Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

CastleLoader malware activity using a Python-based delivery chain

Malware Activity
First reported
Last updated
Happening score
H score 12
1 unique sources, 1 articles

Summary

Hide ▲

CastleLoader is now being delivered through a Python-based delivery chain that runs payloads in memory, increasing the chance of stealthy execution on Windows systems. The activity uses ClickFix prompts to persuade users to open the Windows Run dialog and launch a command that looks like a harmless verification step. That command starts hidden conhost.exe and pythonw.exe activity, then decrypts and executes CastleLoader shellcode without dropping a traditional executable. Researchers also tied the staging pattern and GoogeBot user agent to prior CastleLoader operations.

Related Happenings

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
First: 31.03.2026 00:25 Last: 31.03.2026 00:25 Sources 1

About this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...

Open Happening

ClickFix Windows Terminal Lumma Stealer campaign

Campaign
First: 06.03.2026 08:44 Last: 06.03.2026 08:44 Sources 1

About this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...

Open Happening

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

Open Happening

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

Open Happening

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Open Happening

Timeline

  1. 10.12.2025 18:45 2 articles · 5mo ago

    Blackpoint identifies ClickFix-driven CastleLoader campaign

    Initial Disclosure

    Blackpoint identified a new CastleLoader campaign that uses ClickFix social engineering prompts to persuade Windows users to open the Windows Run dialog and execute a fake verification command; the chain starts a hidden conhost.exe process, fetches a tar archive, unpacks it into AppData, runs a windowless Python interpreter, and decrypts CastleLoader shellcode in memory before the final stage uses a hardcoded GoogeBot user agent and /service/download/ staging path consistent with prior CastleLoader operations.

    Show sources
    Open in new tab