216.73.217.22

CastleLoader Activity Clusters Target Multiple Industries

· Published 09/12/2025 05:39 · Modified 21/12/2025 18:49

Export JSON

Essential information

Published
09/12/2025 05:39
Modified
21/12/2025 18:49
Tags
2025-12-09 booking.com castlebot castleloader castlerat clickfix logistics malware-as-a-service matanbuchus netsupport rat phishing sectoprat warmcookie
Related entities
87 observables, 1 intrusion sets (apt), 7 malware, 200 others

Description

Insikt Group has identified four distinct activity clusters associated with GrayBravo's malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a model. One cluster, TAG-160, impersonates firms and uses lures with the technique to distribute . Another cluster, TAG-161, impersonates and employs similar techniques. The analysis also uncovered potential links to the online persona "Sparja" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (87)

  • 37.230.62.235
  • 91.202.233.250
  • 67.217.228.198
  • 185.39.19.180
  • 45.134.26.41
  • 45.11.183.19
  • 45.11.183.165
  • 195.149.146.118
  • 88.214.50.83
  • 194.76.227.242
  • 168.100.8.84
  • 185.125.50.125
  • 77.83.207.55
  • 185.236.20.154
  • 45.135.232.149
  • 31.58.87.132
  • 77.90.153.43
  • 79.132.131.200
  • 192.109.138.102
  • 87.120.93.167
  • 45.11.180.174
  • 85.208.84.242
  • 185.208.158.250
  • 64.52.80.121
  • 185.39.19.164
  • 31.58.50.160
  • 94.141.122.164
  • 185.196.9.80
  • 192.109.138.103
  • 77.83.207.56
  • 144.208.126.50
  • 91.202.233.132
  • 45.61.136.81
  • 178.17.57.102
  • 104.225.129.171
  • 185.196.9.222
  • 195.85.115.44
  • 147.45.177.127
  • 80.77.25.239
  • 94.159.113.32
  • 78.153.155.131
  • 85.208.84.115
  • 94.159.113.123
  • 185.196.10.8
  • 89.185.84.211
  • 45.155.249.121
  • 192.124.178.74
  • 178.17.57.103
  • 80.77.25.88
  • 178.17.57.153
  • 185.156.248.24
  • 45.11.183.45
  • 85.192.49.6
  • 185.39.19.94
  • 192.153.57.125
  • 185.196.11.171
  • 45.11.180.198
  • 45.144.53.62
  • 79.132.130.148
  • 185.149.146.118
  • 185.39.19.181
  • 80.77.25.114
  • 80.64.18.245
  • 85.208.84.65
  • http://boiksal.com/upd.
  • http://boiksal.com/upd
  • https://catalyst.prodaft.com/public/report/understanding-current-castleloade
  • https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview
  • https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/o
  • http://78.153.155.131/service/download/p2.tar
  • cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c
  • 94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a
  • 202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04
  • 60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0
  • d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec
  • 25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04
  • 53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df
  • 190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836
  • 058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7
  • 1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75
  • 67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b
  • 963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d
  • e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928
  • 1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156
  • fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c
  • 6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783
  • b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2

Intrusion sets (APT) (1)

  • GrayBravo
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 19:43 · Modified 21/12/2025 19:43

Malware (7)

  • Matanbuchus
    Family
    Published 09/12/2025 05:39 · Modified 09/12/2025 05:39
  • CastleLoader
    Family
    Published 04/06/2026 22:52 · Modified 04/06/2026 22:52
  • CastleRAT
    Family
    Published 23/04/2026 14:16 · Modified 23/04/2026 14:16
  • CastleBot
    Family
    Published 09/12/2025 05:39 · Modified 09/12/2025 05:39
  • SectopRAT
    Family
    Published 26/05/2026 15:20 · Modified 26/05/2026 15:20
  • NetSupport RAT
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • WarmCookie
    Family
    Published 28/01/2026 18:26 · Modified 28/01/2026 18:26

Others (200)

