GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Threat Actor Meta
Summary
GrayBravo has expanded CastleLoader into a malware-as-a-service (MaaS) ecosystem that now includes CastleBot and custom CastleRAT variants, widening access to a reusable loader across multiple cybercrime clusters. The activity spans phishing, ClickFix, malvertising, fake software sites, and booby-trapped GitHub repositories, with reported use dating back to March 2025 and scaling to more than 1,600 attacks and nearly 470 infections. Researchers also reported more than 400 victims, including many United States government agencies and other critical targets. The ecosystem's spread and lack of public dark web promotion point to a more selective, distributed criminal supply chain centered on CastleLoader and its related tooling.
Related Happenings
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
First: 14.02.2026 00:35
Last: 14.02.2026 00:35
Sources 1
About this happening:
**Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Latest development: 29.04.2026 17:43
North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
Lazarus Group graphalgo recruitment-themed package campaign
Campaign
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
**North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
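As an added illustration (not code from the original report or from Microsoft's disclosure) of how a defender can correlate the chain described above, the following Python detector walks constructed process-creation events, keys every process on the Windows Terminal (wt.exe) session it descends from, and alerts only when one session shows at least two of the Defender-exclusion, scheduled-task and MSBuild-from-user-writable-path indicators, so an ordinary interactive PowerShell launched from the terminal does not fire. The event format, file paths and rule regexes are assumptions.

```python
import ntpath
import re

# Constructed process-creation events (not real telemetry): one record per
# process start with its parent pid, image path and command line.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe", "cmd": "wt.exe"},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath {TEMP}"},
    {"pid": 40, "ppid": 30, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": f'cmd.exe /c schtasks /create /tn Updater /tr "{TEMP}\\u.cmd" /sc minute'},
    {"pid": 50, "ppid": 40, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": f"MSBuild.exe {TEMP}\\proj.xml"},
    # Benign control: an interactive PowerShell started from the same terminal.
    {"pid": 60, "ppid": 20, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-ChildItem"},
]

RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)", re.I),
    "scheduled_task": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    "msbuild_user_writable_project": re.compile(r"\bmsbuild(\.exe)?\b.*\\(AppData|Temp|Downloads)\\", re.I),
}

def lineage(by_pid, pid):
    """Walk parent links upward: (pid, image basename) from the process to the root."""
    out = []
    while pid in by_pid:
        out.append((pid, ntpath.basename(by_pid[pid]["image"]).lower()))
        pid = by_pid[pid]["ppid"]
    return out

def classify(events):
    """Map each wt.exe root pid to the distinct indicators seen among its descendants."""
    by_pid = {e["pid"]: e for e in events}
    trees = {}
    for e in events:
        chain = lineage(by_pid, e["pid"])
        roots = [p for p, name in chain[1:] if name == "wt.exe"]
        if not roots:
            continue  # only processes spawned under a Windows Terminal session matter here
        hits = {name for name, rx in RULES.items() if rx.search(e["cmd"])}
        if hits:
            trees.setdefault(roots[-1], set()).update(hits)  # key on the outermost wt.exe
    return trees

def alerts(events, threshold=2):
    return {root: sorted(h) for root, h in classify(events).items() if len(h) >= threshold}
```

On the constructed events, the single session rooted at pid 20 accumulates all three indicators and raises one alert, while the benign PowerShell child contributes nothing.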
Timeline
09.12.2025 18:01 · 3 articles
GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Initial Disclosure: CastleLoader first emerged as a **GrayBravo** loader associated with repeatable delivery operations, then broadened into a **multi-cluster** service model. Early activity visible since **March 2025** shows the platform was already supporting reusable intrusion chains before wider adoption became clear.
Sources:
- Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure — thehackernews.com — 09.12.2025 18:01
- Secretive MaaS Group 'TAG-150' Develops Novel 'CastleRAT' — www.darkreading.com — 05.09.2025 21:28