{
  "name": "CastleLoader Activity Clusters Target Multiple Industries",
  "slug": "castleloader-activity-clusters-target-multiple-industries",
  "description": "Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with its own tactics and victim profile. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique (social-engineering pages that trick the victim into copying and running a command themselves) to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona \"Sparja\" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats. Note on the attached indicators: the observables list mixes network indicators with reference material and extraction artifacts. The catalyst.prodaft.com report URLs and the truncated strings (for example \"http://boiksal.com/upd.\" alongside \"http://boiksal.com/upd\", and the cut-off prodaft URLs) are not actionable and should be dropped before the list is loaded into blocking or detection controls. Some listed domains resemble real companies (englandlogistics.com appears next to the typosquats englandloglstics.com and englanglogistlcs.com), so each domain should be validated as attacker-controlled rather than an impersonated brand before it is blocked.",
  "published": "2025-12-09T04:39:34+00:00",
  "created_at": "2025-12-09T04:39:34+00:00",
  "modified_at": "2025-12-21T17:49:15+00:00",
  "created_at_opencti": "2025-12-09T04:39:34+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-09",
    "booking.com",
    "castlebot",
    "castleloader",
    "castlerat",
    "clickfix",
    "logistics",
    "malware-as-a-service",
    "matanbuchus",
    "netsupport rat",
    "phishing",
    "sectoprat",
    "warmcookie"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "37.230.62.235"
      },
      {
        "id": "",
        "name": "91.202.233.250"
      },
      {
        "id": "",
        "name": "67.217.228.198"
      },
      {
        "id": "",
        "name": "185.39.19.180"
      },
      {
        "id": "",
        "name": "45.134.26.41"
      },
      {
        "id": "",
        "name": "45.11.183.19"
      },
      {
        "id": "",
        "name": "45.11.183.165"
      },
      {
        "id": "",
        "name": "195.149.146.118"
      },
      {
        "id": "",
        "name": "88.214.50.83"
      },
      {
        "id": "",
        "name": "194.76.227.242"
      },
      {
        "id": "",
        "name": "168.100.8.84"
      },
      {
        "id": "",
        "name": "185.125.50.125"
      },
      {
        "id": "",
        "name": "77.83.207.55"
      },
      {
        "id": "",
        "name": "185.236.20.154"
      },
      {
        "id": "",
        "name": "45.135.232.149"
      },
      {
        "id": "",
        "name": "31.58.87.132"
      },
      {
        "id": "",
        "name": "77.90.153.43"
      },
      {
        "id": "",
        "name": "79.132.131.200"
      },
      {
        "id": "",
        "name": "192.109.138.102"
      },
      {
        "id": "",
        "name": "87.120.93.167"
      },
      {
        "id": "",
        "name": "45.11.180.174"
      },
      {
        "id": "",
        "name": "85.208.84.242"
      },
      {
        "id": "",
        "name": "185.208.158.250"
      },
      {
        "id": "",
        "name": "64.52.80.121"
      },
      {
        "id": "",
        "name": "185.39.19.164"
      },
      {
        "id": "",
        "name": "31.58.50.160"
      },
      {
        "id": "",
        "name": "94.141.122.164"
      },
      {
        "id": "",
        "name": "185.196.9.80"
      },
      {
        "id": "",
        "name": "192.109.138.103"
      },
      {
        "id": "",
        "name": "77.83.207.56"
      },
      {
        "id": "",
        "name": "144.208.126.50"
      },
      {
        "id": "",
        "name": "91.202.233.132"
      },
      {
        "id": "",
        "name": "45.61.136.81"
      },
      {
        "id": "",
        "name": "178.17.57.102"
      },
      {
        "id": "",
        "name": "104.225.129.171"
      },
      {
        "id": "",
        "name": "185.196.9.222"
      },
      {
        "id": "",
        "name": "195.85.115.44"
      },
      {
        "id": "",
        "name": "147.45.177.127"
      },
      {
        "id": "",
        "name": "80.77.25.239"
      },
      {
        "id": "",
        "name": "94.159.113.32"
      },
      {
        "id": "",
        "name": "78.153.155.131"
      },
      {
        "id": "",
        "name": "85.208.84.115"
      },
      {
        "id": "",
        "name": "94.159.113.123"
      },
      {
        "id": "",
        "name": "185.196.10.8"
      },
      {
        "id": "",
        "name": "89.185.84.211"
      },
      {
        "id": "",
        "name": "45.155.249.121"
      },
      {
        "id": "",
        "name": "192.124.178.74"
      },
      {
        "id": "",
        "name": "178.17.57.103"
      },
      {
        "id": "",
        "name": "80.77.25.88"
      },
      {
        "id": "",
        "name": "178.17.57.153"
      },
      {
        "id": "",
        "name": "185.156.248.24"
      },
      {
        "id": "",
        "name": "45.11.183.45"
      },
      {
        "id": "",
        "name": "85.192.49.6"
      },
      {
        "id": "",
        "name": "185.39.19.94"
      },
      {
        "id": "",
        "name": "192.153.57.125"
      },
      {
        "id": "",
        "name": "185.196.11.171"
      },
      {
        "id": "",
        "name": "45.11.180.198"
      },
      {
        "id": "",
        "name": "45.144.53.62"
      },
      {
        "id": "",
        "name": "79.132.130.148"
      },
      {
        "id": "",
        "name": "185.149.146.118"
      },
      {
        "id": "",
        "name": "185.39.19.181"
      },
      {
        "id": "",
        "name": "80.77.25.114"
      },
      {
        "id": "",
        "name": "80.64.18.245"
      },
      {
        "id": "",
        "name": "85.208.84.65"
      },
      {
        "id": "",
        "name": "http://boiksal.com/upd."
