
A sophisticated malware loader known as CastleLoader has emerged as a critical threat to US government agencies and critical infrastructure organizations.
First identified in early 2025, this stealthy malware has been used as the initial access point in coordinated attacks targeting multiple sectors including federal agencies, IT firms, logistics companies, and essential infrastructure providers across North America and Europe.
Security researchers have documented that a single CastleLoader campaign impacted approximately 460 distinct organizations, with particular focus on compromising government systems in the United States.
CastleLoader operates as a multi-stage loader that delivers secondary payloads directly into system memory, making it exceptionally difficult for traditional security defenses to detect.
The malware’s primary function is to establish an initial foothold on compromised systems, after which it deploys more dangerous tools including information stealers and remote access trojans that give attackers complete control over infected networks.
The loader’s versatility and high infection rate have made it a preferred tool among threat actors seeking to compromise high-value targets while evading detection.
The attack vector for CastleLoader typically involves social engineering techniques known as ClickFix, where victims are deceived through fake software update prompts or system verification messages.
When users comply with these fake requests, they unknowingly execute malicious commands that deliver CastleLoader as the second stage of the attack chain.
This deceptive approach has proven remarkably effective at bypassing user awareness training and initial security controls.
ANY.RUN analysts and researchers noted the malware’s sophisticated architecture during their detailed investigation, identifying a carefully orchestrated execution chain designed specifically to evade modern security tools.
The analysis revealed that CastleLoader does not operate as a simple executable but instead relies on a complex layered approach that makes every stage appear relatively benign on first inspection.
This method allows the malware to distribute its malicious activity across multiple legitimate-looking processes, effectively hiding in plain sight.
Infection Chain and Evasion Mechanisms
CastleLoader’s infection mechanism represents a masterclass in stealth and obfuscation.
The malware arrives packaged as an Inno Setup installer file containing multiple components, including AutoIt3.exe and a compiled AutoIt script stored as freely.a3x.
When executed, the AutoIt script initiates the critical next phase: launching the jsc.exe process (a legitimate JScript.NET compiler) with the CREATE_SUSPENDED flag, which pauses the process immediately after creation.
While the new process is still held in this suspended state, the malware performs a refined variant of process hollowing, injecting a fully functional PE executable directly into the jsc.exe memory space.
The technique follows this sequence: first, memory is allocated within the target process using VirtualAllocEx with PAGE_EXECUTE_READWRITE permissions, allowing code execution from the newly allocated area.
Next, the malicious PE image is written into this memory region using WriteProcessMemory. The malware then extracts the PEB (Process Environment Block) address and overwrites the ImageBaseAddress field, ensuring the injected code loads at the correct memory location.
This approach differs from traditional process hollowing techniques, which typically use NtUnmapViewOfSection to remove the original process memory.
By skipping this step, CastleLoader avoids triggering detection mechanisms that monitor for this suspicious activity pattern. The final stages involve SetThreadContext to redirect execution to the injected payload’s entry point, followed by ResumeThread to begin execution.
This entire sequence keeps the malicious code confined to memory without creating suspicious artifacts on disk until initialization completes.
The result is a fully functional malware module that, once the hollowing is complete, exists only in the target process’s memory space, rendering traditional static signature-based detection ineffective.
Security monitoring tools that rely on process behavior analysis struggle because each individual component appears legitimate when examined separately.
Static file signatures, behavioral heuristics, and conventional process monitoring systems prove unable to detect this sophisticated execution model, making CastleLoader an exceptionally dangerous threat to organizations lacking modern memory-based detection capabilities and endpoint detection and response solutions.
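As an added example (not from the article or ANY.RUN’s own tooling), the following Python correlates the API sequence described above per target process over a constructed, sandbox-style API trace; the `key=value` record layout, field names and sample lines are assumptions for illustration, not real ANY.RUN output.

```python
import re
from typing import Dict, List

# Constructed sample trace (not real sandbox output). One API call per line;
# 'pid' is the caller, 'tpid' is the process being acted upon.
SAMPLE_TRACE = """\
pid=4120 proc=AutoIt3.exe api=CreateProcessW image=jsc.exe flags=CREATE_SUSPENDED tpid=5208
pid=4120 proc=AutoIt3.exe api=VirtualAllocEx tpid=5208 protect=PAGE_EXECUTE_READWRITE
pid=4120 proc=AutoIt3.exe api=WriteProcessMemory tpid=5208
pid=4120 proc=AutoIt3.exe api=NtQueryInformationProcess tpid=5208 class=ProcessBasicInformation
pid=4120 proc=AutoIt3.exe api=WriteProcessMemory tpid=5208
pid=4120 proc=AutoIt3.exe api=SetThreadContext tpid=5208
pid=4120 proc=AutoIt3.exe api=ResumeThread tpid=5208
pid=3300 proc=explorer.exe api=CreateProcessW image=notepad.exe flags=0 tpid=3388
pid=3300 proc=explorer.exe api=ResumeThread tpid=3388
"""

# The hollowing chain from the article, in the order the calls must occur.
CHAIN = ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
         "SetThreadContext", "ResumeThread"]

def parse(trace: str) -> List[Dict[str, str]]:
    """Turn each non-empty 'key=value ...' line into a dict."""
    return [dict(re.findall(r"(\w+)=(\S+)", ln)) for ln in trace.splitlines() if ln.strip()]

def detect_hollowing(trace: str) -> Dict[str, Dict[str, object]]:
    """Return {target_pid: finding} for each remote process that receives the full chain."""
    by_target: Dict[str, List[Dict[str, str]]] = {}
    for rec in parse(trace):
        if "tpid" in rec:
            by_target.setdefault(rec["tpid"], []).append(rec)
    findings: Dict[str, Dict[str, object]] = {}
    for tpid, recs in by_target.items():
        apis = [r["api"] for r in recs]
        pos = 0  # walk CHAIN in order; every step must follow the previous one
        for step in CHAIN:
            try:
                pos = apis.index(step, pos) + 1
            except ValueError:
                break
        else:
            suspended = any(r["api"] == "CreateProcessW" and "CREATE_SUSPENDED" in r.get("flags", "") for r in recs)
            rwx = any(r["api"] == "VirtualAllocEx" and r.get("protect") == "PAGE_EXECUTE_READWRITE" for r in recs)
            if suspended and rwx:
                findings[tpid] = {
                    "source": recs[0].get("proc", "?"),
                    "image": next((r["image"] for r in recs if "image" in r), "?"),
                    # The variant in the article never unmaps the original image; record that.
                    "unmap_skipped": "NtUnmapViewOfSection" not in apis,
                }
    return findings
```

Because the rule keys on the ordered call sequence plus the suspended-creation and RWX conditions rather than on an unmap call, it still fires on the variant described above, while the benign explorer.exe → notepad.exe launch in the sample is ignored.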
