
GrayBravo Expands CastleLoader Malware Operations with Four Threat Clusters

3 unique sources, 4 articles

Summary


GrayBravo, previously tracked as TAG-150, has developed CastleRAT, a remote access trojan available in both Python and C variants. The threat actor is characterized by rapid development cycles, technical sophistication, and an expansive, evolving infrastructure. GrayBravo has been active since at least March 2025, using CastleLoader to deliver various secondary payloads, including other RATs, information stealers, and loaders.

CastleRAT is part of a multi-tiered infrastructure and uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. The C variant of CastleRAT includes additional functionalities such as keylogging, screenshot capture, and cryptocurrency clipping. The threat actor employs phishing attacks and fraudulent GitHub repositories to initiate infections. Recent developments include the discovery of TinyLoader, TinkyWinkey, and Inf0s3c Stealer, which are used to deliver additional malware and steal information.

CastleLoader has been linked to a Play Ransomware attack against a French organization, and GrayBravo operates with a limited and sophisticated user base, likely promoting its services within closed circles.

Four distinct threat activity clusters have been observed leveraging CastleLoader: TAG-160, TAG-161, and two unnamed clusters. TAG-160 targets the logistics sector using phishing and ClickFix techniques, while TAG-161 uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0. The third cluster uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. The fourth cluster uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT.

GrayBravo leverages a multi-tiered infrastructure to support its operations, including Tier 1 victim-facing C2 servers and multiple VPS servers as backups.
A new malware campaign using a Python-based delivery chain to deploy the emerging CastleLoader family has been discovered by cybersecurity researchers. The activity revolves around the use of ClickFix social engineering prompts that convince users to open the Windows Run dialog and execute a command that appears to be part of a harmless verification step. That single action initiates a multi-stage sequence that quietly downloads, decrypts, and runs an attacker-controlled payload in memory.

Timeline

  1. 09.12.2025 18:01 · 1 article

    GrayBravo characterized by rapid development cycles and evolving infrastructure

    GrayBravo, previously tracked as TAG-150, is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. The threat actor's toolset includes CastleRAT and CastleBot, which comprises a shellcode stager/downloader, a loader, and a core backdoor. The CastleBot loader injects a core module that contacts its C2 server to retrieve tasks enabling it to download and execute DLL, EXE, and PE payloads.

  2. 05.09.2025 17:07 · 4 articles

    TAG-150 Develops CastleRAT in Python and C

    A new malware campaign using a Python-based delivery chain to deploy the emerging CastleLoader family has been discovered by cybersecurity researchers. The activity revolves around the use of ClickFix social engineering prompts that convince users to open the Windows Run dialog and execute a command that appears to be part of a harmless verification step. That single action initiates a multi-stage sequence that quietly downloads, decrypts, and runs an attacker-controlled payload in memory. The ClickFix command launches a hidden conhost.exe process that uses built-in Windows tools to fetch a small tar archive, unpack it into AppData, and run a windowless Python interpreter. The bundled interpreter executes a compiled Python bytecode file that reconstructs and decrypts CastleLoader shellcode entirely in memory. The shellcode retrieves the final stage using the hardcoded "GoogeBot" user agent string and a staging path consistent with prior CastleLoader operations. The malware relies on hashed DLL names, hashed API identifiers, and PEB walking to resolve the APIs it needs at runtime, and it decrypts the downloaded payload using the first 16 bytes as an XOR key before running it directly in memory.

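An added triage helper for two points in the chain described in the timeline entry above; this is example code, not from the original reporting or any vendor. It recovers the final stage from a captured download using the first 16 bytes as the XOR key (assuming the key repeats over the remainder, which the report does not spell out) and flags process events matching the conhost/tar/AppData/pythonw sequence; the blob and the events are constructed samples.

```python
from __future__ import annotations

KEY_LEN = 16  # per the report: the first 16 bytes of the download are the XOR key


def decrypt_stage(blob: bytes) -> bytes:
    """Recover the final stage from a captured CastleLoader download.
    The key is the leading 16 bytes; applying it as a repeating XOR key over
    the remainder is an assumption about the scheme, not stated in the report."""
    if len(blob) <= KEY_LEN:
        raise ValueError("blob too short: needs a 16-byte key plus a body")
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def looks_like_pe(payload: bytes) -> bool:
    """Analyst sanity check: a recovered in-memory stage usually starts with 'MZ'."""
    return payload[:2] == b"MZ"


def flag_clickfix_chain(events: list[dict]) -> list[tuple[int, str]]:
    """Flag process-creation events matching the chain's observable stages:
    conhost.exe unpacking a tar archive into AppData, then a windowless
    Python interpreter (pythonw.exe) running bytecode out of AppData."""
    hits = []
    for i, ev in enumerate(events):
        image, cmd = ev["image"].lower(), ev["cmdline"].lower()
        in_appdata = "\\appdata\\" in cmd
        if image == "conhost.exe" and "tar" in cmd and in_appdata:
            hits.append((i, "conhost.exe unpacking tar archive into AppData"))
        elif image == "pythonw.exe" and in_appdata and ".pyc" in cmd:
            hits.append((i, "windowless Python running .pyc from AppData"))
    return hits


# Constructed sample data (not captured from the campaign).
SAMPLE_KEY = bytes(range(0xA0, 0xA0 + KEY_LEN))
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed, not a real payload"
SAMPLE_BLOB = SAMPLE_KEY + bytes(
    b ^ SAMPLE_KEY[i % KEY_LEN] for i, b in enumerate(SAMPLE_PLAIN))
APPDATA = "C:\\Users\\victim\\AppData\\Roaming\\stage"  # hypothetical path
SAMPLE_EVENTS = [
    {"image": "conhost.exe", "cmdline": f"conhost.exe tar -xf stage.tar -C {APPDATA}"},
    {"image": "pythonw.exe", "cmdline": f"{APPDATA}\\pythonw.exe {APPDATA}\\loader.pyc"},
    {"image": "notepad.exe", "cmdline": "notepad.exe C:\\Users\\victim\\notes.txt"},
]
```

Run `flag_clickfix_chain` over real process telemetry only after mapping your EDR's field names onto `image` and `cmdline`.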


Similar Happenings

FileFix Attack Evolves with Cache Smuggling Technique

A new variant of the FileFix social engineering attack uses cache smuggling to evade security software. This technique involves hiding a malicious ZIP archive within a browser's cache to bypass detection. The attack impersonates a Fortinet VPN Compliance Checker and tricks users into executing a PowerShell script through the Windows File Explorer address bar. The script extracts the malicious payload from the cache and executes it. This new variant was first observed by cybersecurity researcher P4nd3m1cb0y and detailed by Marcus Hutchins of Expel. The attack has been adopted by various threat actors, including ransomware groups. Additionally, a new ClickFix kit called the IUAM ClickFix Generator has been discovered, which automates the creation of ClickFix-style lures.

WordPress Sites Exploited for ClickFix Phishing Attacks

WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up to date. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.

BatShadow Group Uses 'Vampire Bot' Malware to Target Job Seekers

The Vietnamese threat actor BatShadow is using a new Go-based malware called Vampire Bot to target job seekers and digital marketing professionals. The attack involves social engineering tactics where the group poses as recruiters and distributes malicious files disguised as job descriptions and corporate documents. The malware is capable of profiling infected hosts, stealing information, capturing screenshots, and maintaining communication with a command-and-control (C2) server. The infection chain begins with ZIP archives containing decoy PDFs and malicious shortcut or executable files. The malware is delivered through a multi-stage process involving PowerShell scripts, fake error messages, and remote desktop software to establish persistent access. The actors have been active for at least a year and have previously used similar tactics to deploy other malware families. The malware captures screenshots at configurable intervals, compresses them into WEBP format, and exfiltrates them over encrypted channels. Written in Go, it continuously checks in with its C2 server for new commands and additional payloads. The targets in BatShadow's latest campaign are individuals in transition or with high online visibility, such as job seekers and digital marketing professionals. The malware hides in core system folders and uses additional tags and attributes to conceal itself. It can prompt victims to change their default browser to dodge native safeguards and ensure delivery.

Credential-themed ZIP Archives Deliver DLL Implants via Windows Shortcuts

A campaign delivers DLL implants using Windows shortcut (.lnk) files embedded in ZIP archives. The ZIP files contain credential-themed lures, such as passport scans and payment records. When a user clicks on the shortcut, it triggers a minimized and obfuscated PowerShell script that downloads a malicious payload. The attack targets users in the management vertical, focusing on executive workflows like identity verification and payment approval. The campaign uses several evasion tactics to avoid detection, including obfuscation, byte array commands, and antivirus process checks. The PowerShell script runs quietly, suppressing visible windows and progress messages. It downloads DLLs disguised as .ppt files and invokes them using rundll32.exe, blending the malicious activity with normal system behavior. This approach helps the implant remain undetected and provides a quiet foothold on the machine.

Oyster Malware Distributed via Fake Microsoft Teams Installers

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools.