GrayBravo (formerly TAG-150) operates a malware-as-a-service ecosystem centered on CastleLoader and CastleRAT, supporting multiple customer clusters that employ targeted ClickFix phishing, malvertising, fake updates, and platform impersonation (notably logistics and Booking.com themes). Defensive recommendations include blocking the identified IPs and domains, monitoring unusual use of legitimate internet services (LISs) such as Pastebin and Steam, and deploying the YARA, Snort, and Sigma detection rules to detect current and historical infections. #GrayBravo #CastleLoader
Keypoints
- Insikt Group identified GrayBravo as a rapidly evolving MaaS operator responsible for CastleLoader, CastleRAT, CastleBot, and related tooling, with multi-tiered C2 infrastructure and rapid development cycles.
- Four distinct operational clusters were observed using CastleLoader: TAG-160 (logistics-focused, freight-platform abuse), TAG-161 (Booking.com-themed, delivering CastleLoader and Matanbuchus), a separate Booking.com impersonation cluster using Steam profiles as dead-drop resolvers, and a malvertising/fake-update cluster distributing signed MSI installers.
- CastleRAT exists in C and Python variants using RC4-encrypted custom binary protocols, geolocation via ip-api[.]com, remote shell/command execution, file transfer, and (C variant) credential theft, keylogging, and screen capture.
- TAG-160 leverages ClickFix phishing flows that spoof logistics companies and freight-matching platforms (DAT, Loadlink), including use of re-registered/typosquatted domains and compromised infrastructure to increase legitimacy.
- Cluster 2 (TAG-161) uses Booking.com-themed ClickFix campaigns and novel phishing email management tooling (Redirect and Email Manager / Booking-Mailer panels) and was observed distributing Matanbuchus downloader alongside CastleLoader.
- Mitigations recommended: block IoCs (IPs/domains), deploy Sigma/YARA/Snort rules from the report, monitor data exfiltration and suspicious LIS/third-party services, and use Recorded Future Intelligence Cloud for ongoing monitoring.
MITRE Techniques
- [T1566] Phishing – Used to deliver ClickFix lures and spoofed emails targeting logistics and Booking.com victims. (‘impersonates logistics companies and leverages logistics-themed phishing lures’)
- [T1189] Drive-by Compromise – Employed via malvertising and fake software/update installers to distribute CastleLoader and NetSupport RAT. (‘relies on malvertising campaigns and fake software installers’)
- [T1204.002] User Execution: Malicious File – Attack chains instruct users to execute downloaded payloads (MSI installers, staged executables) as part of ClickFix and fake-update flows. (‘the victim unknowingly executes the command … downloads and extracts a payload archive’)
- [T1204.004] User Execution: Malicious Copy and Paste – ClickFix flows require victims to copy and paste commands or links into a terminal or browser to complete the lure. (‘instructing them to copy and paste the link into a browser if it does not open directly’)
- [T1059.001] PowerShell – PowerShell is used by loaders and CastleRAT variants for execution, sandbox evasion, and self-deletion. (‘tricks users into running a malicious PowerShell command … the Python variant of CastleRAT to delete itself’)
- [T1059.010] AutoHotKey & AutoIT – Auto-execution/scripting frameworks observed in delivery and execution chains to run payloads and bypass controls. (‘repeatedly spawns new PowerShell processes to add Windows Defender exclusions … UAC prompt flooding loop’)
- [T1583.001] Acquire Infrastructure: Domains – Threat actors register typosquatted, re-registered, and impersonating domains for phishing and C2 hosting. (‘re-registered domains previously associated with legitimate logistics companies’)
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Use of hosting providers and newly announced ASNs to host malicious panels and C2 infrastructure was observed. (‘operators likely acquired these IP addresses around the same time … assigned sequentially by the hosting provider’)
- [T1583.004] Acquire Infrastructure: Server – Multi-tiered C2 servers (Tier 1–4) and adjacent IP allocations used for redundancy and backup C2s. (‘Tier 1 victim-facing C2 servers … Tier 2, Tier 3, and Tier 4 servers, the latter of which are likely used for backup purposes’)
- [T1650] Resource Development: Acquire Access – Leveraging compromised legitimate accounts (email, freight platforms) to send phishing or create fraudulent listings on DAT and Loadlink. (‘compromised legitimate email accounts … compromised accounts on DAT Freight & Analytics and Loadlink’)
- [T1588.002] Obtain Capabilities: Tool – Use and resale/rental of third-party MaaS tools (Matanbuchus, LummaC2) and custom loaders indicate procurement of capabilities. (‘Matanbuchus 3.0 as a monthly rental service … offered by BelialDemon’)
- [T1586.002] Compromise Accounts: Email Accounts – Threat actors used compromised or burner SMTP accounts to send phishing at scale via mailbox credentials embedded in mailing panels. (‘the rambler email address … appeared within the page’s SMTP configuration with associated credentials’)
- [T1036] Masquerading – Impersonation of logistics firms, Booking.com, DocuSign logos, and legitimate software to increase lure credibility. (‘incorporating the DocuSign logo … impersonates Booking.com’)
- [T1090.002] Proxy: External Proxy – Use of proxy IPs and high-port proxy pools within mailing tools to route campaign traffic and obscure origins. (‘the DOM of the website found a range of proxy servers with varying high ports’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and payload retrieval over HTTP/HTTPS, Cloudflare fronting, and web-based dead drops (Steam profiles) for C2 resolution. (‘CastleLoader payload … reaches out to its C2 domain resolved through a Steam Community profile’)
- [T1105] Ingress Tool Transfer – Stagers and loaders retrieve secondary payloads and installers from remote hosts, GitHub repositories, and legitimate file-sharing subdomains. (‘loader subsequently retrieved three intermediate payloads from the legitimate subdomain files-accl.zohoexternal.com’)
- [T1005] Data from Local System – CastleRAT collects local data including browser credentials, keylogging, clipboard content, and arbitrary file exfiltration. (‘browser credential theft, keylogging, and screen capture functionality’)
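Two of the behaviours mapped above lend themselves to simple host-side detection: a non-browser process resolving its C2 through a Steam Community profile (T1071.001), and a parent process repeatedly spawning PowerShell to add Windows Defender exclusions (T1059.001/T1059.010). The following is an added example, not code from the Insikt Group report; the event field names, the process names treated as expected Steam/Pastebin clients, and the sample telemetry are all constructed for illustration.

```python
"""Added example: flag two GrayBravo-style behaviours in constructed endpoint telemetry."""
from collections import defaultdict

# Processes for which a steamcommunity.com or pastebin.com fetch is expected (assumption).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "steam.exe", "steamwebhelper.exe"}
DEAD_DROP_HOSTS = ("steamcommunity.com", "pastebin.com")


def flag_dead_drop_lookups(net_events):
    """Return (process, url) pairs where a non-browser process fetched a dead-drop host.
    Each event is a dict with 'process', 'host' and 'path' (constructed schema)."""
    hits = []
    for ev in net_events:
        if ev["host"] in DEAD_DROP_HOSTS and ev["process"].lower() not in EXPECTED_CLIENTS:
            hits.append((ev["process"], ev["host"] + ev["path"]))
    return hits


def flag_exclusion_spam(proc_events, threshold=3, window_s=60):
    """Return parent PIDs that spawned >= threshold PowerShell Add-MpPreference exclusion
    commands within window_s seconds. Events: dicts with 'ts', 'parent_pid', 'image', 'cmdline'."""
    spawns = defaultdict(list)
    for ev in proc_events:
        cmd = ev["cmdline"].lower()
        if ev["image"].lower() == "powershell.exe" and "add-mppreference" in cmd and "-exclusion" in cmd:
            spawns[ev["parent_pid"]].append(ev["ts"])
    flagged = []
    for ppid, times in spawns.items():
        times.sort()
        # Sliding window: any `threshold` consecutive spawns inside `window_s` is enough.
        if any(times[i + threshold - 1] - times[i] <= window_s for i in range(len(times) - threshold + 1)):
            flagged.append(ppid)
    return flagged


# Constructed sample telemetry (not from the report).
SAMPLE_NET = [
    {"process": "chrome.exe", "host": "steamcommunity.com", "path": "/id/some-gamer"},
    {"process": "update.exe", "host": "steamcommunity.com", "path": "/id/EXAMPLE_DEADDROP_PROFILE"},
    {"process": "outlook.exe", "host": "outlook.office.com", "path": "/mail/"},
]
SAMPLE_PROC = [
    {"ts": 100, "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"ts": 104, "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell -w hidden Add-MpPreference -ExclusionPath C:\\ProgramData"},
    {"ts": 109, "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell -w hidden Add-MpPreference -ExclusionProcess update.exe"},
    {"ts": 500, "parent_pid": 7001, "image": "powershell.exe", "cmdline": "powershell Get-MpPreference"},
]

if __name__ == "__main__":
    print(flag_dead_drop_lookups(SAMPLE_NET))
    print(flag_exclusion_spam(SAMPLE_PROC))
```

The first rule deliberately ignores browsers and the Steam client itself so that ordinary Steam traffic does not alert; tune EXPECTED_CLIENTS and the threshold to the environment before deploying.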
Indicators of Compromise
- [IP Address] CastleRAT/Loader C2 and infrastructure – 104[.]225[.]129[.]171, 144[.]208[.]126[.]50, and many other C2 IPs listed in Appendix H (dozens more IPs recorded)
- [Domain] CastleLoader/C2, cluster and lure domains – programsbookss[.]com, oldspicenotsogood[.]shop, and 100+ additional malicious/impersonation domains referenced in Appendices A–G
- [File Hash] Artifact hashes for delivered payloads – newtag.zip SHA256: d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec (contains WinGup + malicious libcurl.dll), and additional YARA-listed hashes in Appendix L (several hashes)
- [File Name] Delivered payloads and installers – newtag.zip, libcurl.dll (DonutLoader), update.exe / signed MSI installers used in fake-update and GitHub distribution campaigns (multiple installer names observed)
- [Email Address] Phishing senders and spoofed accounts – no-reply[@]englandlogistics[.]com (spoofed), maritza.rmlogisticsol[@]gmail[.]com (Gmail used for impersonation), plus burner and compromised SMTP accounts found in mailing panels
- [Steam Community URL] Dead-drop resolvers used for dynamic C2 – hxxps://steamcommunity[.]com/id/krouvhsin34287f7h3 and other Steam profiles that resolve to C2 domains (multiple Steam profiles listed)