
CastleLoader Analysis

Severity: Medium
Published: Wed Aug 13 2025 (08/13/2025, 11:57:18 UTC)
Source: AlienVault OTX General

Description

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and AutoIT scripts, to load shellcode into memory and connect to C2 servers. CastleLoader's modular design allows deployment of multiple payloads, including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, and SectopRAT. Its campaigns target U.S. government entities and use legitimate file-sharing services and compromised websites for payload retrieval, enhancing resilience against takedowns.

AI-Powered Analysis

Last updated: 08/13/2025, 16:04:42 UTC

Technical Analysis

CastleLoader is a sophisticated and modular malware loader that has been active since at least May 2025, infecting 469 devices with a notable infection rate of 28.7%. It primarily spreads through phishing campaigns themed around Cloudflare ClickFix and fake GitHub repositories, leveraging social engineering to trick users into executing malicious payloads. Technically, CastleLoader employs advanced techniques such as PowerShell and AutoIT scripting to load shellcode directly into memory, thereby evading traditional disk-based detection mechanisms. Once executed, it establishes connections to command and control (C2) servers to receive further instructions and payloads. Its modular architecture allows it to deploy a variety of payloads, including information stealers like StealC, DeerStealer, and RedLine, as well as remote access trojans (RATs) such as NetSupport RAT, HijackLoader, and SectopRAT. The malware’s use of legitimate file-sharing services and compromised websites for payload delivery enhances its resilience against takedown efforts and complicates detection. The campaigns have specifically targeted U.S. government entities, indicating a focus on high-value targets. The malware also incorporates multiple MITRE ATT&CK techniques such as T1053 (Scheduled Task), T1140 (Deobfuscate/Decode Files or Information), T1036 (Masquerading), T1055 (Process Injection), T1497 (Virtualization/Sandbox Evasion), T1102 (Web Service), T1204 (User Execution), and others, demonstrating a multi-faceted approach to persistence, evasion, and command and control.

Potential Impact

For European organizations, CastleLoader poses a significant threat due to its capability to deliver information stealers and RATs that can exfiltrate sensitive data, compromise credentials, and enable persistent remote access. The modular nature of the loader means attackers can tailor payloads to specific targets, increasing the risk of espionage, intellectual property theft, and disruption of critical infrastructure. The use of phishing and fake repositories as infection vectors exploits common user behaviors, making it a widespread risk across sectors. Additionally, the malware’s ability to evade detection by loading payloads in memory and leveraging legitimate services for payload retrieval complicates incident response and forensic analysis. European government agencies, critical infrastructure providers, and private sector companies involved in technology, finance, and research are particularly at risk, as attackers may seek to replicate the targeting seen in U.S. government campaigns. The infection could lead to data breaches, operational disruptions, and reputational damage, with potential regulatory consequences under GDPR if personal data is compromised.

Mitigation Recommendations

European organizations should implement targeted defenses against CastleLoader by focusing on the following measures:

1) Enhance phishing detection and user awareness training specifically addressing Cloudflare-themed and fake GitHub repository lures to reduce the likelihood of initial infection.
2) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting in-memory execution techniques such as PowerShell and AutoIT script abuse, and monitor for suspicious process injection behaviors.
3) Implement strict application whitelisting and script execution policies to limit unauthorized PowerShell and AutoIT script execution.
4) Monitor network traffic for unusual connections to known C2 infrastructure and legitimate file-sharing services used for payload delivery, employing threat intelligence feeds to update detection rules.
5) Conduct regular threat hunting exercises focusing on indicators of compromise related to CastleLoader and its associated payloads.
6) Harden user privilege management to prevent unauthorized persistence mechanisms and lateral movement.
7) Maintain up-to-date backups and incident response plans tailored to malware infections involving RATs and information stealers.
8) Collaborate with national cybersecurity centers and share threat intelligence to stay informed about emerging CastleLoader campaigns and indicators.
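As an added illustration of recommendations 2), 3) and 5), the following Python script is example code written for this page; it is not part of the original advisory, of the AlienVault pulse, or of any vendor tool. It applies generic script-abuse heuristics to constructed Sysmon-style process-creation records (PowerShell launched with hidden, encoded or policy-bypass flags; PowerShell spawned directly by explorer.exe, which is how a user-pasted lure command typically appears; the AutoIt interpreter running from a user-writable path) and checks file hashes against the SHA-256 published in the Indicators of Compromise section below. The log format, field names, regular expressions and the explorer.exe heuristic are assumptions; only the hash value comes from the page, and the sample log lines are constructed.

```python
"""Hunting heuristics for script-based loader behaviour (constructed example)."""
import hashlib
import re
from dataclasses import dataclass, field

# The only indicator the advisory publishes: one SHA-256 (from the page's IoC section).
IOC_SHA256 = {"05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8"}

# Generic heuristics (assumptions for this example, not CastleLoader-specific signatures).
PS_IMAGE = re.compile(r"(?i)\\powershell(_ise)?\.exe$|\\pwsh\.exe$")
PS_SUSPICIOUS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|"
    r"executionpolicy\s+bypass|\biex\b|invoke-expression|downloadstring|frombase64string)"
)
AUTOIT_IMAGE = re.compile(r"(?i)\\autoit3(_x64)?\.exe$")
USER_WRITABLE = re.compile(r"(?i)\\(temp|appdata|downloads|public|programdata)\\")
EXPLORER = re.compile(r"(?i)\\explorer\.exe$")

# Constructed records in the assumed format: timestamp|Image|CommandLine|ParentImage
SAMPLE_LOGS = r"""2025-08-13T11:57:18Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA|C:\Windows\explorer.exe
2025-08-13T11:58:02Z|C:\Users\alice\AppData\Local\Temp\AutoIt3.exe|AutoIt3.exe C:\Users\alice\AppData\Local\Temp\upd.a3x|C:\Users\alice\AppData\Local\Temp\AutoIt3.exe
2025-08-13T12:01:44Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\backup.ps1|C:\Windows\System32\svchost.exe
2025-08-13T12:02:10Z|C:\Program Files\AutoIt3\AutoIt3.exe|AutoIt3.exe C:\Tools\inventory.au3|C:\Windows\explorer.exe"""


@dataclass
class Finding:
    line_no: int
    image: str
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Split one pipe-delimited record; return None for malformed lines."""
    parts = line.split("|")
    if len(parts) != 4:
        return None
    ts, image, cmdline, parent = (p.strip() for p in parts)
    return {"ts": ts, "image": image, "cmdline": cmdline, "parent": parent}


def classify(rec):
    """Return the list of heuristic reasons a record is worth an analyst's look."""
    reasons = []
    if PS_IMAGE.search(rec["image"]):
        if PS_SUSPICIOUS.search(rec["cmdline"]):
            reasons.append("PowerShell with hidden/encoded/bypass or download-and-execute "
                           "flags (T1140 decode, in-memory loading)")
        if EXPLORER.search(rec["parent"]):
            reasons.append("PowerShell spawned directly by explorer.exe, consistent with "
                           "a user-pasted lure command (T1204 User Execution)")
    elif AUTOIT_IMAGE.search(rec["image"]):
        if USER_WRITABLE.search(rec["image"]) or USER_WRITABLE.search(rec["cmdline"]):
            reasons.append("AutoIt interpreter or script running from a user-writable "
                           "path (T1036 Masquerading / T1204 User Execution)")
    return reasons


def hunt(log_text):
    """Run the heuristics over every record and collect findings in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(n, rec["image"], reasons))
    return findings


def sha256_hex(data):
    """Hex SHA-256 of a file's bytes, for comparison against the IoC list."""
    return hashlib.sha256(data).hexdigest()


def matches_ioc(hexdigest):
    """True if a (case-insensitive) SHA-256 hex digest is on the IoC list."""
    return hexdigest.strip().lower() in IOC_SHA256


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.image}")
        for r in f.reasons:
            print("  -", r)
    print("IoC match for constructed benign bytes:",
          matches_ioc(sha256_hex(b"constructed benign sample")))
```

Of the four constructed records, only the first two are flagged: the legitimate scheduled backup script and the AutoIt tool installed under Program Files fall through, which is the point of pairing flag-based and path-based conditions rather than alerting on every PowerShell or AutoIt process. In production the same rules would be fed from EDR or Sysmon event 1 data and the IoC set would be refreshed from a threat-intelligence feed.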


Technical Details

Author: AlienVault
TLP: white
References: https://blog.polyswarm.io/castleloader
Adversary: none recorded
Pulse Id: 689c7d9e36c4ad103e6d786e
Threat Score: none recorded

Indicators of Compromise

Hash (SHA-256): 05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8

Threat ID: 689cb3a4ad5a09ad00459d29

Added to database: 8/13/2025, 3:47:48 PM

Last enriched: 8/13/2025, 4:04:42 PM

Last updated: 8/14/2025, 12:24:16 PM