      },
      {
        "id": "",
        "name": "http://boiksal.com/upd"
      },
      {
        "id": "",
        "name": "https://catalyst.prodaft.com/public/report/understanding-current-castleloade"
      },
      {
        "id": "",
        "name": "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
      },
      {
        "id": "",
        "name": "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/o"
      },
      {
        "id": "",
        "name": "http://78.153.155.131/service/download/p2.tar"
      },
      {
        "id": "",
        "name": "cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c"
      },
      {
        "id": "",
        "name": "94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a"
      },
      {
        "id": "",
        "name": "202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04"
      },
      {
        "id": "",
        "name": "60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0"
      },
      {
        "id": "",
        "name": "d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec"
      },
      {
        "id": "",
        "name": "25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04"
      },
      {
        "id": "",
        "name": "53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df"
      },
      {
        "id": "",
        "name": "190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836"
      },
      {
        "id": "",
        "name": "058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7"
      },
      {
        "id": "",
        "name": "1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75"
      },
      {
        "id": "",
        "name": "67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b"
      },
      {
        "id": "",
        "name": "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
      },
      {
        "id": "",
        "name": "e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928"
      },
      {
        "id": "",
        "name": "1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156"
      },
      {
        "id": "",
        "name": "fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c"
      },
      {
        "id": "",
        "name": "6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783"
      },
      {
        "id": "",
        "name": "b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:f4e2b60f465e2e7c",
        "name": "Matanbuchus",
        "slug": "matanbuchus"
      },
      {
        "id": "legacy:malware:483824c70b12c7ed",
        "name": "CastleLoader",
        "slug": "castleloader"
      },
      {
        "id": "legacy:malware:e8452a26dc96331e",
        "name": "CastleRAT",
        "slug": "castlerat"
      },
      {
        "id": "legacy:malware:64bd32ad056a3405",
        "name": "CastleBot",
        "slug": "castlebot"
      },
      {
        "id": "legacy:malware:6058ee6dd9d36156",
        "name": "SecTopRAT",
        "slug": "sectoprat"
      },
      {
        "id": "legacy:malware:72c31ed0db92bc73",
        "name": "NetSupport RAT",
        "slug": "netsupport-rat"
      },
      {
        "id": "legacy:malware:8b0db59783308dcc",
        "name": "WarmCookie",
        "slug": "warmcookie"
      }
    ],
    "intrusion_sets": [
      {
        "id": "eebde63f-35b8-4b1c-845e-0ecae332970e",
        "name": "GrayBravo",
        "slug": "graybravo"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Logistics"
      },
      {
        "id": "",
        "name": "Transport"
      },
      {
        "id": "",
        "name": "Hospitality"
      },
      {
        "id": "",
        "name": "yt-ko.com"
      },
      {
        "id": "",
        "name": "dpeformse.com"
      },
      {
        "id": "",
        "name": "update-info539156.com"
      },
      {
        "id": "",
        "name": "pit-kp.com"
      },
      {
        "id": "",
        "name": "update-info4468765.com"
      },
      {
        "id": "",
        "name": "request-info3444.com"
      },
      {
        "id": "",
        "name": "itp-ce.com"
      },
      {
        "id": "",
        "name": "guestaformsafe.com"
      },
      {
        "id": "",
        "name": "vipcinemade.shop"
      },
      {
        "id": "",
        "name": "confirmhotelistay.com"
      },
      {
        "id": "",
        "name": "rol-vd.com"
      },
      {
        "id": "",
        "name": "site-riko.com"
      },
