- Four separate threat clusters use the CastleLoader Malware under a malware-as-a-service model.
- The threat group behind CastleLoader is identified as GrayBravo, known for technical sophistication and a rapidly evolving infrastructure.
- CastleLoader’s framework distributes various malware families including DeerStealer, RedLine Stealer, and NetSupport RAT.
- Distinct clusters target logistics, Booking.com-themed scams, and use malvertising campaigns.
- GrayBravo employs layered infrastructure and compromised accounts to enhance phishing campaign credibility.
In recent Cybersecurity developments, four distinct threat clusters have been observed deploying the CastleLoader malware loader. The actor responsible, designated as GrayBravo, operates under a malware-as-a-service (MaaS) model and is noted for its rapid development and complex infrastructure. These activities have been ongoing since at least March 2025.
GrayBravo, previously tracked as TAG-150, uses an advanced toolset including a remote access trojan named CastleRAT and a malware framework called CastleBot. This framework has components such as a shellcode stager, loader, and core backdoor, enabling communication with command-and-control (C2) servers to execute payloads like DLL, EXE, and PE files. CastleLoader distributes malware families such as DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and other loaders like Hijack Loader.
The four activity clusters identified each employ different tactics. Cluster 1 (TAG-160) targets the logistics sector using phishing and ClickFix (a browser auto-click technique) since March 2025. Cluster 2 (TAG-161) uses Booking.com-themed ClickFix campaigns to spread CastleLoader and Matanbuchus 3.0, active since June 2025. Cluster 3 impersonates Booking.com infrastructure, combining ClickFix and Steam Community dead drop resolvers to deliver CastleRAT through CastleLoader, also active since March 2025. Lastly, Cluster 4 leverages malvertising and fake software updates posing as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT, active since April 2025.
The operation involves a multi-tier infrastructure including victim-facing Tier 1 C2 servers linked to malware families like CastleLoader and CastleRAT, supported by multiple backup VPS servers. Notably, Cluster 1 uses compromised or fraudulent accounts on freight-matching platforms such as DAT Freight & Analytics and Loadlink Technologies to lend credibility to phishing campaigns, demonstrating industry-specific knowledge.
“GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware,” the analysis noted, highlighting the rapid adoption of these advanced tools within the cybercrime ecosystem. Further information about GrayBravo’s CastleLoader activity clusters is available in the detailed Recorded Future report.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Solana Price Weakens as On-Chain Activity Hits New Lows
- Nvidia’s China Growth Stalls Despite H200 Export Approval, Rivals Rise
- BlackRock CEO Warns Bitcoin Volatility Could Soon Intensify
- Exodus Launches Exodus Pay for Stablecoin Spending in 2026
- China Ramps Up Chip Self-Reliance Amid U.S. Tech Tensions, IPOs Surge