  • United States of America
  • Logistics
  • Transport
  • Hospitality
  • yt-ko.com
  • dpeformse.com
  • update-info539156.com
  • pit-kp.com
  • update-info4468765.com
  • request-info3444.com
  • itp-ce.com
  • guestaformsafe.com
  • vipcinemade.shop
  • confirmhotelistay.com
  • rol-vd.com
  • site-riko.com
  • guestformasafe.com
  • autryjones.com
  • wal-ik.com
  • boiksal.com
  • confirmstayon.com
  • redlightninglogistics.com
  • site-bila.com
  • confirmhotelystay.com
  • treetankists.com
  • servicehotelonline.com
  • roomverifiaccess.com
  • miteamss.com
  • guest-request64533.com
  • mechiraz.com
  • boikfrs.com
  • update-guest4398317809.com
  • rcpeformse.com
  • mac-ig.com
  • tdbfvgwe456yt.com
  • ipk-sa.com
  • guest-request44565494.com
  • verifyhubguest.com
  • guestverifyhub.com
  • for-es.com
  • rateconfirmations.com
  • bestvpninfo.shop
  • tradlngview-desktop.biz
  • spu-cr.com
  • site-filo.com
  • xut-uv.com
  • bdeskthebest.shop
  • gabesworld.com
  • jshanoi.com
  • verifihubguest.com
  • bioskbd.com
  • roomiverifaccess.com
  • guest-request677653.com
  • redlightninglogisticsinc.com
  • tradeviewdesktop.shop
  • confirmhotelestay.com
  • englandloglstics.com
  • guestportalverify.com
  • update-info3458421.com
  • donttouchme.life
  • guestformsafe.com
  • bookingnewprice204167.icu
  • bethschwier.com
  • tenderloads.com
  • mcentireinc.com
  • request345553.com
  • fir-vp.com
  • guesutastayhotel.com
  • guest-update666532345.com
  • hoteliguestverify.com
  • wereatwar.com
  • dperforms.info
  • hotelystayverify.com
  • alafair.net
  • pilolhotel.com
  • loadsschedule.com
  • kip-er.com
  • vipcinemadubai.shop
  • leemanlogisticsinc.com
  • easyadvicesforyou.shop
  • nedpihotel.com
  • her-op.com
  • checkistayverify.com
  • trucksscheduling.com
  • mrlogsol.ca
  • tradview-desktop.shop
  • nimbusvaults.com
  • albafood.shop
  • guestaverifyportal.com
  • apps.englandlogistics.rateconfirmations.com
  • bestproxysale.shop
  • site-reto.com
  • checkystayverify.com
  • pinaccletruckllc.com
  • chessinthenight.lol
  • guestistayhotel.com
  • cking.com
  • starkforeveryone.lol
  • dip-bo.com
  • uki-fa.com
  • checkinistayverify.com
  • justnewdmain.com
  • guest-request16433.com
  • otr-gl.com
  • guestverifylink.com
  • funjobcollins.shop
  • site-here.com
  • gir-vc.com
  • guest-request666543.com
  • uke-sd.com
  • hotelistayverify.com
  • englandlogistics.com
  • update-reques898665.com
  • files.loadstracking.com
  • cik-ed.com
  • ykl-vh.com
  • guestverifyportal.com
  • sweetdevices.lol
  • eta-cd.com
  • nvldlainfoblog.shop
  • notusdt.lol
  • hometownlogisticsllc.com
  • oldspicenotsogood.shop
  • request-info4433345.com
  • starshiplogisticsgroupllc.com
  • donttouchthisisuseless.icu
  • mcloads.com
  • update-info4467.com
  • dok-ol.com
  • site-tiko.com
  • newmessage10294.com
  • guestformahub.com
  • vipdubaicinema.shop
  • testdomain123123.shop
  • guestystayhotel.com
  • speatly.com
  • guestaportalverify.com
  • gut-bk.com
  • checkinstayverify.com
  • checkinastayverify.com
  • loadstracking.com
  • nort-secure.shop
  • campanyasoft.com
  • dut-cd.com
  • guestaformahub.com
  • kil-it.com
  • info-guest44567645.com
  • guestaformhub.com
  • docusign.homes
  • norton-secure.shop
  • bookingnewprice109034.icu
  • xyt-ko.com
  • confirmahotelastay.com
  • notstablecoin.xyz
  • gueststayhotel.com
  • catalyst.prodaft.com
  • roomverifaccess.com
  • doyoureallyseeme.icu
  • zit-fl.com
  • nvidblog.shop
  • kakapupuneww.com
  • touchmeplease.icu
  • ned-uj.com
  • englanglogistlcs.com
  • cut-gv.com
  • confirmstayonline.com
  • guesytastayhotel.com
  • castlppwnd.com
  • loadstrucking.com
  • site-wila.com
  • update-info71556.com
  • anotherproject.icu
  • site-sero.com
  • albalk.lol
  • update-info14546.com
  • hotelroomprice1039375.icu
  • request44456776.com
  • loadsplanning.com
  • guestformhub.com
  • dubaialbafood.shop
  • tradlngvlewdesktop.shop
  • mlxfreightinc.com
  • cdlfreightlogistics.com
  • update-gues3429.com
  • hotelyguestverify.com
  • info676345677.com
  • site-tilo.com
  • eto-sa.com
  • booking-porta.com
  • confirmyhotelstay.com
  • guesitastayhotel.com
  • map-nv.com
  • clgenetics.shop
  • icantseeyou.icu
  • loads.icu
  • tam-cg.com
  • checksstayverify.com
  • programsbookss.com
  • easyprintscreen.shop
  • 192.109.138.0/24

External references