Cyber Web Spider Blog – News
Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure

Posted on December 9, 2025 By CWS

Dec 09, 2025Ravie LakshmananCybersecurity / Malware
4 distinct risk exercise clusters have been noticed leveraging a malware loader often called CastleLoader, strengthening the earlier evaluation that the instrument is obtainable to different risk actors underneath a malware-as-a-service (MaaS) mannequin.
The risk actor behind CastleLoader has been assigned the identify GrayBravo by Recorded Future’s Insikt Group, which was beforehand monitoring it as TAG-150.
GrayBravo is “characterised by speedy improvement cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure,” the Mastercard-owned firm stated in an evaluation printed at this time.

Some of the notable tools in the threat actor's toolset include a remote access trojan called CastleRAT and a malware framework called CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor.

The CastleBot loader is responsible for injecting the core module, which is equipped to contact its command-and-control (C2) server to retrieve tasks that allow it to download and execute DLL, EXE, and PE (portable executable) payloads. Some of the malware families distributed via this framework are DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and even other loaders like Hijack Loader.

Recorded Future's latest analysis has uncovered four clusters of activity, each operating with distinct tactics:

  • Cluster 1 (TAG-160), which targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader (active since at least March 2025)
  • Cluster 2 (TAG-161), which uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0 (active since at least June 2025)
  • Cluster 3, which uses infrastructure impersonating Booking.com along with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader (active since at least March 2025)
  • Cluster 4, which uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT (active since at least April 2025)
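Cluster 3's use of Steam Community pages as a dead drop resolver is a pattern defenders can hunt for in egress logs: the implant first fetches a public page on a legitimate site to learn the real C2 address, then connects to that address directly. The script below is an added example written for this article, not code from Recorded Future or from the malware; it runs over constructed proxy log lines (the format, hosts and IPs are invented for illustration) and flags a client that contacts the resolver host and, shortly afterwards, opens a connection to a bare IPv4 destination with no hostname.

```python
import re
from datetime import datetime

# Constructed sample proxy log lines (not from the article or Recorded Future's report):
# <ISO-8601 timestamp> <client IP> <destination host or IP> <bytes>
SAMPLE_LOG = """\
2025-03-12T09:00:01Z 10.0.0.5 steamcommunity.com 1842
2025-03-12T09:00:02Z 10.0.0.5 cdn.legit-vendor.test 2048
2025-03-12T09:00:04Z 10.0.0.5 203.0.113.77 512
2025-03-12T09:05:00Z 10.0.0.9 steamcommunity.com 2200
2025-03-12T09:30:00Z 10.0.0.9 198.51.100.14 700
2025-03-12T09:31:00Z 10.0.0.12 203.0.113.77 300
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# The article names Steam Community pages as the dead drop resolver; add other
# public-page resolvers seen in your own environment here.
DEAD_DROP_HOSTS = {"steamcommunity.com"}


def parse_log(text):
    """Return (timestamp, client, destination) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_dead_drop_followups(events, window_seconds=60):
    """Flag clients that fetch a dead-drop host and then, within window_seconds,
    connect to a bare IPv4 destination. A resolver hands back the real C2
    address, so the follow-up connection carries no hostname in the log; that
    gap is what this hunt keys on. Returns (client, resolver, dest, delay_s)."""
    per_client = {}
    for ts, client, dest in sorted(events):
        per_client.setdefault(client, []).append((ts, dest))
    hits = []
    for client, evs in per_client.items():
        for i, (ts, dest) in enumerate(evs):
            if dest not in DEAD_DROP_HOSTS:
                continue
            for ts2, dest2 in evs[i + 1:]:
                delay = (ts2 - ts).total_seconds()
                if delay > window_seconds:
                    break  # events are time-ordered, so later ones are further away
                if IPV4_RE.match(dest2):
                    hits.append((client, dest, dest2, int(delay)))
    return hits


if __name__ == "__main__":
    for client, resolver, dest, secs in find_dead_drop_followups(parse_log(SAMPLE_LOG)):
        print(f"{client}: {resolver} -> {dest} after {secs}s")
```

Treat the output as a triage lead rather than a detection: legitimate Steam clients also talk to game servers by raw IP, so tune the window to your baseline and corroborate a hit with the process that made the connection, the user agent, and whether the destination IP appears anywhere else in your telemetry.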

GrayBravo has been found to leverage a multi-tiered infrastructure to support its operations. This includes Tier 1 victim-facing C2 servers associated with malware families like CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE, as well as several VPS servers that likely function as backups.

The attacks mounted by TAG-160 are also notable for using fraudulent or compromised accounts created on freight-matching platforms like DAT Freight & Analytics and Loadlink Technologies to enhance the credibility of its phishing campaigns. The activity, Recorded Future added, illustrates a deep understanding of industry operations, impersonating legitimate logistics companies, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact.
It has been assessed with low confidence that the activity could be related to another unattributed cluster that targeted transportation and logistics companies in North America last year to distribute various malware families.
"GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware," Recorded Future said. "This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo's reputation, can quickly proliferate within the cybercriminal ecosystem once proven effective."
