Multiple threat activity clusters are exploiting CastleLoader malware under a malware-as-a-service model, with GrayBravo being the primary actor. These groups employ diverse tactics, including phishing, malvertising, and infrastructure impersonation, to target sectors like logistics and transport. #GrayBravo #CastleLoader #CastleRAT #MaaS
Key points
- GrayBravo operates through four distinct activity clusters using CastleLoader malware.
- The threat actor employs various tools such as CastleRAT and CastleBot to carry out attacks.
- The clusters target specific industries like logistics, using tactics such as phishing and fake software updates.
- GrayBravo’s infrastructure includes multiple C2 servers and VPS backups to support operations.
- The actor’s sophisticated tactics include impersonating legitimate companies and exploiting freight platforms.
Read More: https://thehackernews.com/2025/12/four-threat-clusters-using-castleloader.html