GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Threat Actor Meta
Summary
Hide ▲
Show ▼
GrayBravo has expanded CastleLoader into a malware-as-a-service (MaaS) ecosystem that now includes CastleBot and custom CastleRAT variants, widening access to a reusable loader across multiple cybercrime clusters. The activity spans phishing, ClickFix, malvertising, fake software sites, and boobytrapped GitHub repositories, with reported use dating back to March 2025 and scaling to more than 1,600 attacks and nearly 470 infections. Researchers also reported more than 400 victims, including many United States government agencies and other critical targets. The ecosystem’s spread and lack of public dark web promotion point to a more selective, distributed criminal supply chain centered on CastleLoader and its related tooling.
Related Happenings
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
H score44
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax social media ad campaign targeting Spanish-speaking users
CampaignAbout this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
H score31
First: 14.02.2026 00:35
Last: 14.02.2026 00:35
Sources 1
About this happening:
**Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware ActivityAbout this happening: **Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Latest development: 29.04.2026 17:43
North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
Lazarus Group graphalgo recruitment-themed package campaign
Campaign
H score38
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
Lazarus Group graphalgo recruitment-themed package campaign
CampaignAbout this happening: The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
Timeline
-
09.12.2025 18:01 3 articles · 7mo ago
GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Initial DisclosureCastleLoader first emerged as a **GrayBravo** loader associated with repeatable delivery operations, then broadened into a **multi-cluster** service model. Early activity visible since **March 2025** shows the platform was already supporting reusable intrusion chains before wider adoption became clear.
Show sources
- Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure — thehackernews.com — 09.12.2025 18:01
- Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure — thehackernews.com — 09.12.2025 18:01
- Secretive MaaS Group 'TAG-150' Develops Novel 'CastleRAT' — www.darkreading.com — 05.09.2025 21:28