CASTLELOADER (Malware Family)

CASTLELOADER

CastleLoader payloads are distributed as portable executables containing an embedded shellcode, which then invokes the main module of the loader that, in turn, connects to the C2 server in order to fetch and execute the next-stage malware.

References

2026-03-10 ⋅ Check Point Research ⋅ Check Point Research
Iranian MOIS Actors & the Cyber Crime Connection
Qilin Tsundere CASTLELOADER Rhadamanthys

2026-02-11 ⋅ Bitdefender ⋅ Bogdan Ionut Lazar, Janos Gergo Szeles, Manuel Dragomir
LummaStealer Is Getting a Second Life Alongside CastleLoader
CASTLELOADER Lumma Stealer

2026-02-02 ⋅ ANY.RUN ⋅ ANY.RUN
CastleLoader: Malware Overview
CASTLELOADER

2026-01-13 ⋅ ANY.RUN ⋅ ANY.RUN
CastleLoader Analysis: A Deep Dive into Stealthy Loader Targeting Government Sector
CASTLELOADER

2025-12-09 ⋅ BlackPoint ⋅ Sam Decker
Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery
CASTLELOADER

2025-12-09 ⋅ Recorded Future ⋅ Insikt Group
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries
CASTLELOADER Matanbuchus NightshadeC2 GrayBravo

2025-08-08 ⋅ PolySwarm Tech Team ⋅ The Hivemind
CastleLoader
CASTLELOADER

2025-08-06 ⋅ IBM X-Force ⋅ Golo Mühr
Dissecting the CastleBot Malware-as-a-Service operation
CASTLELOADER NightshadeC2

2025-07-24 ⋅ Cypro ⋅ Christian Yng
CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing
CASTLELOADER

2025-07-23 ⋅ Catalyst ⋅ Catalyst
Understanding Current CastleLoader Campaigns
CASTLELOADER

There is no Yara-Signature yet.

CASTLELOADER Propose Change

References

CASTLELOADER