
GrayBravo Expands CastleLoader Malware Operations with Four Threat Clusters

4 unique sources, 5 articles

Summary

GrayBravo, previously tracked as TAG-150, has developed CastleRAT, a remote access trojan available in both Python and C variants. The threat actor is characterized by rapid development cycles, technical sophistication, and an expansive, evolving infrastructure. GrayBravo has been active since at least March 2025, using CastleLoader to deliver various secondary payloads, including other RATs, information stealers, and loaders. CastleRAT is part of a multi-tiered infrastructure and uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. The C variant of CastleRAT includes additional functionalities such as keylogging, screenshot capture, and cryptocurrency clipping.

The threat actor employs phishing attacks and fraudulent GitHub repositories to initiate infections. Recent developments include the discovery of TinyLoader, TinkyWinkey, and Inf0s3c Stealer, which are used to deliver additional malware and steal information. CastleLoader has been linked to a Play Ransomware attack against a French organization, and GrayBravo operates with a limited and sophisticated user base, likely promoting its services within closed circles.

Four distinct threat activity clusters have been observed leveraging CastleLoader: TAG-160, TAG-161, and two unnamed clusters. TAG-160 targets the logistics sector using phishing and ClickFix techniques, while TAG-161 uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0. The third cluster uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. The fourth cluster uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT. GrayBravo leverages a multi-tiered infrastructure to support its operations, including Tier 1 victim-facing C2 servers and multiple VPS servers as backups.

A surge in LummaStealer infections has been observed, driven by social engineering campaigns leveraging the ClickFix technique to deliver the CastleLoader malware. LummaStealer, also known as LummaC2, is an infostealer operation running as a malware-as-a-service (MaaS) platform that was disrupted in May 2025 when multiple tech firms and law enforcement authorities seized 2,300 domains and the central command structure supporting the malicious service. Although the law enforcement operation severely disrupted the LummaStealer activity, the MaaS operation started to resume in July 2025. A new report from cybersecurity company Bitdefender warns that LummaStealer operations have scaled significantly between December 2025 and January 2026, now being delivered through a malware loader called CastleLoader, and increasingly relying on ClickFix techniques.

Timeline

  1. 09.12.2025 18:01 2 articles · 2mo ago

    GrayBravo characterized by rapid development cycles and evolving infrastructure

    GrayBravo, previously tracked as TAG-150, is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. The threat actor's toolset includes CastleRAT and CastleBot, which comprises a shellcode stager/downloader, a loader, and a core backdoor. The CastleBot loader injects a core module that contacts its C2 server to retrieve tasks enabling it to download and execute DLL, EXE, and PE payloads.

  2. 05.09.2025 17:07 5 articles · 5mo ago

    TAG-150 Develops CastleRAT in Python and C


Similar Happenings

ErrTraffic Service Enables Automated ClickFix Attacks via Fake Browser Glitches

A new cybercrime tool called ErrTraffic automates ClickFix attacks by generating fake browser glitches on compromised websites to trick users into downloading malware or following malicious instructions. The service promises high conversion rates and delivers architecture-specific payloads. ClickFix attacks have gained popularity among cybercriminals and state-sponsored actors for bypassing security controls. ErrTraffic is sold for a one-time purchase of $800 and offers a user-friendly panel for campaign management. It modifies the DOM of compromised websites to display visual glitches, prompting victims to execute malicious commands. Payloads include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, AMOS stealer on macOS, and unspecified Linux backdoors.

GootLoader Resurfaces with New Font Obfuscation and ZIP Evasion Tactics

GootLoader, a JavaScript-based malware loader, has resurfaced with advanced tactics to evade detection. The malware now uses custom WOFF2 fonts to obfuscate filenames, modifies ZIP files to appear harmless in analysis tools, and employs concatenated ZIP archives of up to 1,000 parts. Since October 27, 2025, three infections have been observed, two of which led to domain controller compromises within 17 hours. GootLoader, linked to the Hive0127 threat actor, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads. The malware's latest campaign targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives. The ZIP files are designed to evade static analysis by displaying harmless text in analysis tools while extracting malicious JavaScript files on Windows. The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying capabilities. Threat actors have used this backdoor to move laterally to domain controllers and create admin-level user accounts. The latest findings highlight GootLoader's use of malformed ZIP archives that evade detection by tools like WinRAR or 7-Zip, while still being extractable by the default Windows unarchiver. The malware employs hashbusting techniques, including randomizing values in non-critical fields and concatenating a unique number of files, to evade detection. The ZIP archive is delivered as an XOR-encoded blob, decoded and repeatedly appended to itself on the client side to evade network-based detection. The JavaScript malware creates a Windows shortcut (LNK) file in the Startup folder to establish persistence and executes a second JavaScript file using cscript.
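The concatenated-archive trick above works because a ZIP parser normally trusts a single end-of-central-directory (EOCD) record and the central directory it points to, so members that exist only as local file headers in an earlier, appended-over archive go unlisted. The following Python script is an added example for defenders, not code from the original report or from any vendor tool: it scans a ZIP blob for structural signs of concatenation (more than one EOCD record, central-directory offsets shifted by prefix data, local file headers that no central-directory entry references) and contrasts that with what the standard `zipfile` module lists. The two sample archives are constructed inline with harmless placeholder content; the parsing logic and the finding messages are this example's own.

```python
import io
import struct
import zipfile

# ZIP record signatures (PKWARE APPNOTE): local file header, central
# directory header, end of central directory record.
LFH, CDH, EOCD = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"             # 22 bytes, fields 4..7 used below
CDH_FMT = "<4sHHHHHHIIIHHHHHII"      # 46 bytes, fields 10/11/12/16 used below


def _find_all(data: bytes, sig: bytes) -> list:
    """Offsets of every occurrence of a 4-byte signature (heuristic scan)."""
    hits, i = [], data.find(sig)
    while i != -1:
        hits.append(i)
        i = data.find(sig, i + 1)
    return hits


def analyze_zip(data: bytes) -> dict:
    """Walk the archive from its final EOCD and report structural anomalies.

    A signature scan can also match bytes inside stored member content (for
    example a nested ZIP), so findings are leads for a triage queue, not proof.
    """
    eocds = _find_all(data, EOCD)
    if not eocds:
        return {"valid": False, "findings": ["no end-of-central-directory record"]}
    findings = []
    if len(eocds) > 1:
        findings.append(f"{len(eocds)} EOCD records: archives appear concatenated")

    last = eocds[-1]
    f = struct.unpack_from(EOCD_FMT, data, last)
    total_entries, cd_size, cd_offset, comment_len = f[4], f[5], f[6], f[7]
    if last + 22 + comment_len != len(data):
        findings.append(f"{len(data) - (last + 22 + comment_len)} bytes of trailing data after final EOCD")

    # Where the central directory really is versus where the EOCD claims it is.
    # A non-zero difference means data precedes this archive (zipfile calls it 'concat').
    cd_start = last - cd_size
    prefix = cd_start - cd_offset
    if prefix != 0:
        findings.append(f"central directory offsets shifted by {prefix} bytes: data precedes this archive")

    # Walk the central directory and note which local headers it references.
    names, referenced, pos = [], set(), cd_start
    for _ in range(total_entries):
        if data[pos:pos + 4] != CDH:
            findings.append("central directory truncated or malformed")
            break
        c = struct.unpack_from(CDH_FMT, data, pos)
        name_len, extra_len, comment_len, lfh_offset = c[10], c[11], c[12], c[16]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        referenced.add(lfh_offset + prefix)
        pos += 46 + name_len + extra_len + comment_len

    unlisted = [p for p in _find_all(data, LFH) if p not in referenced]
    if unlisted:
        findings.append(f"{len(unlisted)} local file header(s) not referenced by the central directory")

    return {"valid": True, "members": names, "eocd_count": len(eocds),
            "prefix_bytes": prefix, "unlisted_local_headers": len(unlisted),
            "findings": findings}


def listed_members(data: bytes) -> list:
    """What a conventional parser (Python's zipfile) reports for the same bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_zip(members: dict) -> bytes:
    """Build a small stored (uncompressed) ZIP in memory; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one ordinary archive, and two archives glued together so
# that the first one's member is invisible to a parser that trusts the last EOCD.
CLEAN = make_zip({"readme.txt": b"legitimate template text"})
FIRST = make_zip({"readme.txt": b"decoy text shown by analysis tools"})
SECOND = make_zip({"template.js": b"// constructed stand-in, not malware\n"})
CONCATENATED = FIRST + SECOND

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("concatenated", CONCATENATED)):
        report = analyze_zip(blob)
        print(label, "zipfile lists:", listed_members(blob))
        for line in report["findings"] or ["no anomalies"]:
            print("  -", line)
```

Run as a script it shows `zipfile` listing only `template.js` for the glued archive while the structural walk reports two EOCD records, a shifted central directory and one unreferenced local file header; a mail gateway or sandbox can apply the same walk to attachments and route anything with findings to manual review rather than trusting a single extractor's view.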

Increased Use of ClickFix Attacks by Threat Actors

ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. The attacks exploit user behavior and technical gaps in detection to evade security measures and compromise systems. They are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.

TikTok Videos Distribute Infostealers via ClickFix Attacks

Cybercriminals are using TikTok videos to distribute information-stealing malware through ClickFix attacks. The videos, disguised as activation guides for popular software like Windows, Spotify, and Netflix, trick users into executing malicious PowerShell commands. These commands download and execute Aura Stealer malware, which steals credentials, cookies, and cryptocurrency wallets. The campaign has been ongoing and is similar to one observed by Trend Micro in May 2025.

FileFix Attack Evolves with Cache Smuggling Technique

A new variant of the FileFix social engineering attack uses cache smuggling to evade security software. This technique involves hiding a malicious ZIP archive within a browser's cache to bypass detection. The attack impersonates a Fortinet VPN Compliance Checker and tricks users into executing a PowerShell script through the Windows File Explorer address bar. The script extracts the malicious payload from the cache and executes it. This new variant was first observed by cybersecurity researcher P4nd3m1cb0y and detailed by Marcus Hutchins of Expel. The attack has been adopted by various threat actors, including ransomware groups. Additionally, a new ClickFix kit called the IUAM ClickFix Generator has been discovered, which automates the creation of ClickFix-style lures.