Find notable cyber news and cases, enriched with sources, timelines, and signals.

GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem

Threat Actor Meta
First reported
Last updated
Happening score
H score 52
2 unique sources, 2 articles

Summary

Hide ▲

GrayBravo has expanded CastleLoader into a malware-as-a-service (MaaS) ecosystem that now includes CastleBot and custom CastleRAT variants, widening access to a reusable loader across multiple cybercrime clusters. The activity spans phishing, ClickFix, malvertising, fake software sites, and boobytrapped GitHub repositories, with reported use dating back to March 2025 and scaling to more than 1,600 attacks and nearly 470 infections. Researchers also reported more than 400 victims, including many United States government agencies and other critical targets. The ecosystem’s spread and lack of public dark web promotion point to a more selective, distributed criminal supply chain centered on CastleLoader and its related tooling.

Related Happenings

Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program

Threat Actor Meta
H score24 First: 11.06.2026 19:50 Last: 11.06.2026 19:50 Sources 1

About this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...

WeedHack YouTube and SEO poisoning campaign targeting Minecraft players

Campaign
H score73 First: 03.06.2026 00:54 Last: 03.06.2026 00:54 Sources 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...

Mirax social media ad campaign targeting Spanish-speaking users

Campaign
H score44 First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...

Graphalgo malicious npm and PyPI RAT downloader packages

Malware Activity
H score31 First: 14.02.2026 00:35 Last: 14.02.2026 00:35 Sources 1

About this happening: **Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...

Latest development: 29.04.2026 17:43

North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.

Lazarus Group graphalgo recruitment-themed package campaign

Campaign
H score38 First: 12.02.2026 18:55 Last: 12.02.2026 18:55 Sources 1

About this happening: The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...

Timeline

  1. 09.12.2025 18:01 3 articles · 7mo ago

    GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem

    Initial Disclosure

    CastleLoader first emerged as a **GrayBravo** loader associated with repeatable delivery operations, then broadened into a **multi-cluster** service model. Early activity visible since **March 2025** shows the platform was already supporting reusable intrusion chains before wider adoption became clear.

    Show sources