ANY.RUN performed a full dynamic and static analysis of CastleLoader, revealing a multi-stage delivery chain (Inno Setup → AutoIt → process hollowing into jsc.exe) that injects a payload existing only in memory as a PE image, used to deliver information stealers and RATs against government and critical infrastructure targets. The report includes an automated parser to extract configuration strings, published IOCs (including the C2 94[.]159[.]113[.]32 and file hashes), and a YARA rule to detect CastleLoader activity. #CastleLoader #ANY.RUN
Key points
- CastleLoader is a stealthy first-stage loader observed in campaigns targeting government entities and multiple industries, spreading via social engineering (ClickFix) and installers.
- The malware uses a multi-stage chain—Inno Setup installer → obfuscated AutoIt script (freely.a3x) → process hollowing into jsc.exe—to execute the final payload in memory only.
- Process hollowing into jsc.exe avoids typical NtUnmapViewOfSection steps, reducing visibility to EDR and process-monitoring tools while preserving normal loader behavior.
- ANY.RUN extracted and decrypted the loader’s runtime configuration (C2, User-Agent, Mutex, endpoints) using a custom parser that automates XOR-based string decoding from a memory dump.
- Extracted IOCs include C2 94[.]159[.]113[.]32, the URL http://94[.]159[.]113[.]32/service, specific file hashes for the installer, AutoIt bundle, and payload, plus a YARA rule for detection.
- The analysis demonstrates that static signatures and simple behavioral heuristics are ineffective against this execution model, highlighting the need for real-time sandbox-derived threat intelligence.
MITRE Techniques
- [T1059.010] AutoIt – Execution via an AutoIt script used as an intermediate stage to prepare the environment and hand over control (‘AutoIt3.exe and the compiled script freely.a3x’).
- [T1027.002] Software Packing – Multi-stage delivery and packing using an Inno Setup installer as a container to conceal components (‘The original Inno Setup installer turned out to be a container’).
- [T1055.012] Process Hollowing – Injecting a PE image into a suspended jsc.exe process and replacing the PEB ImageBaseAddress to transfer execution (‘a PE file is injected into the jsc.exe process’).
- [T1106] Native API – Dynamic API resolution by hashing export names and resolving required WinAPI calls at runtime (‘each exported character goes through an embedded hash function … the function resolves the required APIs by hash’).
- [T1140] Deobfuscate/Decode Files or Information – Runtime XOR-based decryption of configuration strings (C2, User-Agent, Mutex) stored as UTF-16LE DWORDs on the stack (‘XOR decoding of configuration strings with a cyclic key at the stack’).
- [T1082] System Information Discovery – Gathering host details used in configuration and telemetry (e.g., windows_version, machine_id, computer name) (‘E33F4C: windows_version E3417F: machine_id’).
- [T1071.001] Web Protocols – Command-and-control over HTTP to a hardcoded service endpoint (‘http://94[.]159[.]113[.]32/service’).
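As an added example (not ANY.RUN's own parser), the following Python reproduces the decoding step behind the configuration extraction described in the key points and in T1140 above: UTF-16LE strings XORed with a short cyclic key. The 4-byte key, the DWORD-aligned NUL-terminated layout and the blob itself are constructed for this demo; the strings placed inside it are the mutex, User-Agent values and C2 URL quoted in the IOCs. It goes one step beyond the summary by recovering the key from a known-plaintext crib (the UTF-16LE "http://" prefix of the C2 URL) before decoding, which is how an analyst handles a memory region where the key is not yet known.

```python
"""
Cyclic-XOR configuration decoder in the style of the CastleLoader analysis.
Added example, not the report's parser. Key, layout and blob are constructed.
"""
import string
from typing import List, Optional

# Constructed 4-byte key; the real loader's key is not given on the page.
DEMO_KEY = b"\x5a\xc3\x19\x7e"

# Strings taken from the published IOCs (C2 kept defanged as on the page).
DEMO_CONFIG = [
    "N3sBJNQKOyBSqzOgQSQVf9",             # mutex
    "gM7dczM61ejubNuJljRx",               # User-Agent token
    "http://94[.]159[.]113[.]32/service",  # C2 endpoint
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
]

_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key byte at the same position modulo len(key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_blob(strings: List[str], key: bytes) -> bytes:
    """Lay strings out as NUL-terminated UTF-16LE in DWORD-aligned slots, then encrypt.
    This layout is an assumption standing in for the loader's stack buffer."""
    plain = b""
    for s in strings:
        unit = s.encode("utf-16-le") + b"\x00\x00"
        unit += b"\x00" * (-len(unit) % 4)
        plain += unit
    return xor_cyclic(plain, key)


def extract_utf16(blob: bytes, min_len: int = 6) -> List[str]:
    """Collect runs of printable ASCII code units read as UTF-16LE; a NUL or
    non-printable unit ends the current run."""
    found, run = [], []
    for i in range(0, len(blob) - 1, 2):
        unit = blob[i] | (blob[i + 1] << 8)
        if unit < 0x80 and chr(unit) in _PRINTABLE:
            run.append(chr(unit))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def _text_ratio(decoded: bytes) -> float:
    """Fraction of code units that fall inside recovered printable strings."""
    units = max(1, len(decoded) // 2)
    return sum(len(s) for s in extract_utf16(decoded)) / units


def recover_key(blob: bytes, key_len: int, crib: str = "http://") -> Optional[bytes]:
    """Known-plaintext recovery of a cyclic XOR key: slide the UTF-16LE crib
    across the blob, derive the key bytes each offset implies, and keep the
    self-consistent candidate whose full decode looks most like text."""
    crib_bytes = crib.encode("utf-16-le")
    best, best_ratio = None, 0.0
    for off in range(len(blob) - len(crib_bytes) + 1):
        slots: List[Optional[int]] = [None] * key_len
        for j, c in enumerate(crib_bytes):
            k = blob[off + j] ^ c
            s = (off + j) % key_len
            if slots[s] is None:
                slots[s] = k
            elif slots[s] != k:
                break  # crib contradicts itself at this offset
        else:
            if None in slots:
                continue  # crib too short to cover every key byte
            cand = bytes(slots)  # type: ignore[arg-type]
            ratio = _text_ratio(xor_cyclic(blob, cand))
            if ratio > best_ratio:
                best, best_ratio = cand, ratio
    return best if best_ratio >= 0.5 else None


def decode_config(blob: bytes, key_len: int = 4) -> dict:
    """Recover the key, decrypt the blob and return the configuration strings."""
    key = recover_key(blob, key_len)
    if key is None:
        return {"key": None, "strings": []}
    return {"key": key.hex(), "strings": extract_utf16(xor_cyclic(blob, key))}


if __name__ == "__main__":
    demo_blob = build_blob(DEMO_CONFIG, DEMO_KEY)
    result = decode_config(demo_blob)
    print("recovered key:", result["key"])
    for line in result["strings"]:
        print(line)
```

Against a real dump, slice the region holding the configuration, pass it as `blob`, and adjust `key_len` to the key width seen in the decryption loop; the crib only needs to be any plaintext fragment you are confident is present, and the text-ratio check rejects offsets where the crib matches by coincidence.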
Indicators of Compromise
- [File Hashes] Analyzed sample SHA256s – DFAF277D54C1B1CF5A3AF80783ED878CAC152FF2C52DBF17FB05A7795FE29E79 (payload.exe), 8B7C1657F4D5CF0CC82D68C1F1A385ADF0DE27D46FC544BBA249698E6B427856 (installer), and 1 more hash
- [File Names] Delivered components extracted from installer – 8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856.exe (Inno Setup Installer), payload.exe (CastleLoader Core Module)
- [IP Address] C2 server – 94[.]159[.]113[.]32
- [URL] HTTP C2 endpoint – http://94[.]159[.]113[.]32/service
- [Mutex] Runtime synchronization identifier used by the loader – N3sBJNQKOyBSqzOgQSQVf9
- [User-Agent] Network fingerprints seen in configuration – gM7dczM61ejubNuJljRx, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
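The indicators above, combined with the execution chain from the key points (installer → AutoIt3.exe running freely.a3x → jsc.exe), can be turned into event-matching logic. This is an added example, not part of the ANY.RUN report: the event records are constructed in a Sysmon-like shape with assumed field names (type, image, parent_image, command_line, sha256, dest_ip, host, path, user_agent), and the values checked come only from the page. The C2 address is refanged in the constants because telemetry carries the real dotted form.

```python
"""
Match published CastleLoader IOCs and its execution chain against host and
proxy telemetry. Added example; events and field names are constructed.
"""
from typing import Dict, List

C2_IP = "94.159.113.32"            # page lists it defanged as 94[.]159[.]113[.]32
C2_URL_PATH = "/service"
UA_TOKENS = {"gM7dczM61ejubNuJljRx"}  # the Chrome UA is too generic to alert on alone
SHA256_IOCS = {
    "dfaf277d54c1b1cf5a3af80783ed878cac152ff2c52dbf17fb05a7795fe29e79",  # payload.exe
    "8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856",  # installer
}

# Constructed sample telemetry (paths and user names are made up).
DEMO_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create",
     "image": r"C:\Users\alice\Downloads\8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856.exe",
     "sha256": "8B7C1657F4D5CF0CC82D68C1F1A385ADF0DE27D46FC544BBA249698E6B427856"},
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup\AutoIt3.exe",
     "parent_image": r"C:\Users\alice\Downloads\8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\setup\AutoIt3.exe" freely.a3x'},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\setup\AutoIt3.exe",
     "command_line": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"},
    {"type": "network_connect",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe",
     "dest_ip": "94.159.113.32", "dest_port": "80"},
    {"type": "http", "host": "94.159.113.32", "path": "/service",
     "user_agent": "gM7dczM61ejubNuJljRx"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"type": "http", "host": "example.com", "path": "/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"},
]


def _basename(path: str) -> str:
    """Last path component, tolerant of both separator styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of findings a single event triggers (empty if benign)."""
    findings: List[str] = []
    kind = ev.get("type")
    if kind == "process_create":
        image = _basename(ev.get("image", "")).lower()
        parent = _basename(ev.get("parent_image", "")).lower()
        cmdline = ev.get("command_line", "").lower()
        # jsc.exe is the hollowing target; it has no reason to be a child of AutoIt3.exe.
        if image == "jsc.exe" and parent == "autoit3.exe":
            findings.append("jsc.exe started by AutoIt3.exe (process hollowing target)")
        if "freely.a3x" in cmdline:
            findings.append("AutoIt stage freely.a3x on the command line")
        if ev.get("sha256", "").lower() in SHA256_IOCS:
            findings.append("image hash matches a published CastleLoader sample")
    elif kind == "network_connect":
        if ev.get("dest_ip") == C2_IP:
            findings.append("connection to published C2 address")
    elif kind == "http":
        if ev.get("host") == C2_IP and ev.get("path", "").startswith(C2_URL_PATH):
            findings.append("request to published C2 endpoint /service")
        if ev.get("user_agent") in UA_TOKENS:
            findings.append("User-Agent matches loader configuration token")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through check_event and collect hits with their index."""
    hits: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for finding in check_event(ev):
            hits.append({"event": idx, "finding": finding})
    return hits


if __name__ == "__main__":
    for hit in scan(DEMO_EVENTS):
        print(f"event {hit['event']}: {hit['finding']}")
```

The hash, address and URL checks will stop matching as soon as the operators rebuild or move infrastructure; the parent-child rule (jsc.exe under AutoIt3.exe) and the freely.a3x argument track the execution model itself and are the parts worth keeping as a behavioural detection.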
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/castleloader-malware-analysis/