GrayBravo’s CastleLoader: Unveiling Four Distinct Cyber Threat Clusters
Recent cybersecurity analyses have identified four unique threat activity clusters utilizing a sophisticated malware loader known as CastleLoader. This development underscores the growing concern that CastleLoader is being offered to various cybercriminals under a malware-as-a-service (MaaS) model.
The entity behind CastleLoader, now designated as GrayBravo by Recorded Future’s Insikt Group (previously tracked as TAG-150), is noted for its rapid development cycles, technical prowess, responsiveness to public disclosures, and an expansive, evolving infrastructure.
GrayBravo’s Arsenal:
GrayBravo’s toolkit includes notable components such as:
– CastleRAT: A remote access trojan capable of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell.
– CastleBot Framework: Comprising three main components:
– Shellcode Stager/Downloader: Initiates the infection chain by downloading the necessary payloads.
– Loader: Injects the core module into the system.
– Core Backdoor: Communicates with command-and-control (C2) servers to receive tasks, enabling the download and execution of various payloads, including DLL, EXE, and PE files.
Through this framework, GrayBravo has distributed multiple malware families, such as DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and other loaders like Hijack Loader.
Identified Threat Clusters:
Recorded Future’s analysis has delineated four distinct clusters of activity, each employing unique tactics:
1. Cluster 1 (TAG-160): Active since at least March 2025, this cluster targets the logistics sector using phishing and ClickFix techniques to disseminate CastleLoader.
2. Cluster 2 (TAG-161): Since June 2025, this group has utilized Booking.com-themed ClickFix campaigns to distribute CastleLoader alongside Matanbuchus 3.0.
3. Cluster 3: Operating since March 2025, this cluster employs infrastructure impersonating Booking.com, combined with ClickFix and Steam Community pages as dead drop resolvers, to deliver CastleRAT via CastleLoader.
4. Cluster 4: Active since April 2025, this group uses malvertising and fake software update lures, masquerading as tools like Zabbix and RVTools, to distribute CastleLoader and NetSupport RAT.
Infrastructure and Tactics:
GrayBravo’s operations are supported by a multi-tiered infrastructure, including:
– Tier 1: Victim-facing C2 servers associated with malware families like CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE.
– Backup VPS Servers: Multiple virtual private servers likely serving as backups to ensure operational continuity.
Notably, TAG-160’s attacks have leveraged fraudulent or compromised accounts on freight-matching platforms such as DAT Freight & Analytics and Loadlink Technologies. This strategy enhances the credibility of phishing campaigns by impersonating legitimate logistics firms and exploiting industry-specific platforms. Such tactics demonstrate a deep understanding of industry operations, allowing attackers to mirror authentic communications and increase the effectiveness of their deceptive campaigns.
There is a low-confidence assessment suggesting a potential link between this activity and another unattributed cluster that targeted transportation and logistics companies in North America the previous year, distributing various malware families.
Implications:
The expansion of GrayBravo’s user base, evidenced by the increasing number of threat actors and operational clusters leveraging CastleLoader, highlights the rapid proliferation of technically advanced and adaptive tools within the cybercriminal ecosystem. This trend underscores the need for heightened vigilance and robust cybersecurity measures to counteract the evolving threat landscape.
