Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery
Essential information
- Published: 15/12/2025 09:05
- Modified: 21/12/2025 19:03
- Tags: 2025-12-15, castleloader, clickfix, python
- Related entities: 6 observables, 3 techniques (MITRE), 2 malware, 1 other
Description
The Blackpoint SOC recently responded to an incident initiated through the tried-and-true ClickFix technique, a social engineering method consistently leveraged across numerous campaigns this past year. These lures convince users to press Win + R to open the Windows Run dialog box, then enter a command presented as a harmless “human verification” step or similar prompt. This pattern has been used repeatedly to deploy everything from information stealers to remote access trojans (RATs), and it has also become one of the primary delivery vectors for a newer loader family known as CastleLoader.