A new malware campaign using a Python-based delivery chain to deploy the emerging CastleLoader family has been discovered by cybersecurity researchers.
According to Blackpoint, the activity revolves around the use of ClickFix social engineering prompts that convince users to open the Windows Run dialog and execute a command that appears to be part of a harmless verification step.
That single action initiates a multi-stage sequence that quietly downloads, decrypts and runs an attacker-controlled payload in memory.
What’s new in this new campaign is the replacement of earlier AutoIt droppers with a compact Python loader. According to the researchers, the ClickFix command launches a hidden conhost.exe process that uses built-in Windows tools to fetch a small tar archive, unpack it into AppData and run a windowless Python interpreter.
The bundled interpreter executes a compiled Python bytecode file that reconstructs and decrypts CastleLoader shellcode entirely in memory. Long used by this malware family, this technique avoids placing a traditional executable on disk.
The shellcode that follows retrieves the final stage using the hardcoded GoogeBot user agent and a staging path consistent with prior CastleLoader operations.
It then applies PEB Walking – a technique that scans the Process Environment Block (PEB) to locate loaded modules and resolve function addresses without using normal imports – to resolve required APIs at runtime and decrypts the downloaded payload using the first 16 bytes as an XOR key before running it directly in memory.
Read more on ClickFix-based campaigns: ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
Blackpoint linked the activity to CastleLoader based on overlapping network markers and loader behavior.
The GoogeBot user agent has appeared repeatedly in 2025 CastleLoader traffic and the /service/download/ path mirrors previous staging infrastructure.
The malware’s reliance on hashed DLL names, hashed API identifiers and PEB Walking also aligns with earlier samples (though this variant swaps AutoIt stagers for a Python script).
Blackpoint highlighted several steps organizations can take to limit exposure:
-
Educate users about ClickFix lures that instruct them to run verification commands
-
Restrict access to the Run dialog for users who do not require it
-
Limit cmd.exe, PowerShell and Python access where operationally unnecessary
-
Monitor for unusual LOLBin sequences involving conhost.exe, cmd.exe or pythonw.exe
-
Track DNS activity for suspicious or newly registered domains
-
Watch for Python binaries executed from atypical locations, such as AppData
The company concluded that although the final payload was unavailable for analysis, every observed stage aligned with CastleLoader’s established methods.
