CastleLoader Activity Clusters Target Multiple Industries

Severity: Medium
Published: Tue Dec 09 2025 (12/09/2025, 05:39:34 UTC)
Source: AlienVault OTX General

Description

GrayBravo operates a malware-as-a-service model distributing CastleLoader malware through multiple distinct activity clusters targeting various industries. These clusters use phishing campaigns impersonating logistics firms and Booking.com, leveraging the ClickFix technique to deliver malware. The threat actor demonstrates rapid evolution and technical sophistication, adapting quickly to public exposure. While no known exploits in the wild are reported, the malware's distribution methods and impersonation tactics pose significant risks to confidentiality and operational integrity. European organizations in logistics, travel, and e-commerce sectors are particularly at risk due to targeted impersonations. Mitigation requires tailored phishing defenses, enhanced email filtering, user training focused on specific lures, and monitoring for CastleLoader indicators. Countries with significant logistics and travel industries, such as Germany, the UK, France, and the Netherlands, are most likely affected. The threat is assessed as medium severity given its phishing-based delivery, lack of known exploits, and targeted scope.

AI-Powered Analysis

Last updated: 12/09/2025, 12:58:01 UTC

Technical Analysis

The GrayBravo threat actor group operates a malware-as-a-service (MaaS) model centered around CastleLoader, a sophisticated malware family. Insikt Group has identified four distinct activity clusters linked to GrayBravo, each with unique tactics and victim profiles, indicating a modular and adaptable operation. Two notable clusters, TAG-160 and TAG-161, impersonate logistics companies and Booking.com respectively, using phishing campaigns that employ the ClickFix technique to distribute CastleLoader. ClickFix involves embedding malicious payloads or links within seemingly legitimate communications to bypass traditional security filters. The malware itself is part of a broader ecosystem including CastleRAT, CastleBot, and other tools, suggesting a comprehensive toolkit supporting various attack stages. GrayBravo’s rapid evolution and adaptability allow it to modify tactics in response to public exposure, increasing its resilience. Although no known exploits are currently reported in the wild, the phishing-based infection vector and impersonation of trusted brands increase the likelihood of successful compromise. The threat actor’s ties to the online persona “Sparja” and the wider cybercriminal ecosystem highlight potential collaboration and resource sharing, enhancing operational capabilities. The report underscores the importance of targeted defenses against these phishing lures and the need for continuous monitoring of CastleLoader-related activity.

Potential Impact

European organizations, especially those in logistics, travel, and e-commerce sectors, face significant risks from GrayBravo’s CastleLoader campaigns. Successful phishing attacks can lead to malware installation, resulting in data exfiltration, credential theft, and potential lateral movement within networks. This compromises confidentiality and integrity of sensitive business and customer data. Operational disruptions may occur if malware affects critical systems, impacting availability. The impersonation of well-known brands like Booking.com increases the likelihood of user interaction, raising the risk of initial compromise. Given the MaaS model, multiple organizations across industries could be targeted simultaneously, amplifying the threat’s scale. The adaptability of GrayBravo means defenses must continuously evolve to counter new tactics. For European entities, breaches could also have regulatory repercussions under GDPR due to potential data leaks. The medium severity reflects the balance between the threat’s sophistication and the reliance on phishing vectors, which can be mitigated with proper controls.

Mitigation Recommendations

1. Implement advanced email filtering solutions capable of detecting and blocking phishing emails that use brand impersonation and ClickFix techniques.
2. Conduct targeted user awareness training focusing on recognizing phishing lures related to logistics firms and Booking.com, emphasizing the risks of interacting with unexpected links or attachments.
3. Deploy endpoint detection and response (EDR) tools to identify and contain CastleLoader malware activity promptly.
4. Monitor network traffic for indicators of compromise associated with CastleLoader and related tools like CastleRAT and CastleBot.
5. Enforce multi-factor authentication (MFA) across all user accounts to reduce the impact of credential theft.
6. Maintain up-to-date threat intelligence feeds to stay informed about evolving GrayBravo tactics and indicators.
7. Establish incident response plans specifically addressing phishing and malware infections linked to MaaS operations.
8. Collaborate with industry peers and information sharing organizations to exchange intelligence on emerging threats and mitigation strategies.
9. Regularly audit and restrict permissions to limit malware lateral movement within networks.
10. Verify the authenticity of communications purporting to be from logistics or travel companies through out-of-band channels before acting on requests.
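The monitoring step in recommendation 4, shown as an added example that is not part of the OTX pulse or the Recorded Future report: the script below loads domain, IPv4 and CIDR indicators from a pulse and matches DNS/proxy log lines against them, counting subdomains of a listed domain and addresses inside a listed range as hits. The pulse JSON shape (a list of objects with "type" and "indicator" keys) is an assumption about the OTX export format, and the log line layout, sample pulse and sample log lines are constructed; the indicator values themselves come from this page.

```python
import json, re
from ipaddress import ip_address, ip_network
# Constructed sample in the OTX pulse export shape ("type"/"indicator" keys assumed); values are from this page.
SAMPLE_PULSE = json.dumps({"indicators": [
    {"type": "domain", "indicator": "checkinstayverify.com"},
    {"type": "domain", "indicator": "loadstracking.com"},
    {"type": "IPv4", "indicator": "78.153.155.131"},
    {"type": "CIDR", "indicator": "192.109.138.0/24"}]})
# Constructed DNS/proxy log lines: "<timestamp> <source ip> <requested host> <destination ip>".
SAMPLE_LOG = [
    "2025-12-09T10:01:02Z 10.0.0.15 files.loadstracking.com 192.109.138.77",
    "2025-12-09T10:01:05Z 10.0.0.15 www.booking.com 203.0.113.10",
    "2025-12-09T10:02:11Z 10.0.0.22 checkinstayverify.com 78.153.155.131",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+)$")

def load_indicators(pulse_json):
    """Collect domains and networks (single IPv4 indicators become /32 networks); hashes are ignored here."""
    domains, nets = set(), []
    for ioc in json.loads(pulse_json)["indicators"]:
        kind, value = ioc["type"], ioc["indicator"].lower()
        if kind in ("domain", "hostname"):
            domains.add(value)
        elif kind in ("IPv4", "CIDR"):
            nets.append(ip_network(value))
    return domains, nets

def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one (files.loadstracking.com)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))

def ip_matches(addr, nets):
    """True if addr falls inside a listed network; strings that are not IPs never match."""
    try:
        parsed = ip_address(addr)
    except ValueError:
        return False
    return any(parsed in net for net in nets)

def scan(log_lines, pulse_json):
    """Return (source ip, host, reasons) for every line that touches a listed domain or network."""
    domains, nets = load_indicators(pulse_json)
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):  # malformed lines are skipped
        reasons = [n for n, ok in (("domain", domain_matches(m["host"], domains)),
                                   ("ip", ip_matches(m["dst"], nets))) if ok]
        if reasons:
            hits.append((m["src"], m["host"], ",".join(reasons)))
    return hits
```

File hash indicators from the same pulse belong in the EDR or file-event pipeline rather than in this network view, which is why the loader skips them.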

Technical Details

Author: AlienVault
TLP: white
References: https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries
Adversary: GrayBravo
Pulse Id: 6937b6169bd435b2e3a0787e
Threat Score: null

Indicators of Compromise

Cidr

192.109.138.0/24

Threat ID: 693819561b76610347bfb3b1

Added to database: 12/9/2025, 12:43:02 PM

Last enriched: 12/9/2025, 12:58:01 PM

Last updated: 12/11/2025, 5:41:07 AM
