Mallory
Tags: Malware, Ransomware. Used by 1 actor.

CastleBot

CastleBot is a malware framework and loader operation, commonly described as a Malware-as-a-Service (MaaS) offering. Reporting describes three components: a shellcode stager/downloader, a loader, and a core backdoor. The loader injects the core module, which contacts command-and-control (C2) infrastructure to retrieve tasks and to download and execute additional DLL, EXE, and PE payloads. CastleBot has been observed dropping follow-on malware including infostealers, Rhadamanthys, and WARMCOOKIE; IBM X-Force specifically reported CastleBot distributing WARMCOOKIE.

CastleBot is associated with the threat actor tracked as TAG-150 and later named GrayBravo by Recorded Future. The cited reporting states that this actor has been active since at least March 2025 and has developed multiple custom malware families, including CastleLoader, CastleBot, and CastleRAT. CastleBot and related tooling have been spread through Cloudflare-themed ClickFix social-engineering attacks and bogus GitHub repositories masquerading as legitimate software, with victims tricked into executing malicious PowerShell commands themselves.

Operationally, CastleBot is linked to the broader GrayBravo/TAG-150 ecosystem, which uses multi-tiered infrastructure. The cited reporting provides no CastleBot-specific C2 indicators, but places it within infrastructure also used for other GrayBravo malware families. One technical note states that Pure Crypter and CastleBot patched NtManageHotPatch in memory to return STATUS_NOT_SUPPORTED, restoring the reliability of classic RunPE and Early Bird injection on Windows 11 24H2 / Server 2022 24H2 systems after Microsoft's hotpatch-related mitigations.

High-confidence behaviors directly mentioned in the reporting are: staged infection architecture; downloader/loader/backdoor functionality; task retrieval from C2; download-and-execute of DLL/EXE/PE payloads; use in MaaS-style operations; propagation via ClickFix and fake GitHub repositories; and association with TAG-150/GrayBravo. Targeting is not uniquely defined for CastleBot itself, though the associated actor has targeted victims through broad social-engineering campaigns and has been linked elsewhere in the same ecosystem to logistics-themed and other lures.


Threat actors

Groups observed using it

1 distinct threat actor attributed by public researchers.

GrayBravo

Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT...

Source: Recorded Future blog (recordedfuture.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 2)

Infections are most commonly initiated through Cloudflare-themed “ClickFix” phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications.

Execution

2 techniques
T1106 Native API (evidence: 1)

Bumblebee's injection module (the dij command for DLL injection) dynamically resolves NtQueueApcThread at runtime and uses it to inject a payload DLL... While the static import of NtQueueApcThread is flagged by multiple scanners, a runtime GetProcAddress lookup on ntdll.dll is invisible to import-table analysis.

T1204 User Execution (evidence: 1)

Both versions spread by tricking users into pasting malicious commands through a technique called ClickFix, which uses fake fixes and login prompts.

Privilege Escalation

2 techniques
T1055 Process Injection (evidence: 1)

Process injection sits at the top of the MITRE ATT&CK heap for the second year running. Picus Labs’ Red Report 2025 found T1055 in roughly 31% of the million-plus malware samples they examined.

T1055.004 Asynchronous Procedure Call (evidence: 1)

Attackers spawn a process suspended, queue an APC into its main thread before the AV/EDR’s user-mode hooks have loaded, then resume. The payload runs before the security product begins.

Stealth

2 techniques
T1055 Process Injection (evidence: 1)

Process injection sits at the top of the MITRE ATT&CK heap for the second year running. Picus Labs’ Red Report 2025 found T1055 in roughly 31% of the million-plus malware samples they examined.

T1055.004 Asynchronous Procedure Call (evidence: 1)

Attackers spawn a process suspended, queue an APC into its main thread before the AV/EDR’s user-mode hooks have loaded, then resume. The payload runs before the security product begins.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

The criminals use Tox Chat, the encrypted comms service that is becoming the tool favored by some malware operators for command and control.

T1105 Ingress Tool Transfer (evidence: 1)

These malware families are frequently observed as initial infection vectors that deliver a wide range of secondary payloads... CastleRAT's core functionality consists of... downloading and executing additional payloads.
