CastleLoader Activity Clusters Target Multiple Industries
Dec. 21, 2025, 6:49 p.m.
Description
Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona "Sparja" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.
Tags
Date
- Created: Dec. 9, 2025, 5:39 a.m.
- Published: Dec. 9, 2025, 5:39 a.m.
- Modified: Dec. 21, 2025, 6:49 p.m.
Indicators
- cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c
- 94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a
- 202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04
- 60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0
- d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec
- 25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04
- 53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df
- 190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836
- 058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7
- 1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75
- 67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b
- 963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d
- e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928
- 1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156
- fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c
- 6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783
- b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2
- 37.230.62.235
- 91.202.233.250
- 67.217.228.198
- 185.39.19.180
- 45.134.26.41
- 45.11.183.19
- 45.11.183.165
- 195.149.146.118
- 88.214.50.83
- 194.76.227.242
- 168.100.8.84
- 185.125.50.125
- 77.83.207.55
- 185.236.20.154
- 45.135.232.149
- 31.58.87.132
- 77.90.153.43
- 79.132.131.200
- 192.109.138.102
- 87.120.93.167
- 45.11.180.174
- 85.208.84.242
- 185.208.158.250
- 64.52.80.121
- 185.39.19.164
- 31.58.50.160
- 94.141.122.164
- 185.196.9.80
- 192.109.138.103
- 77.83.207.56
- 144.208.126.50
- 91.202.233.132
- 45.61.136.81
- 178.17.57.102
- 104.225.129.171
- 185.196.9.222
- 195.85.115.44
- 147.45.177.127
- 80.77.25.239
- 94.159.113.32
- 78.153.155.131
- 85.208.84.115
- 94.159.113.123
- 185.196.10.8
- 89.185.84.211
- 45.155.249.121
- 192.124.178.74
- 178.17.57.103
- 80.77.25.88
- 178.17.57.153
- 185.156.248.24
- 45.11.183.45
- 85.192.49.6
- 185.39.19.94
- 192.153.57.125
- 185.196.11.171
- 45.11.180.198
- 45.144.53.62
- 79.132.130.148
- 185.149.146.118
- 185.39.19.181
- 80.77.25.114
- 80.64.18.245
- 85.208.84.65
- http://boiksal.com/upd.
- http://boiksal.com/upd
- https://catalyst.prodaft.com/public/report/understanding-current-castleloade
- https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview
- https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/o
- http://78.153.155.131/service/download/p2.tar
Attack Patterns
- Matanbuchus
- CastleLoader
- CastleRAT
- CastleBot
- SecTopRAT
- NetSupport RAT
- WarmCookie
- GrayBravo
Additional Information
- Logistics
- Transport
- Hospitality
- yt-ko.com
- dpeformse.com
- update-info539156.com
- pit-kp.com
- update-info4468765.com
- request-info3444.com
- itp-ce.com
- guestaformsafe.com
- vipcinemade.shop
- confirmhotelistay.com
- rol-vd.com
- site-riko.com
- guestformasafe.com
- autryjones.com
- wal-ik.com
- boiksal.com
- confirmstayon.com
- redlightninglogistics.com
- site-bila.com
- confirmhotelystay.com
- treetankists.com
- servicehotelonline.com
- roomverifiaccess.com
- miteamss.com
- guest-request64533.com
- mechiraz.com
- boikfrs.com
- update-guest4398317809.com
- rcpeformse.com
- mac-ig.com
- tdbfvgwe456yt.com
