GrayBravo's CastleLoader Powers Four Attack Clusters

December 9, 2025 at 12:00 AM

Cybercriminal service growth: four distinct threat clusters are now using CastleLoader, reinforcing evidence that GrayBravo is operating a malware-as-a-service model.

Who is GrayBravo

  • Tracked by Recorded Future's Insikt Group as GrayBravo (formerly designated TAG-150); first seen in early 2025
  • Known for rapid iteration, technical depth, quick reactions to public reporting, and a broad, evolving infrastructure

Tooling and payload delivery

  • Core stack includes CastleRAT and the CastleBot framework (shellcode stager/downloader, loader, and core backdoor)
  • The CastleBot loader injects a core module that reaches C2 to fetch tasks and run DLL, EXE, and PE payloads
  • Payloads observed: DeerStealer, RedLine Stealer, StealC, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and other loaders such as Hijack Loader

Four active clusters tied to CastleLoader

  • Cluster 1 (TAG-160): Phishing and ClickFix against logistics organizations to deploy CastleLoader (active since at least March 2025)
  • Cluster 2 (TAG-161): Booking.com-themed ClickFix campaigns delivering CastleLoader and Matanbuchus 3.0 (active since at least June 2025)
  • Cluster 3: Infrastructure mimics Booking.com; combines ClickFix with Steam Community dead drop pages to deliver CastleRAT via CastleLoader (active since at least March 2025)
  • Cluster 4: Malvertising and fake update lures posing as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT (active since at least April 2025)

Infrastructure at scale

  • Multi-tier setup with Tier 1 victim-facing C2s for CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE
  • Multiple VPS nodes likely acting as backups to maintain resilience

Logistics sector focus and tradecraft

  • TAG-160 uses fraudulent or compromised accounts on freight-matching platforms (DAT Freight & Analytics, Loadlink Technologies) to boost phishing credibility
  • Operations reflect deep logistics domain knowledge: impersonating real firms, exploiting freight marketplaces, and mirroring authentic communications
  • Low-confidence link to a prior, unattributed cluster that targeted North American transportation/logistics last year with multiple malware families

Adoption trend

  • Recorded Future notes accelerated uptake: more threat actors and clusters are adopting CastleLoader as its advanced, adaptive tooling proves effective and spreads across the cybercriminal ecosystem

New delivery technique spotted by Blackpoint

  • Recent campaigns pivot from ZIP + AutoIt to a Python dropper executed via ClickFix
  • The ClickFix command stages a small archive in AppData, then uses a bundled pythonw.exe to run a minimal Python stager that reconstructs and launches CastleLoader
  • Recorded Future attributes this activity to the increasingly active TAG-160 cluster targeting logistics with credible spoofed emails and freight-platform abuse
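As an added example (not code from the report, Recorded Future or Blackpoint), a small detector for the delivery pattern above: a Python interpreter executed from a user's AppData directory, with its script argument also under AppData. The event dict layout and the sample events are constructed assumptions, not real telemetry.

```python
"""Flag Python interpreters launched from user-writable AppData paths.

Hypothetical detection logic. Assumes process-creation events normalised to
dicts with 'image', 'cmdline' and 'parent' keys (e.g. from Sysmon event 1).
"""
import re
from pathlib import PureWindowsPath

PYTHON_BINARIES = {"python.exe", "pythonw.exe"}
# Matches C:\Users\<name>\AppData\... (Local, Roaming or LocalLow)
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def is_user_appdata(path: str) -> bool:
    """True when the path sits under a user's AppData tree."""
    return bool(APPDATA_RE.search(path))


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def assess_event(event: dict) -> list[str]:
    """Return reasons this event resembles the AppData-staged Python dropper."""
    reasons = []
    image = event.get("image", "")
    if PureWindowsPath(image).name.lower() not in PYTHON_BINARIES:
        return reasons  # not a Python interpreter at all
    if is_user_appdata(image):
        reasons.append("python interpreter runs from AppData, not an install dir")
    for arg in tokenize(event.get("cmdline", ""))[1:]:
        if arg.lower().endswith(".py") and is_user_appdata(arg):
            reasons.append(f"script argument under AppData: {arg}")
    return reasons


def suspicious_events(events: list[dict]) -> list[dict]:
    """Keep only events with at least one detection reason attached."""
    hits = []
    for ev in events:
        reasons = assess_event(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry from the campaigns).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\upd\pythonw.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\upd\pythonw.exe" "C:\Users\alice\AppData\Local\Temp\upd\s.py"'},
    {"parent": r"C:\Program Files\Python312\pythonw.exe",
     "image": r"C:\Program Files\Python312\pythonw.exe",
     "cmdline": r'"C:\Program Files\Python312\pythonw.exe" C:\dev\tool\run.py'},
]

if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_EVENTS):
        print(hit["image"], "->", "; ".join(hit["reasons"]))
```

A legitimate per-user Python install can also live under AppData, so treat a hit as a triage lead to be paired with the parent process and the archive drop the text describes, not as a verdict on its own.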

Source: The Hacker News
