
GrayBravo Expands CastleLoader Malware Operations with Four Threat Clusters

2 unique sources, 3 articles

Summary


TAG-150, now identified as GrayBravo, has developed CastleRAT, a remote access trojan available in both Python and C variants. GrayBravo is characterized by rapid development cycles, technical sophistication, and an expansive, evolving infrastructure. The threat actor has been active since at least March 2025, using CastleLoader to deliver various secondary payloads, including other RATs, information stealers, and loaders. CastleRAT is part of a multi-tiered infrastructure and uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. The C variant of CastleRAT includes additional functionalities such as keylogging, screenshot capture, and cryptocurrency clipping. The threat actor employs phishing attacks and fraudulent GitHub repositories to initiate infections. Recent developments include the discovery of TinyLoader, TinkyWinkey, and Inf0s3c Stealer, which are used to deliver additional malware and steal information. CastleLoader has been linked to a Play Ransomware attack against a French organization, and GrayBravo operates with a limited and sophisticated user base, likely promoting its services within closed circles. Four distinct threat activity clusters have been observed leveraging CastleLoader: TAG-160, TAG-161, and two unnamed clusters. TAG-160 targets the logistics sector using phishing and ClickFix techniques, while TAG-161 uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0. The third cluster uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. The fourth cluster uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT. GrayBravo leverages a multi-tiered infrastructure to support its operations, including Tier 1 victim-facing C2 servers and multiple VPS servers as backups.

Timeline

  1. 09.12.2025 18:01 · 1 article

    GrayBravo characterized by rapid development cycles and evolving infrastructure

    GrayBravo, previously tracked as TAG-150, is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. The threat actor's toolset includes CastleRAT and CastleBot, which comprises a shellcode stager/downloader, a loader, and a core backdoor. The CastleBot loader injects a core module that contacts its C2 server to retrieve tasks enabling it to download and execute DLL, EXE, and PE payloads.

  2. 05.09.2025 17:07 · 3 articles

    TAG-150 Develops CastleRAT in Python and C

    TAG-150, now identified as GrayBravo, has been active since at least March 2025; CastleLoader has been used in over 1,600 attacks, resulting in nearly 470 successful infections. The threat actor targets critical infrastructure, including a significant number of U.S. government agencies, and CastleLoader has been linked to a Play Ransomware attack against a French organization. The C variant of CastleRAT includes a clipper, a keylogger, a screen capturer, and the ability to terminate browser processes. The Python variant, named PyNightshade, uses UAC prompt bombing to bypass security protections and evade sandbox solutions. The reporting also describes GrayBravo's small, sophisticated user base operating within closed circles and anticipates further malware development and distribution by the group.

Similar Happenings

WordPress Sites Exploited for ClickFix Phishing Attacks

WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up-to-date. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.

BatShadow Group Uses 'Vampire Bot' Malware to Target Job Seekers

The Vietnamese threat actor BatShadow is using a new Go-based malware called Vampire Bot to target job seekers and digital marketing professionals. The attack involves social engineering tactics where the group poses as recruiters and distributes malicious files disguised as job descriptions and corporate documents. The malware is capable of profiling infected hosts, stealing information, capturing screenshots, and maintaining communication with a command-and-control server. The infection chain begins with ZIP archives containing decoy PDFs and malicious shortcut or executable files. The malware is delivered through a multi-stage process involving PowerShell scripts, fake error messages, and remote desktop software to establish persistent access. The actors have been active for at least a year and have previously used similar tactics to deploy other malware families. The malware captures screenshots at configurable intervals, compresses them into WEBP format, and exfiltrates them over encrypted channels. The malware is written in Go and continuously checks in with its command and control (C2) server for new commands and additional payloads. The targets in BatShadow's latest campaign are individuals in transition or with high online visibility, such as job seekers and digital marketing professionals. The malware hides in core system folders and uses additional tags and attributes to conceal itself. The malware can prompt victims to change their default browser to dodge native safeguards and ensure delivery.

Oyster Malware Distributed via Fake Microsoft Teams Installers

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools.

Supply Chain Attack on Drift via OAuth Token Theft

A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft, the parent company, took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data. The attack underscores the risks associated with third-party integrations and the importance of robust security measures in enterprise defenses.

Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. The initial 2024 attack began with social engineering on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs. The impact of the attack includes the compromise of employee systems and potential data exfiltration. The use of multiple RATs indicates a sophisticated and multi-stage attack strategy aimed at high-value targets. The 2025 campaign targeted three European firms involved in drone development, using trojanized open-source applications and manipulated GitHub projects to deliver malware. The attacks coincide with North Korean support for Russian operations in Ukraine, suggesting an effort to gather intelligence on Western-made drones. The campaign began in late March 2025 and involved the use of a trojanized PDF reader to deliver malware. The campaign could be focused on collecting information on weapon systems deployed in Ukraine, as well as gathering information to perfect designs and processes. At least two of the victims are heavily involved in the development of UAV technology, with one making critical drone components and the other building UAV-related software.