      {
        "id": "",
        "name": "guestformasafe.com"
      },
      {
        "id": "",
        "name": "autryjones.com"
      },
      {
        "id": "",
        "name": "wal-ik.com"
      },
      {
        "id": "",
        "name": "boiksal.com"
      },
      {
        "id": "",
        "name": "confirmstayon.com"
      },
      {
        "id": "",
        "name": "redlightninglogistics.com"
      },
      {
        "id": "",
        "name": "site-bila.com"
      },
      {
        "id": "",
        "name": "confirmhotelystay.com"
      },
      {
        "id": "",
        "name": "treetankists.com"
      },
      {
        "id": "",
        "name": "servicehotelonline.com"
      },
      {
        "id": "",
        "name": "roomverifiaccess.com"
      },
      {
        "id": "",
        "name": "miteamss.com"
      },
      {
        "id": "",
        "name": "guest-request64533.com"
      },
      {
        "id": "",
        "name": "mechiraz.com"
      },
      {
        "id": "",
        "name": "boikfrs.com"
      },
      {
        "id": "",
        "name": "update-guest4398317809.com"
      },
      {
        "id": "",
        "name": "rcpeformse.com"
      },
      {
        "id": "",
        "name": "mac-ig.com"
      },
      {
        "id": "",
        "name": "tdbfvgwe456yt.com"
      },
      {
        "id": "",
        "name": "ipk-sa.com"
      },
      {
        "id": "",
        "name": "guest-request44565494.com"
      },
      {
        "id": "",
        "name": "verifyhubguest.com"
      },
      {
        "id": "",
        "name": "guestverifyhub.com"
      },
      {
        "id": "",
        "name": "for-es.com"
      },
      {
        "id": "",
        "name": "rateconfirmations.com"
      },
      {
        "id": "",
        "name": "bestvpninfo.shop"
      },
      {
        "id": "",
        "name": "tradlngview-desktop.biz"
      },
      {
        "id": "",
        "name": "spu-cr.com"
      },
      {
        "id": "",
        "name": "site-filo.com"
      },
      {
        "id": "",
        "name": "xut-uv.com"
      },
      {
        "id": "",
        "name": "bdeskthebest.shop"
      },
      {
        "id": "",
        "name": "gabesworld.com"
      },
      {
        "id": "",
        "name": "jshanoi.com"
      },
      {
        "id": "",
        "name": "verifihubguest.com"
      },
      {
        "id": "",
        "name": "bioskbd.com"
      },
      {
        "id": "",
        "name": "roomiverifaccess.com"
      },
      {
        "id": "",
        "name": "guest-request677653.com"
      },
      {
        "id": "",
        "name": "redlightninglogisticsinc.com"
      },
      {
        "id": "",
        "name": "tradeviewdesktop.shop"
      },
      {
        "id": "",
        "name": "confirmhotelestay.com"
      },
      {
        "id": "",
        "name": "englandloglstics.com"
      },
      {
        "id": "",
        "name": "guestportalverify.com"
      },
      {
        "id": "",
        "name": "update-info3458421.com"
      },
      {
        "id": "",
        "name": "donttouchme.life"
      },
      {
        "id": "",
        "name": "guestformsafe.com"
      },
      {
        "id": "",
        "name": "bookingnewprice204167.icu"
      },
      {
        "id": "",
        "name": "bethschwier.com"
      },
      {
        "id": "",
        "name": "tenderloads.com"
      },
      {
        "id": "",
        "name": "mcentireinc.com"
      },
      {
        "id": "",
        "name": "request345553.com"
      },
      {
        "id": "",
        "name": "fir-vp.com"
      },
      {
        "id": "",
        "name": "guesutastayhotel.com"
      },
      {
        "id": "",
        "name": "guest-update666532345.com"
      },
      {
        "id": "",
        "name": "hoteliguestverify.com"
      },
      {
        "id": "",
        "name": "wereatwar.com"
      },
      {
        "id": "",
        "name": "dperforms.info"
      },
      {
        "id": "",
        "name": "hotelystayverify.com"
      },
      {
        "id": "",
        "name": "alafair.net"
      },
      {
        "id": "",
        "name": "pilolhotel.com"
      },
      {
        "id": "",
        "name": "loadsschedule.com"
      },
      {
        "id": "",
        "name": "kip-er.com"
      },
      {
        "id": "",
        "name": "vipcinemadubai.shop"
      },
      {
        "id": "",
