Overview of CastleLoader Threat Activity
Recent investigations have identified four distinct threat clusters utilizing a malware loader known as CastleLoader. This finding reinforces earlier analyses suggesting that CastleLoader is being offered as a Malware-as-a-Service (MaaS), allowing various cybercriminals to exploit its features for their malicious activities.
Identifying GrayBravo
The group behind CastleLoader has been dubbed GrayBravo by Recorded Future’s Insikt Group, previously recognized as TAG-150. This team has garnered attention due to its rapid development cycles, technical prowess, and a flexible, expanding infrastructure, according to an analysis released by Mastercard’s cybersecurity division.
The Toolset of GrayBravo
GrayBravo’s arsenal includes various sophisticated malware tools, most notably a remote access trojan (RAT) named CastleRAT and a comprehensive framework called CastleBot. CastleBot incorporates three primary elements: a shellcode stager and downloader, a loader, and a core backdoor. This framework forms the backbone of their operations, allowing the threat actor to execute complex attacks.
Functionality of CastleBot
The CastleBot loader plays a critical role in the operation: it injects the core component, which then reaches out to its command-and-control (C2) servers. Through this channel the loader receives tasks to download and execute various payload types, including DLLs, EXEs, and other PE files. Among the many malware families that CastleBot is known to distribute are DeerStealer, RedLine Stealer, StealC Stealer, and RATs such as NetSupport RAT and SectopRAT.
Analysis of Threat Activity Clusters
Recorded Future’s report highlights the activities of four distinct clusters, each deploying unique tactics:
- Cluster 1 (TAG-160): Targeting the logistics sector, this cluster utilizes phishing and ClickFix techniques to spread CastleLoader. It has been active since March 2025.
- Cluster 2 (TAG-161): This group’s campaigns leverage Booking.com-themed ClickFix strategies to distribute both CastleLoader and Matanbuchus 3.0, with operations noted since June 2025.
- Cluster 3: This faction mimics Booking.com infrastructure and employs ClickFix and Steam Community pages to deliver CastleRAT via CastleLoader, active since March 2025.
- Cluster 4: Using malvertising tactics and fake software updates claiming to be Zabbix and RVTools, this cluster distributes CastleLoader and NetSupport RAT, beginning its operations in April 2025.
Operational Infrastructure of GrayBravo
GrayBravo has built a multi-tiered operational infrastructure, which includes victim-facing Tier 1 C2 servers linked to various malware families such as CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE. In addition, multiple Virtual Private Servers (VPS) are likely used as backup systems to ensure the reliability of their operations.
Pillars of GrayBravo’s Strategy
The phishing strategies employed by TAG-160 stand out, particularly in their use of forged or compromised accounts on freight-matching platforms such as DAT Freight & Analytics and Loadlink Technologies. This approach elevates the credibility of their phishing efforts, illustrating an intricate understanding of the logistics industry, and enabling them to effectively impersonate legitimate companies.
Link to Other Cyber Threats
While the link is assessed with low confidence, GrayBravo's activity may be related to a previously unattributed operation that targeted transportation and logistics firms in North America last year and aimed to deliver various malware types.
The Evolution of GrayBravo’s Reach
GrayBravo’s considerable growth is evident through its expanding user base and the increasing number of threat actors and operational clusters that have started to use the CastleLoader malware. This trend highlights the formidable nature of GrayBravo’s technology, which can quickly disseminate throughout the cybercriminal landscape once its effectiveness is established.