CastleLoader Activity Clusters Target Multiple Industries
Essential information
- Published: 09/12/2025 05:39
- Modified: 21/12/2025 18:49
- Tags: 2025-12-09 booking.com castlebot castleloader castlerat clickfix logistics malware-as-a-service matanbuchus netsupport rat phishing sectoprat warmcookie
- Related entities: 87 observables, 1 intrusion set (APT), 7 malware, 200 others
Description
Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona "Sparja" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.