win.castleloader

CASTLELOADER


CastleLoader payloads are distributed as portable executables containing embedded shellcode. The shellcode invokes the loader's main module, which in turn connects to the C2 server to fetch and execute the next-stage malware.

References
2026-02-11 | Bitdefender | Bogdan Ionut Lazar, Janos Gergo Szeles, Manuel Dragomir
LummaStealer Is Getting a Second Life Alongside CastleLoader
CASTLELOADER Lumma Stealer
2025-12-09 | BlackPoint | Sam Decker
Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery
CASTLELOADER
2025-07-23 | Catalyst | Catalyst
Understanding Current CastleLoader Campaigns
CASTLELOADER

There is no Yara-Signature yet.