Researchers have now identified four distinct threat activity clusters associated with the malware loader CastleLoader, bolstering previous estimates that the tool was being supplied to multiple cybercriminal groups through a malware-as-a-service model. In this, the operator of this ecosystem has been dubbed GrayBravo by Recorded Future’s Insikt Group, which had previously tracked the same actor under the identifier TAG-150.
CastleLoader emerged in early 2025 and has since evolved into a dynamically developing malware distribution apparatus. Recorded Future’s latest analysis underscores GrayBravo’s technical sophistication, the ability to promptly adapt operations after public reporting, and the growing infrastructure currently supporting multiple threat campaigns.
GrayBravo’s toolkit consists of several components, including a remote access trojan dubbed CastleRAT and a modular malware framework named CastleBot. CastleBot is composed of three interconnected main elements: a shellcode stager, a loader, and a core backdoor. The loader injects the backdoor into memory, following which the malware communicates with command-and-control servers to receive instructions. These further enable downloading and executing a variety of payloads in the form of DLL, EXE, and PE files. CastleLoader has been used to distribute various well-known malware families, including RedLine Stealer, StealC, DeerStealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and other loaders, such as Hijack Loader, which demonstrates how well the C
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: