CastleLoader Analysis

Aug. 13, 2025, 3:47 p.m.

Description

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and AutoIT scripts, to load shellcode into memory and connect to C2 servers. CastleLoader's modular design allows deployment of multiple payloads, including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, and SectopRAT. Its campaigns target U.S. government entities and use legitimate file-sharing services and compromised websites for payload retrieval, enhancing resilience against takedowns.

Date

  • Created: Aug. 13, 2025, 11:57 a.m.
  • Published: Aug. 13, 2025, 11:57 a.m.
  • Modified: Aug. 13, 2025, 3:47 p.m.

Attack Patterns

  • CastleLoader
  • DeerStealer
  • SectopRAT
  • HijackLoader
  • NetSupport RAT
  • Stealc
  • Redline

Additional Information

  • Government
  • United States of America