CastleLoader Malware Analysis: Full Execution Breakdown
Essential information
- Published
- 15/01/2026 15:37
- Modified
- 15/01/2026 15:40
- Tags
- 2026-01-15 castleloader credential-theft evasion loader memory-only multi-stage process-hollowing
- Related entities
- 6 observables, 1 malware
Description
CastleLoader is a sophisticated malware loader designed to deliver and install malicious components, primarily targeting government entities and critical infrastructure. It employs a multi-stage execution chain involving Inno Setup, AutoIt, and process hollowing to evade detection. The loader delivers information stealers and RATs, enabling credential theft and persistent access. The analysis reveals its stealthy nature, relying on memory-only payloads and API resolution via hashing. The malware's configuration, including C2 infrastructure, was extracted through reverse engineering, providing high-confidence indicators of compromise for detection and analysis.