GrayBravo
GrayBravo, formerly tracked as TAG-150, is a financially motivated cybercriminal threat actor assessed to operate a malware-as-a-service (MaaS) ecosystem active since at least March 2025. The group is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving multi-tiered infrastructure. GrayBravo is the developer and operator behind CastleLoader and is also linked to CastleBot and CastleRAT, including Python and C variants of CastleRAT.

GrayBravo commonly gains initial access through ClickFix-style social engineering and fraudulent GitHub repositories masquerading as legitimate software. Reported lures include Cloudflare-themed ClickFix pages, fake CAPTCHA or troubleshooting flows, bogus software repositories, malvertising, and fake software updates. Victims are tricked into copying and executing malicious PowerShell commands or running trojanized installers. CastleLoader has also been observed in NSIS- and AutoIt-based delivery chains that use in-memory execution, obfuscation, anti-analysis checks, and geofencing.

The actor's tooling is used to deliver numerous secondary payloads, including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, Stealc, RedLine Stealer, Rhadamanthys Stealer, DeerStealer, MonsterV2, LummaStealer, and CastleStealer. CastleRAT supports system reconnaissance, command execution via CMD and PowerShell, payload download and execution, and remote shell access; the C variant also includes keylogging and screen capture. GrayBravo has used Steam Community pages as dead-drop resolvers for CastleRAT command-and-control.

GrayBravo operates a large, redundant infrastructure spanning victim-facing command-and-control servers and higher-tier intermediary and backend systems. Reporting describes four distinct activity clusters leveraging CastleLoader, including TAG-160 and TAG-161. TAG-160 has targeted the logistics sector using phishing and ClickFix techniques, including impersonation of logistics firms and abuse of freight-matching platforms. TAG-161 has used Booking.com-themed ClickFix campaigns. Additional GrayBravo activity has used malvertising and fake software update lures. Reported targeting shows a primary focus on the United States, with victims in logistics, financial services, U.S. government agencies, critical infrastructure, and IT firms.
Tradecraft
32 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
11 malware families attributed to this actor across reporting; 6 additional families tracked in Mallory.
Observables
55 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Threat activity cluster attributed with CastleLoader and associated distribution of CastleStealer in lure-based malware campaigns.
Uses shared backend infrastructure associated with the domain serialmenot[.]com for CastleLoader operations; DinDoor shows behavioral overlap with this activity cluster.
Attributed with the use of serialmenot[.]com as backend infrastructure for CastleLoader and discussed as a likely operator pattern in a financially themed targeting context.
A Russian malware-as-a-service-associated activity cluster whose CastleRAT builds were deployed against Israeli targets and used within the broader ChainShell-linked operation.