
Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure

Medium
Malware
Published: Tue Dec 09 2025 (12/09/2025, 16:01:00 UTC)
Source: The Hacker News

Description

Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future's Insikt Group, which was previously tracking it as TAG-150. The

AI-Powered Analysis

AI analysis last updated: 12/09/2025, 17:04:45 UTC

Technical Analysis

GrayBravo, previously tracked as TAG-150, is a technically advanced cybercriminal group operating a malware-as-a-service (MaaS) infrastructure centered on the CastleLoader malware loader. CastleLoader acts as a delivery mechanism for multiple malware families, including CastleRAT (a remote access trojan), CastleBot (a modular malware framework with shellcode stager, loader, and backdoor components), and other payloads such as DeerStealer, RedLine Stealer, NetSupport RAT, and SectopRAT. The malware framework communicates with multi-tiered command-and-control (C2) servers to retrieve and execute payloads, enabling flexible and modular attacks.

Recorded Future's Insikt Group identified four distinct operational clusters leveraging CastleLoader, each employing different tactics and targeting vectors:

Cluster 1 targets the logistics sector using phishing and ClickFix techniques, exploiting freight-matching platforms like DAT Freight & Analytics and Loadlink Technologies to enhance phishing credibility.
Cluster 2 uses Booking.com-themed phishing campaigns to distribute CastleLoader and Matanbuchus 3.0.
Cluster 3 impersonates Booking.com infrastructure and uses Steam Community pages as dead drop resolvers to deliver CastleRAT.
Cluster 4 employs malvertising and fake software update lures masquerading as legitimate tools like Zabbix and RVTools to distribute CastleLoader and NetSupport RAT.

The actor demonstrates rapid development cycles, responsiveness to public reporting, and an expansive infrastructure including victim-facing C2 servers and backup VPS servers. The use of legitimate platforms and industry-specific knowledge enhances the effectiveness and deception of their campaigns. While no known exploits in the wild have been reported yet, the growing user base of CastleLoader and its modular design make it a potent threat capable of distributing a wide range of malware payloads.

The campaigns have been active since at least early 2025 and continue to evolve, indicating ongoing operational activity and expansion.

Potential Impact

For European organizations, especially those in the logistics, transportation, and supply chain sectors, GrayBravo's campaigns pose significant risks. The use of phishing campaigns tailored to freight-matching platforms and impersonation of legitimate logistics firms increases the likelihood of successful initial compromise. Once infected, organizations may face data theft, espionage, remote access by threat actors, and potential disruption of operations due to malware like RATs and stealers. The modular nature of CastleLoader allows delivery of diverse payloads, potentially leading to credential theft, intellectual property loss, and lateral movement within networks. The use of malvertising and fake software updates also broadens the attack surface to other sectors relying on tools like Zabbix and RVTools. The threat actor's rapid adaptation and expansion of infrastructure mean that defenses must be agile and continuously updated. The economic importance of logistics in Europe means that disruptions or data breaches could have cascading effects on supply chains and critical services. Furthermore, the impersonation of well-known platforms like Booking.com could impact hospitality and travel sectors, which are significant in Europe. Overall, the threat could lead to financial losses, reputational damage, and operational disruptions.

Mitigation Recommendations

1. Implement advanced phishing detection and user awareness training focused on sector-specific lures, including freight-matching platforms and Booking.com-themed campaigns.
2. Monitor and restrict creation and use of accounts on logistics and freight platforms to detect fraudulent or compromised accounts used in phishing.
3. Deploy endpoint detection and response (EDR) solutions capable of identifying CastleLoader, CastleRAT, CastleBot, and associated malware families by their behavior and indicators of compromise.
4. Use network monitoring to detect suspicious C2 communications, especially multi-tiered infrastructure patterns and connections to known malicious VPS servers.
5. Harden software update mechanisms and educate users to verify the authenticity of updates, particularly for tools like Zabbix and RVTools, to prevent malvertising and fake update lures.
6. Employ threat intelligence feeds to stay updated on emerging indicators related to GrayBravo and CastleLoader activity.
7. Conduct regular audits of privileged accounts and implement least privilege principles to limit malware impact.
8. Segment networks to contain potential infections and limit lateral movement.
9. Collaborate with industry partners and share intelligence on observed phishing campaigns and malware activity targeting logistics and related sectors.
10. Prepare incident response plans tailored to malware infections involving RATs and stealers to enable rapid containment and remediation.
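As an added example for recommendation 4 (this code is not from the article, Recorded Future, or the threat database), the script below runs a simple detection heuristic over a few constructed web-proxy log lines, aimed at the dead-drop-resolver pattern attributed to Cluster 3: a Steam Community page is fetched to look up the real C2 address, so a Steam Community request made by a process that is neither a browser nor the Steam client, followed by a connection to an unfamiliar host, is worth triage. The log format, host names, process names, and the expected-process list are all assumptions for the example.

```python
import re

# Constructed log format (assumption): "<timestamp> <source_host> <process> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Platform named in the analysis as a dead drop resolver for Cluster 3.
DEAD_DROP_HOSTS = {"steamcommunity.com"}

# Processes for which a Steam Community fetch is routine (assumption; tune per estate).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "steam.exe", "steamwebhelper.exe"}


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    domain = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method, "domain": domain}


def find_dead_drop_candidates(lines):
    """Return (source_host, process, dead_drop_domain, next_domain) tuples.

    A hit is any fetch of a dead-drop platform by a process outside EXPECTED_PROCESSES.
    next_domain is the first non-dead-drop host that same process on that same
    source contacted afterwards (the likely resolved C2), or None if there was none.
    Lines are assumed to be in chronological order.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    for i, e in enumerate(events):
        if e["domain"] in DEAD_DROP_HOSTS and e["proc"] not in EXPECTED_PROCESSES:
            follow = None
            for later in events[i + 1:]:
                same_origin = later["host"] == e["host"] and later["proc"] == e["proc"]
                if same_origin and later["domain"] not in DEAD_DROP_HOSTS:
                    follow = later["domain"]
                    break
            findings.append((e["host"], e["proc"], e["domain"], follow))
    return findings


# Constructed sample telemetry, not real log data; 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    "2025-12-09T10:00:01Z ws-17 chrome.exe GET https://steamcommunity.com/id/someuser",
    "2025-12-09T10:02:15Z ws-17 steam.exe GET https://steamcommunity.com/app/730",
    "2025-12-09T10:05:40Z ws-23 updater.exe GET https://steamcommunity.com/profiles/76561190000000000",
    "2025-12-09T10:05:41Z ws-23 updater.exe POST http://203.0.113.45/api/v1/check",
    "2025-12-09T10:06:00Z ws-23 chrome.exe GET https://www.booking.com/",
]

if __name__ == "__main__":
    for host, proc, domain, nxt in find_dead_drop_candidates(SAMPLE_LOGS):
        print(f"[!] {host}: {proc} fetched {domain}; next new host contacted: {nxt}")
```

The heuristic keys on process context rather than on the platform alone, because blocking or alerting on every Steam Community request would be noisy and the platform itself is legitimate; the follow-on host it surfaces is the value to pivot on in EDR and firewall data.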


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/12/four-threat-clusters-using-castleloader.html","fetched":true,"fetchedAt":"2025-12-09T17:04:21.811Z","wordCount":1120}

Threat ID: 693856987515e08d31661ac1

Added to database: 12/9/2025, 5:04:24 PM

Last enriched: 12/9/2025, 5:04:45 PM

Last updated: 12/10/2025, 9:29:02 AM

Views: 14

Community Reviews

0 reviews

