Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure
Summary:
Insikt Group has rebranded the technically sophisticated threat actor TAG-150 as GrayBravo, confirming its operation of a Malware-as-a-Service (MaaS) ecosystem centered around the custom malware families CastleLoader, CastleBot, and the newly discovered CastleRAT (a remote access trojan with C and Python variants). GrayBravo exhibits rapid development, extensive multi-tiered infrastructure, and high adaptability. The assessment of a MaaS model is reinforced by the identification of four distinct activity clusters, believed to be potential customers or affiliates, all utilizing CastleLoader but employing unique tactics and targeting.
Key Activity Clusters
- TAG-160 (Logistics Focus): This cluster is highly targeted, impersonating logistics companies like England Logistics using typosquatted domains and spoofed emails. It uses the ClickFix social engineering technique to deliver CastleLoader and other payloads and has been observed exploiting compromised infrastructure and maintaining fraudulent accounts on freight-matching platforms (DAT and Loadlink) to enhance credibility and gather intelligence.
- TAG-161: This cluster uses Booking[.]com-themed ClickFix lures to deliver CastleLoader alongside the Matanbuchus downloader MaaS. This cluster primarily relies on threat-actor-controlled infrastructure and utilizes previously unseen, dedicated Phishing Email Management Tooling hosted across specific Autonomous Systems linked to the BEARHOST bulletproof hosting network.
Security Officer Comments:
GrayBravo exhibits a mature and robust technical foundation centered on its custom malware and multi-layered infrastructure. The core malware, CastleRAT, is a sophisticated Remote Access Trojan that uses a custom, RC4-encrypted binary protocol for communication, with its C variant including credential theft and keylogging capabilities. Analysis reveals a redundancy strategy in its C2 operations, where compromised hosts connect simultaneously to multiple C2 servers all linked by the same hard-coded RC4 keys, signifying a highly coordinated and resilient operational model. This infrastructure is extensive (Tier 1 to Tier 4) and overlaps with other malicious activity, evidenced by CastleLoader C2 domains also being associated with brand impersonation and hosting different threats like the LummaC2 infostealer, which strongly reinforces the assessment that GrayBravo operates a widespread Malware-as-a-Service (MaaS) ecosystem.
Suggested Corrections:
- Block IoCs and Restrict LISs: Immediately block all known IP addresses and domains associated with CastleLoader and CastleRAT, and implement network controls to flag or restrict connections to unusual legitimate internet services (LISs), such as Pastebin, which are often abused for C2.
- Enforce Email and ClickFix Defense: Deploy advanced email filtering to block messages using typosquatted domains and specifically those employing the ClickFix technique, which leads to the execution of malware.
- Prioritize Castle Malware Detection: Deploy updated YARA/Snort/Sigma rules for the custom malware families, particularly CastleRAT and its RC4-encrypted binary protocol, to detect infections that bypass traditional signature-based security.
- Monitor for Compromised Platforms: Monitor for and audit suspicious activity on legitimate platforms, as compromised accounts are used by affiliates to launch highly credible, targeted spearphishing campaigns.
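The report's observation that multiple C2 servers share the same hard-coded RC4 keys is also a detection lever: one key recovered from a sample can be used to decrypt captured payloads and link every destination that decrypts cleanly. The following is an added illustration of that check, not code from Insikt Group or the article; the key, host names and payloads are constructed placeholders, and the real CastleRAT message format is not on the page and is not modelled.

```python
from collections import defaultdict

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_plaintext(blob: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: the right key yields mostly printable ASCII, a wrong key yields noise."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(blob) >= threshold

def correlate_c2_by_key(key: bytes, flows):
    """Group destination hosts whose payloads decrypt to readable text under one key.
    flows: iterable of (dst_host, payload_bytes). Returns {dst_host: [plaintext, ...]}."""
    hits = defaultdict(list)
    for dst, payload in flows:
        plain = rc4(key, payload)
        if looks_like_plaintext(plain):
            hits[dst].append(plain)
    return dict(hits)

# Constructed sample (placeholder key, not a real CastleRAT key): two destinations
# share the key, mirroring the redundancy pattern in the report; the third is unrelated.
PLACEHOLDER_KEY = b"example-rc4-key-not-real"
SAMPLE_FLOWS = [
    ("c2-a.example", rc4(PLACEHOLDER_KEY, b"BEACON|host=WS01|user=alice")),
    ("c2-b.example", rc4(PLACEHOLDER_KEY, b"TASK|id=7|status=ok")),
    ("other.example", bytes(range(0x80, 0xA0))),  # opaque bytes, no shared key
]

if __name__ == "__main__":
    for host, msgs in correlate_c2_by_key(PLACEHOLDER_KEY, SAMPLE_FLOWS).items():
        print(host, [m.decode() for m in msgs])
```

Hosts that cluster under one key are candidates for the same blocklist entry and the same Snort/YARA signature work, even when their IP addresses and domains do not otherwise overlap.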
Link(s):
https://thehackernews.com/2025/12/four-threat-clusters-using-castleloader.html