Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery

Dec. 21, 2025, 7:03 p.m.

Description

The Blackpoint SOC recently responded to an incident initiated through the tried-and-true ClickFix technique, a social engineering method consistently leveraged across numerous campaigns this past year. These lures convince users to press Win + R to open the Windows Run dialog box and then enter a command presented as a harmless "human verification" step or a similar prompt. This pattern has been used repeatedly to deploy everything from information stealers to remote access trojans (RATs), and it has also become one of the primary delivery vectors for a newer loader family known as CastleLoader.

Date

  • Created: Dec. 15, 2025, 9:05 a.m.
  • Published: Dec. 15, 2025, 9:05 a.m.
  • Modified: Dec. 21, 2025, 7:03 p.m.

Indicators


Attack Patterns

  • CastleLoader
  • ClickFix

Additional Information

  • dperforms.info