Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.
The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future’s Insikt Group, which was previously tracking it as TAG-150.
GrayBravo is “characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure,” the Mastercard-owned company said in an analysis published today.
Some of the notable tools in the threat actor’s toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor.
The CastleBot loader is responsible for injecting the core module, which is equipped to contact its command-and-control (C2) server to retrieve tasks that enable it to download and execute DLL, EXE, and PE (portable executable) payloads. Some of the malware families distributed via this framework are DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and even other loaders like Hijack Loader.
Recorded Future’s latest analysis has uncovered four clusters of activity, each operating with distinct tactics –
- Cluster 1 (TAG-160), which targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader (Active since at least March 2025)
- Cluster 2 (TAG-161), which uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0 (Active since at least June 2025)
- Cluster 3, which uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader (Active since at least March 2025)
- Cluster 4, which uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT (Active since at least April 2025)
GrayBravo has been found to leverage a multi-tiered infrastructure to support its operations. This includes Tier 1 victim-facing C2 servers associated with malware families like CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE, as well as multiple VPS servers that likely operate as backups.
The attacks mounted by TAG-160 are also notable for using fraudulent or compromised accounts created on freight-matching platforms like DAT Freight & Analytics and Loadlink Technologies to enhance the credibility of its phishing campaigns. The activity, Recorded Future added, illustrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact.
It’s been…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