        "name": "leemanlogisticsinc.com"
      },
      {
        "id": "",
        "name": "easyadvicesforyou.shop"
      },
      {
        "id": "",
        "name": "nedpihotel.com"
      },
      {
        "id": "",
        "name": "her-op.com"
      },
      {
        "id": "",
        "name": "checkistayverify.com"
      },
      {
        "id": "",
        "name": "trucksscheduling.com"
      },
      {
        "id": "",
        "name": "mrlogsol.ca"
      },
      {
        "id": "",
        "name": "tradview-desktop.shop"
      },
      {
        "id": "",
        "name": "nimbusvaults.com"
      },
      {
        "id": "",
        "name": "albafood.shop"
      },
      {
        "id": "",
        "name": "guestaverifyportal.com"
      },
      {
        "id": "",
        "name": "apps.englandlogistics.rateconfirmations.com"
      },
      {
        "id": "",
        "name": "bestproxysale.shop"
      },
      {
        "id": "",
        "name": "site-reto.com"
      },
      {
        "id": "",
        "name": "checkystayverify.com"
      },
      {
        "id": "",
        "name": "pinaccletruckllc.com"
      },
      {
        "id": "",
        "name": "chessinthenight.lol"
      },
      {
        "id": "",
        "name": "guestistayhotel.com"
      },
      {
        "id": "",
        "name": "cking.com"
      },
      {
        "id": "",
        "name": "starkforeveryone.lol"
      },
      {
        "id": "",
        "name": "dip-bo.com"
      },
      {
        "id": "",
        "name": "uki-fa.com"
      },
      {
        "id": "",
        "name": "checkinistayverify.com"
      },
      {
        "id": "",
        "name": "justnewdmain.com"
      },
      {
        "id": "",
        "name": "guest-request16433.com"
      },
      {
        "id": "",
        "name": "otr-gl.com"
      },
      {
        "id": "",
        "name": "guestverifylink.com"
      },
      {
        "id": "",
        "name": "funjobcollins.shop"
      },
      {
        "id": "",
        "name": "site-here.com"
      },
      {
        "id": "",
        "name": "gir-vc.com"
      },
      {
        "id": "",
        "name": "guest-request666543.com"
      },
      {
        "id": "",
        "name": "uke-sd.com"
      },
      {
        "id": "",
        "name": "hotelistayverify.com"
      },
      {
        "id": "",
        "name": "englandlogistics.com"
      },
      {
        "id": "",
        "name": "update-reques898665.com"
      },
      {
        "id": "",
        "name": "files.loadstracking.com"
      },
      {
        "id": "",
        "name": "cik-ed.com"
      },
      {
        "id": "",
        "name": "ykl-vh.com"
      },
      {
        "id": "",
        "name": "guestverifyportal.com"
      },
      {
        "id": "",
        "name": "sweetdevices.lol"
      },
      {
        "id": "",
        "name": "eta-cd.com"
      },
      {
        "id": "",
        "name": "nvldlainfoblog.shop"
      },
      {
        "id": "",
        "name": "notusdt.lol"
      },
      {
        "id": "",
        "name": "hometownlogisticsllc.com"
      },
      {
        "id": "",
        "name": "oldspicenotsogood.shop"
      },
      {
        "id": "",
        "name": "request-info4433345.com"
      },
      {
        "id": "",
        "name": "starshiplogisticsgroupllc.com"
      },
      {
        "id": "",
        "name": "donttouchthisisuseless.icu"
      },
      {
        "id": "",
        "name": "mcloads.com"
      },
      {
        "id": "",
        "name": "update-info4467.com"
      },
      {
        "id": "",
        "name": "dok-ol.com"
      },
      {
        "id": "",
        "name": "site-tiko.com"
      },
      {
        "id": "",
        "name": "newmessage10294.com"
      },
      {
        "id": "",
        "name": "guestformahub.com"
      },
      {
        "id": "",
        "name": "vipdubaicinema.shop"
      },
      {
        "id": "",
        "name": "testdomain123123.shop"
      },
      {
        "id": "",
        "name": "guestystayhotel.com"
      },
      {
        "id": "",
        "name": "speatly.com"
      },
      {
        "id": "",
        "name": "guestaportalverify.com"
      },
      {
        "id": "",
        "name": "gut-bk.com"
      },
      {
        "id": "",
        "name": "checkinstayverify.com"
      },
      {
        "id": "",
        "name": "checkinastayverify.com"
