
"Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future's Insikt Group, which was previously tracking it as TAG-150. GrayBravo is "characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure," the Mastercard-owned company said in an analysis published today."
"Some of the notable tools in the threat actor's toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor. The CastleBot loader is responsible for injecting the core module, which is equipped to contact its command-and-control (C2) server to retrieve tasks that enable it to download and execute DLL, EXE, and PE (portable executable) payloads."
"Cluster 1 (TAG-160), which targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader (Active since at least March 2025)
Cluster 2 (TAG-161), which uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0 (Active since at least June 2025)
Cluster 3, which uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader (Active since at least March 2025)"
Four distinct threat activity clusters leverage the CastleLoader malware loader, reinforcing an assessment that CastleLoader is offered under a malware-as-a-service model. The threat actor behind CastleLoader is designated GrayBravo and is characterized by rapid development cycles, technical sophistication, and an expansive, evolving infrastructure. Tooling includes CastleRAT and the CastleBot framework, whose loader injects a core module that contacts command-and-control servers to retrieve tasks and download and execute DLL, EXE, and PE payloads. Distributed families include various stealers and RATs. Clusters 1–3 use phishing, ClickFix, Booking.com-themed lures, and Steam Community dead-drop resolvers; Cluster 4 uses different malware techniques.
Read at The Hacker News