
Four different clusters of threat activity have been observed utilizing a malware loader known as CastleLoader, reinforcing previous assessments that this tool is being made available to other threat actors under a malware-as-a-service (MaaS) model.
The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future’s Insikt Group, which previously tracked it as TAG-150.
GrayBravo is “characterized by rapid development cycles, technological sophistication, responsiveness to public reporting, and an expansive and evolving infrastructure,” the Mastercard-owned company said in an analysis released today.

Notable tools in the threat actor's toolset include a remote access Trojan called CastleRAT and a malware framework called CastleBot. CastleBot consists of three components: a shellcode stager/downloader, a loader, and a core backdoor.
The CastleBot loader is responsible for injecting the core module, which connects to a command-and-control (C2) server and retrieves tasks that allow DLL, EXE, and other portable executable (PE) payloads to be downloaded and executed. Other malware families distributed through this framework include DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and even Hijack Loader.

Recorded Future’s latest analysis reveals four clusters of activity, each operating with different tactics.
Cluster 1 (TAG-160) targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader (active since at least March 2025).
Cluster 2 (TAG-161) uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0 (active since at least June 2025).
Cluster 3 uses Booking.com-impersonating ClickFix infrastructure and a Steam Community page acting as a dead drop resolver to distribute CastleRAT via CastleLoader (active since at least March 2025).
Cluster 4 uses malvertising and fake software update lures posing as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT (active since at least April 2025).
Recorded Future also found that GrayBravo relies on a multi-layered infrastructure to support its operations. This includes Tier 1 victim-facing C2 servers associated with malware families such as CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE, as well as multiple VPS servers that likely serve as backups.

Attacks launched by TAG-160 are also noted for using fraudulent or compromised accounts on freight matching platforms such as DAT Freight & Analytics and Loadlink Technologies to lend credibility to phishing campaigns. Recorded Future added that this activity demonstrates a deep understanding of industry operations: impersonating legitimate logistics companies, abusing freight matching platforms, and mirroring genuine communications to make the deception more convincing.
We assess with low confidence that this activity may be related to another unexplained cluster that targeted transportation and logistics companies in North America last year to distribute various malware families.
Recorded Future said, “GrayBravo has significantly expanded its user base, as evidenced by the increasing number of attackers and operational clusters leveraging its CastleLoader malware.” “This trend highlights that technologically advanced and adaptive tools, especially those from threat actors with GrayBravo’s reputation, can rapidly proliferate within the cybercrime ecosystem if they prove effective.”
