Recent research has revealed the existence of four distinct threat activity groups that are leveraging a malware loader known as CastleLoader. This evidence reinforces the earlier assessment that the tool is offered to other cybercriminals under a malware-as-a-service (MaaS) model.

The threat actor behind CastleLoader has been identified by Recorded Future’s Insikt Group as GrayBravo, previously tracked as TAG-150.

GrayBravo’s Profile

GrayBravo is a threat actor characterized by:

  • Rapid development cycles.
  • Technical sophistication.
  • Responsiveness to public reports.
  • An expansive and constantly evolving infrastructure.

Tools and Frameworks

GrayBravo’s toolset includes several key pieces of malware:

  • CastleRAT: A remote access trojan (RAT).
  • CastleBot: A malware framework consisting of three components: a shellcode stager/downloader, a loader, and a central backdoor.

The CastleBot loader is responsible for injecting the core module, which communicates with its command and control (C2) server to retrieve tasks. This allows the framework to download and execute DLL, EXE and other PE-format payloads.

Malware Distributed by CastleLoader

Through this framework, numerous malware families have been distributed, including:

  • DeerStealer
  • RedLine Stealer
  • StealC Stealer
  • NetSupport RAT
  • SectopRAT
  • MonsterV2
  • WARMCOOKIE
  • Other loaders, such as Hijack Loader

Four Activity Clusters Identified

Recorded Future’s most recent analysis has uncovered four distinct clusters of activity operating with specific tactics to distribute CastleLoader:

  1. Cluster 1 (TAG-160): Attacks the logistics sector using phishing and ClickFix techniques to distribute CastleLoader. This cluster has been active since at least March 2025.
  2. Cluster 2 (TAG-161): Uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0. Active since at least June 2025.
  3. Cluster 3: Employs infrastructure that impersonates Booking.com along with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. Active since at least March 2025.
  4. Cluster 4: Uses malvertising and fake software update lures impersonating Zabbix and RVTools to distribute CastleLoader and NetSupport RAT. Active since at least April 2025.

Sophistication in Attacks on the Logistics Sector

The TAG-160 cluster attacks are particularly notable for their sophistication. They use fraudulent or compromised accounts created on freight-matching platforms such as DAT Freight & Analytics and Loadlink Technologies to increase the credibility of their phishing campaigns.

This activity demonstrates deep knowledge of industry operations, impersonating legitimate logistics companies, exploiting freight-matching platforms, and replicating authentic communications to enhance the effectiveness of their deceptions.

Conclusions

GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters using its CastleLoader malware. This trend highlights how technically advanced and adaptable tools, especially from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once they prove effective.