CastleLoader malware activity using a Python-based delivery chain
Malware Activity
Summary
Hide ▲
Show ▼
CastleLoader is now being delivered through a Python-based delivery chain that runs payloads in memory, increasing the chance of stealthy execution on Windows systems. The activity uses ClickFix prompts to persuade users to open the Windows Run dialog and launch a command that looks like a harmless verification step. That command starts hidden conhost.exe and pythonw.exe activity, then decrypts and executes CastleLoader shellcode without dropping a traditional executable. Researchers also tied the staging pattern and GoogeBot user agent to prior CastleLoader operations.
Related Happenings
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
DeepLoad credential-stealing malware activity with WMI persistence
Malware Activity
H score30
First: 31.03.2026 00:25
Last: 31.03.2026 00:25
Sources 1
About this happening:
The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...
DeepLoad credential-stealing malware activity with WMI persistence
Malware ActivityAbout this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...
ClickFix Windows Terminal Lumma Stealer campaign
Campaign
H score35
First: 06.03.2026 08:44
Last: 06.03.2026 08:44
Sources 1
About this happening:
A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...
ClickFix Windows Terminal Lumma Stealer campaign
CampaignAbout this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
H score19
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources 1
About this happening:
**ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware ActivityAbout this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
H score22
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware ActivityAbout this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
Timeline
-
10.12.2025 18:45 2 articles · 7mo ago
Blackpoint identifies ClickFix-driven CastleLoader campaign
Initial DisclosureBlackpoint identified a new CastleLoader campaign that uses ClickFix social engineering prompts to persuade Windows users to open the Windows Run dialog and execute a fake verification command; the chain starts a hidden conhost.exe process, fetches a tar archive, unpacks it into AppData, runs a windowless Python interpreter, and decrypts CastleLoader shellcode in memory before the final stage uses a hardcoded GoogeBot user agent and /service/download/ staging path consistent with prior CastleLoader operations.
Show sources
- ClickFix Social Engineering Sparks Rise of CastleLoader Attacks — www.infosecurity-magazine.com — 10.12.2025 18:45
- ClickFix Social Engineering Sparks Rise of CastleLoader Attacks — www.infosecurity-magazine.com — 10.12.2025 18:45