CastleLoader, a malware loader operated by the threat actor GrayBravo (formerly TAG‑150), is now being used by four distinct threat clusters, confirming its role as a malware‑as‑a‑service (MaaS) platform.
Key Characteristics of GrayBravo
- Emerged in early 2025.
- Known for rapid development cycles, technical sophistication, and responsive adaptation to public reporting.
- Operates an expansive, multi‑tiered infrastructure with victim‑facing C2 servers and backup VPS nodes.
- Toolset includes:
  - CastleRAT (remote access trojan).
  - CastleBot framework (shellcode stager, loader, core backdoor).
- Distributes malware families such as DeerStealer, RedLine Stealer, StealC, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and Hijack Loader.
Four Distinct Threat Clusters
| Cluster | Alias | Tactics | Active Since |
|---|---|---|---|
| 1 | TAG‑160 | Targets logistics sector via phishing & ClickFix; uses freight‑matching platforms (DAT Freight & Analytics, Loadlink) for credibility | March 2025 |
| 2 | TAG‑161 | Booking.com‑themed ClickFix campaigns; distributes CastleLoader + Matanbuchus 3.0 | June 2025 |
| 3 | — | Infrastructure impersonates Booking.com; uses ClickFix + Steam Community pages as dead drop resolvers; delivers CastleRAT | March 2025 |
| 4 | — | Malvertising & fake software updates (Zabbix, RVTools); distributes CastleLoader + NetSupport RAT | April 2025 |
Infrastructure & Techniques
- Tier 1 C2 servers tied to CastleLoader, CastleRAT, SectopRAT, WARMCOOKIE.
- Fraudulent accounts on logistics platforms used to impersonate legitimate firms.
- ClickFix technique:
  - Downloads small archives into AppData.
  - Executes bundled pythonw.exe stagers.
  - Rebuilds and launches CastleLoader payloads.
- Earlier campaigns used AutoIt scripts in ZIP archives; the actor is now shifting to Python droppers for stealth and flexibility.
Strategic Implications
- MaaS proliferation: CastleLoader is no longer exclusive to GrayBravo — multiple clusters now operational.
- Industry targeting: Logistics and transportation sectors are prime targets due to reliance on freight‑matching platforms and trusted communications.
- Adaptive tooling: GrayBravo’s infrastructure and loader framework enable rapid adoption by other actors, accelerating spread across the cybercriminal ecosystem.
Defensive Recommendations
- Monitor for ClickFix activity: suspicious archive downloads into AppData and execution of pythonw.exe.
- Detect malvertising campaigns: fake updates for Zabbix, RVTools, or Booking.com‑themed lures.
- Audit freight/logistics communications: validate sender accounts on DAT Freight & Analytics, Loadlink.
- Hunt for CastleLoader IoCs: track C2 infrastructure linked to CastleLoader, CastleRAT, SectopRAT, WARMCOOKIE.
- Segment and harden endpoints: prevent lateral movement if loaders establish persistence.
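The first recommendation above (archive drops into AppData followed by pythonw.exe execution, the ClickFix chain described under Infrastructure & Techniques) can be expressed as a small correlation rule. The script below is an added example written for this page, not code from the report or from any vendor product. The telemetry records are constructed and only loosely shaped after Sysmon event ID 1 (process create) and event ID 11 (file create); the field names (`ts`, `host`, `event`, `image`, `parent`, `cmdline`, `target`), the ten-minute correlation window and the severity labels are assumptions, chosen to make the logic clear rather than to match any particular SIEM schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (hosts, users and paths are made up), loosely
# shaped after Sysmon event ID 1 (process create) and ID 11 (file create).
SAMPLE_EVENTS = [
    # Archive written into AppData by PowerShell, then pythonw.exe launched from
    # the same AppData tree seconds later: the ClickFix pattern from the report.
    {"ts": "2025-06-01T09:00:05", "host": "WS-0142", "event": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\update.zip"},
    {"ts": "2025-06-01T09:00:09", "host": "WS-0142", "event": 1,
     "image": r"C:\Users\jdoe\AppData\Roaming\py\pythonw.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"pythonw.exe C:\Users\jdoe\AppData\Roaming\py\stage.py"},
    # Benign: a developer's system-wide Python launched from Explorer.
    {"ts": "2025-06-01T10:15:00", "host": "WS-0077", "event": 1,
     "image": r"C:\Program Files\Python312\pythonw.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"pythonw.exe C:\tools\build.py"},
    # Benign: a browser download into Downloads, not AppData.
    {"ts": "2025-06-01T11:30:00", "host": "WS-0201", "event": 11,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\asmith\Downloads\report.zip"},
]

# A path inside any user's AppData tree (Roaming or Local).
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Archive formats seen as droppers; extend as needed.
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar)$", re.IGNORECASE)
# python.exe or pythonw.exe as the final path component.
PYTHON_RE = re.compile(r"(^|\\)pythonw?\.exe$", re.IGNORECASE)
# Assumed window for linking an archive drop to a later Python launch.
WINDOW = timedelta(minutes=10)


def is_archive_drop_in_appdata(ev):
    """File-create event that writes an archive under AppData."""
    return (ev["event"] == 11
            and bool(APPDATA_RE.search(ev["target"]))
            and bool(ARCHIVE_RE.search(ev["target"])))


def is_python_from_appdata(ev):
    """Process-create of python(w).exe whose binary or script lives in AppData."""
    if ev["event"] != 1 or not PYTHON_RE.search(ev["image"]):
        return False
    return bool(APPDATA_RE.search(ev["image"])
                or APPDATA_RE.search(ev.get("cmdline", "")))


def analyse(events, window=WINDOW):
    """Return findings; a Python launch preceded by an archive drop on the
    same host within `window` is escalated to high severity."""
    findings = []
    recent_drops = {}  # host -> [(timestamp, archive path)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_archive_drop_in_appdata(ev):
            recent_drops.setdefault(ev["host"], []).append((ts, ev["target"]))
            findings.append({"host": ev["host"], "ts": ev["ts"], "severity": "low",
                             "rule": "archive_written_to_appdata",
                             "detail": f"{ev['image']} wrote {ev['target']}"})
        elif is_python_from_appdata(ev):
            related = [path for (dt, path) in recent_drops.get(ev["host"], [])
                       if timedelta(0) <= ts - dt <= window]
            findings.append({"host": ev["host"], "ts": ev["ts"],
                             "severity": "high" if related else "medium",
                             "rule": "pythonw_from_appdata",
                             "detail": (f"{ev['image']} (parent {ev.get('parent', '?')}); "
                                        f"preceding archives: {related}")})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} {f['rule']}: {f['detail']}")
```

Run against real telemetry, the archive-drop rule on its own is noisy (installers and updaters legitimately write to AppData), which is why it is kept at low severity and used mainly to escalate the Python launch; the Python rule is where the signal is, since an interpreter running from a user-writable profile directory is rare on managed endpoints.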