CastleLoader/CastleBot loader payload-delivery activity
Malware Activity
Summary
The CastleLoader and CastleBot chain is being used to inject modules and fetch tasks from C2 servers, expanding payload delivery across victim-facing infrastructure. The loader can download and execute DLL, EXE, and PE payloads, giving operators a flexible handoff path for additional malware. That reuse broadens how quickly new payloads can be deployed through the same delivery chain.
Related Happenings
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources: 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
CastleLoader malware activity using a Python-based delivery chain
Malware Activity
First: 10.12.2025 18:45
Last: 10.12.2025 18:45
Sources: 1
About this happening:
**CastleLoader** is now being delivered through a **Python-based delivery chain** that runs payloads in memory, increasing the chance of stealthy execution on **Windows** systems....
GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Threat Actor Meta
First: 09.12.2025 18:01
Last: 09.12.2025 18:01
Sources: 1
How related:
Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.
About this happening:
**GrayBravo** has expanded **CastleLoader** into a **malware-as-a-service (MaaS)** ecosystem that now includes **CastleBot** and custom **CastleRAT** variants, widening access to...
Timeline
- 09.12.2025 18:01 · 2 articles
GrayBravo-linked CastleLoader MaaS findings
Initial Disclosure: GrayBravo, previously tracked as TAG-150, is identified as the operator behind CastleLoader activity that appears to function as a malware-as-a-service platform and is used by four distinct threat clusters to distribute payloads including CastleRAT, Matanbuchus 3.0, NetSupport RAT, and other malware families. The associated CastleBot loader injects a core module that contacts C2 to retrieve tasks for downloading and executing DLL, EXE, and PE payloads, while the broader operation uses phishing, ClickFix, malvertising, fake software updates, and Booking.com-themed lures.
Sources:
- Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure — thehackernews.com — 09.12.2025 18:01