystem once they get credit. Supporting this trend, the recent case documented by the researchers at Blackpoint involved a Python-based dropper chain in which the attackers used ClickFix to download an archive, stage files in the AppData directory, and execute a Python stager that rebuilt and launched a CastleLoader payload. Continued evolution of these delivery methods shows that the malware-as-a-service model behind CastleLoader is really enabling broader and more sophisticated operations through multiple threat actors.