      },
      {
        "id": "",
        "name": "loadstracking.com"
      },
      {
        "id": "",
        "name": "nort-secure.shop"
      },
      {
        "id": "",
        "name": "campanyasoft.com"
      },
      {
        "id": "",
        "name": "dut-cd.com"
      },
      {
        "id": "",
        "name": "guestaformahub.com"
      },
      {
        "id": "",
        "name": "kil-it.com"
      },
      {
        "id": "",
        "name": "info-guest44567645.com"
      },
      {
        "id": "",
        "name": "guestaformhub.com"
      },
      {
        "id": "",
        "name": "docusign.homes"
      },
      {
        "id": "",
        "name": "norton-secure.shop"
      },
      {
        "id": "",
        "name": "bookingnewprice109034.icu"
      },
      {
        "id": "",
        "name": "xyt-ko.com"
      },
      {
        "id": "",
        "name": "confirmahotelastay.com"
      },
      {
        "id": "",
        "name": "notstablecoin.xyz"
      },
      {
        "id": "",
        "name": "gueststayhotel.com"
      },
      {
        "id": "",
        "name": "catalyst.prodaft.com"
      },
      {
        "id": "",
        "name": "roomverifaccess.com"
      },
      {
        "id": "",
        "name": "doyoureallyseeme.icu"
      },
      {
        "id": "",
        "name": "zit-fl.com"
      },
      {
        "id": "",
        "name": "nvidblog.shop"
      },
      {
        "id": "",
        "name": "kakapupuneww.com"
      },
      {
        "id": "",
        "name": "touchmeplease.icu"
      },
      {
        "id": "",
        "name": "ned-uj.com"
      },
      {
        "id": "",
        "name": "englanglogistlcs.com"
      },
      {
        "id": "",
        "name": "cut-gv.com"
      },
      {
        "id": "",
        "name": "confirmstayonline.com"
      },
      {
        "id": "",
        "name": "guesytastayhotel.com"
      },
      {
        "id": "",
        "name": "castlppwnd.com"
      },
      {
        "id": "",
        "name": "loadstrucking.com"
      },
      {
        "id": "",
        "name": "site-wila.com"
      },
      {
        "id": "",
        "name": "update-info71556.com"
      },
      {
        "id": "",
        "name": "anotherproject.icu"
      },
      {
        "id": "",
        "name": "site-sero.com"
      },
      {
        "id": "",
        "name": "albalk.lol"
      },
      {
        "id": "",
        "name": "update-info14546.com"
      },
      {
        "id": "",
        "name": "hotelroomprice1039375.icu"
      },
      {
        "id": "",
        "name": "request44456776.com"
      },
      {
        "id": "",
        "name": "loadsplanning.com"
      },
      {
        "id": "",
        "name": "guestformhub.com"
      },
      {
        "id": "",
        "name": "dubaialbafood.shop"
      },
      {
        "id": "",
        "name": "tradlngvlewdesktop.shop"
      },
      {
        "id": "",
        "name": "mlxfreightinc.com"
      },
      {
        "id": "",
        "name": "cdlfreightlogistics.com"
      },
      {
        "id": "",
        "name": "update-gues3429.com"
      },
      {
        "id": "",
        "name": "hotelyguestverify.com"
      },
      {
        "id": "",
        "name": "info676345677.com"
      },
      {
        "id": "",
        "name": "site-tilo.com"
      },
      {
        "id": "",
        "name": "eto-sa.com"
      },
      {
        "id": "",
        "name": "booking-porta.com"
      },
      {
        "id": "",
        "name": "confirmyhotelstay.com"
      },
      {
        "id": "",
        "name": "guesitastayhotel.com"
      },
      {
        "id": "",
        "name": "map-nv.com"
      },
      {
        "id": "",
        "name": "clgenetics.shop"
      },
      {
        "id": "",
        "name": "icantseeyou.icu"
      },
      {
        "id": "",
        "name": "loads.icu"
      },
      {
        "id": "",
        "name": "tam-cg.com"
      },
      {
        "id": "",
        "name": "checksstayverify.com"
      },
      {
        "id": "",
        "name": "programsbookss.com"
      },
      {
        "id": "",
        "name": "easyprintscreen.shop"
      },
      {
        "id": "",
        "name": "192.109.138.0/24"
      }
    ]
  },
  "external_refs": [
    "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries",
    "https://otx.alienvault.com/pulse/6937b6169bd435b2e3a0787e"
  ]
}