- ipk-sa.com
- guest-request44565494.com
- verifyhubguest.com
- guestverifyhub.com
- for-es.com
- rateconfirmations.com
- bestvpninfo.shop
- tradlngview-desktop.biz
- spu-cr.com
- site-filo.com
- xut-uv.com
- bdeskthebest.shop
- gabesworld.com
- jshanoi.com
- verifihubguest.com
- bioskbd.com
- roomiverifaccess.com
- guest-request677653.com
- redlightninglogisticsinc.com
- tradeviewdesktop.shop
- confirmhotelestay.com
- englandloglstics.com
- guestportalverify.com
- update-info3458421.com
- donttouchme.life
- guestformsafe.com
- bookingnewprice204167.icu
- bethschwier.com
- tenderloads.com
- mcentireinc.com
- request345553.com
- fir-vp.com
- guesutastayhotel.com
- guest-update666532345.com
- hoteliguestverify.com
- wereatwar.com
- dperforms.info
- hotelystayverify.com
- alafair.net
- pilolhotel.com
- loadsschedule.com
- kip-er.com
- vipcinemadubai.shop
- leemanlogisticsinc.com
- easyadvicesforyou.shop
- nedpihotel.com
- her-op.com
- checkistayverify.com
- trucksscheduling.com
- mrlogsol.ca
- tradview-desktop.shop
- nimbusvaults.com
- albafood.shop
- guestaverifyportal.com
- apps.englandlogistics.rateconfirmations.com
- bestproxysale.shop
- site-reto.com
- checkystayverify.com
- pinaccletruckllc.com
- chessinthenight.lol
- guestistayhotel.com
- cking.com
- starkforeveryone.lol
- dip-bo.com
- uki-fa.com
- checkinistayverify.com
- justnewdmain.com
- guest-request16433.com
- otr-gl.com
- guestverifylink.com
- funjobcollins.shop
- site-here.com
- gir-vc.com
- guest-request666543.com
- uke-sd.com
- hotelistayverify.com
- englandlogistics.com
- update-reques898665.com
- files.loadstracking.com
- cik-ed.com
- ykl-vh.com
- guestverifyportal.com
- sweetdevices.lol
- eta-cd.com
- nvldlainfoblog.shop
- notusdt.lol
- hometownlogisticsllc.com
- oldspicenotsogood.shop
- request-info4433345.com
- starshiplogisticsgroupllc.com
- donttouchthisisuseless.icu
- mcloads.com
- update-info4467.com
- dok-ol.com
- site-tiko.com
- newmessage10294.com
- guestformahub.com
- vipdubaicinema.shop
- testdomain123123.shop
- guestystayhotel.com
- speatly.com
- guestaportalverify.com
- gut-bk.com
- checkinstayverify.com
- checkinastayverify.com
- loadstracking.com
- nort-secure.shop
- campanyasoft.com
- dut-cd.com
- guestaformahub.com
- kil-it.com
- info-guest44567645.com
- guestaformhub.com
- docusign.homes
- norton-secure.shop
- bookingnewprice109034.icu
- xyt-ko.com
- confirmahotelastay.com
- notstablecoin.xyz
- gueststayhotel.com
- catalyst.prodaft.com
- roomverifaccess.com
- doyoureallyseeme.icu
- zit-fl.com
- nvidblog.shop
- kakapupuneww.com
- touchmeplease.icu
- ned-uj.com
- englanglogistlcs.com
- cut-gv.com
- confirmstayonline.com
- guesytastayhotel.com
- castlppwnd.com
- loadstrucking.com
- site-wila.com
- update-info71556.com
- anotherproject.icu
- site-sero.com
- albalk.lol
- update-info14546.com
- hotelroomprice1039375.icu
- request44456776.com
- loadsplanning.com
- guestformhub.com
- dubaialbafood.shop
- tradlngvlewdesktop.shop
- mlxfreightinc.com
- cdlfreightlogistics.com
- update-gues3429.com
- hotelyguestverify.com
- info676345677.com
- site-tilo.com
- eto-sa.com
- booking-porta.com
- confirmyhotelstay.com
- guesitastayhotel.com
- map-nv.com
- clgenetics.shop
- icantseeyou.icu
- loads.icu
- tam-cg.com
- checksstayverify.com
- programsbookss.com
- easyprintscreen.shop
- 192.109.138.0/24
- galaxioflow.com
- roject0.com
- site-silo.com
- loadplannig.com
- confirmahotelstay.com
- blkiesf.com
- United States of America