Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.
The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future’s Insikt Group, which was previously tracking it as TAG-150. The malware first emerged in early 2025.
GrayBravo is “characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure,” the Mastercard-owned company said in an analysis published today.
Some of the notable tools in the threat actor’s toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor.
The CastleBot loader is responsible for injecting the core module, which is equipped to contact its command-and-control (C2) server to retrieve tasks that enable it to download and execute DLL, EXE, and PE (portable executable) payloads. Some of the malware families distributed via this framework are DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and even other loaders like Hijack Loader.
Recorded Future’s latest analysis has uncovered four clusters of activity, each operating with distinct tactics –
- Cluster 1 (TAG-160), which targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader (Active since at least March 2025)
- Cluster 2 (TAG-161), which uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0 (Active since at least June 2025)
- Cluster 3, which uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader (Active since at least March 2025)
- Cluster 4, which uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT (Active since at least April 2025)
GrayBravo has been found to leverage a multi-tiered infrastructure to support its operations. This includes Tier 1 victim-facing C2 servers associated with malware families like CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE, as well as multiple VPS servers that likely operate as backups.
The attacks mounted by TAG-160 are also notable for using fraudulent or compromised accounts created on freight-matching platforms like DAT Freight & Analytics and Loadlink Technologies to enhance the credibility of its phishing campaigns. The activity, Recorded Future added, illustrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact.
It’s been assessed with low confidence that the activity could be related to another unattributed cluster that targeted transportation and logistics companies in North America last year to distribute various malware families.
“GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware,” Recorded Future said. “This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective.”
The development comes as Blackpoint detailed a Python dropper-based attack chain that uses ClickFix techniques to distribute the CastleLoader, shifting from earlier campaigns that used a ZIP archive containing AutoIt scripts.
“In this case, the ClickFix command downloaded a small archive and staged its contents inside the user’s AppData directory before invoking a bundled copy of pythonw.exe to execute one of the extracted files,” security researcher Sam Decker said. “That script served as a simple Python stager whose only job was to rebuild and execute a CastleLoader payload.”
In a statement shared with The Hacker News, Recorded Future said the campaign outlined by Blackpoint corresponds to the “increasingly active” TAG-160 cluster. “The actors appear to be highly targeted, possess significant domain knowledge, spoof legitimate logistics-related emails, and exploit freight-matching platforms to engage their targets,” it said.
(The story was updated after publication to include a response from Recorded Future.)
