CastleBot MaaS — Modular Loader Fueling Ransomware Operations By CyberDudeBivash — your daily dose of ruthless, engineering-grade threat intel.

Executive summary

CastleBot is a newly emerged Malware-as-a-Service (MaaS) framework designed to select, stage, and deliver whatever payload its operators want—infostealers, RATs, and backdoors that often serve as ransomware precursors. It operates via a three-stage chain (stager → loader → core backdoor), is frequently delivered through trojanized software installers seeded by SEO-poisoned sites, and also shows up in ClickFix and fake GitHub repository lures. In recent campaigns, CastleBot deployed payloads including NetSupport RAT and WarmCookie, both seen in ransomware-linked activity. (IBM)


Why it matters now

  • IBM X-Force dates CastleBot activity to early 2025 with a sharp uptick from May 2025 onward, noting flexible tasking that lets affiliates filter victims and push multiple payloads per host. (IBM)
  • Earlier reporting on the same framework (called CastleLoader) documented 469 confirmed infections across 1,634 attempts, using ClickFix and fake GitHub repos—a clear, growing distribution ecosystem. (The Hacker News)

Threat overview & lineage

  • Name(s): CastleBot (aka CastleLoader in earlier public reporting).
  • Business model: MaaS for private affiliates (no broad dark-web ads visible yet). (IBM)
  • Typical objectives: Establish an initial foothold and post-exploitation control, then fan out payloads (stealers, RATs, secondary loaders) that pave the way to data theft and ransomware. (IBM)

Delivery vectors (initial access)

  1. Trojanized installers via SEO-poisoned sites
    Fake “official” download pages push installers that sideload CastleBot components. (IBM)
  2. ClickFix (“pastejacking”) lures
    Spoofed verification pages instruct users to run clipboard-injected commands (PowerShell / MSHTA) — seen widely this year and mapped by Unit 42 across NetSupport, Latrodectus and Lumma campaigns. IBM ties similar NetSupport activity back to CastleBot. (Unit 42; IBM)
  3. Fake GitHub repositories
    Repos impersonating popular tools trick developers into installing CastleBot-seeded packages (first documented in CastleLoader reporting; IBM confirms the overlap). (The Hacker News; IBM)

Technical anatomy (three stages)

1) Stager (shellcode / small PE)

  • API resolution: Dynamic API lookups keyed on DJB2 hashes of export names rather than plaintext imports.
  • Retrieval: Pulls two blobs over HTTP with the User-Agent “Googlebot”; decrypts them with a hardcoded XOR key to reveal the core backdoor (PE) and the loader (shellcode). Specific download paths and the key were observed in the wild. (IBM)
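To make the stager's two tricks concrete for triage, here is an added example (not code from the IBM report, the blog author, or the malware itself): a DJB2 hash table that resolves API-name hashes pulled from a sample back to export names, plus a repeating-key XOR decrypt with an MZ/PE sanity check for a captured blob. The classic DJB2 variant (seed 5381, h*33 + c, truncated to 32 bits), the API list, the XOR key and the blob are assumptions or constructed data; the real sample's hash variant, seed and key are not on this page.

```python
"""Analyst helpers for a CastleBot-style stager (DJB2 API hashing, XOR blobs).

Added example, not code from the IBM report or from the malware. Assumptions
(labelled): classic DJB2 (seed 5381, h = h*33 + c, 32-bit) and repeating-key
XOR over the downloaded blob. The key and blob below are constructed.
"""
import struct


def djb2(name: bytes, seed: int = 5381) -> int:
    """Classic DJB2: h = ((h << 5) + h) + c, truncated to 32 bits."""
    h = seed
    for c in name:
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


# Exports a stager/loader typically needs. Constructed list for the example;
# when triaging a real sample, feed in the full export table of each DLL.
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
             b"VirtualProtect", b"CreateThread", b"InternetOpenA",
             b"InternetOpenUrlA", b"InternetReadFile", b"WinHttpOpen"]


def build_hash_table(names=API_NAMES, seed: int = 5381) -> dict:
    """Map hash -> API name so hashes lifted from a sample can be resolved."""
    return {djb2(n, seed): n.decode() for n in names}


def resolve_hashes(hashes, table) -> list:
    """Return the API name for each hash, or an UNKNOWN_ marker."""
    return [table.get(h, f"UNKNOWN_{h:#010x}") for h in hashes]


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts test data."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a recovered PE: 'MZ' header and PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_pe(encrypted_blob: bytes, key: bytes):
    """Decrypt a captured blob; return PE bytes, or None if the key is wrong."""
    plain = xor_decrypt(encrypted_blob, key)
    return plain if looks_like_pe(plain) else None


# --- constructed sample data (not in-the-wild values) ------------------------
PLACEHOLDER_KEY = b"\x5a\xa5\x3c\xc3"   # placeholder, not the real key
# Minimal fake PE header: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\0\0'.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 16)
FAKE_BLOB = xor_decrypt(FAKE_PE, PLACEHOLDER_KEY)   # what a capture would hold

if __name__ == "__main__":
    table = build_hash_table()
    print(resolve_hashes([djb2(b"VirtualAlloc"), 0xDEADBEEF], table))
    print("PE recovered:", recover_pe(FAKE_BLOB, PLACEHOLDER_KEY) is not None)
```

In practice you would dump the hash constants the stager compares against, run them through the table built from the export lists of kernel32, wininet and winhttp, and any hash that stays UNKNOWN_ usually points at a different seed or a case-folded variant; the MZ/PE check is what tells you whether a guessed key is the right one.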

2) Loader

  • Memory mapping: Allocates memory, maps PE sections, fixes relocations/imports, honors TLS callbacks, then executes the CastleBot core fully in memory. (IBM)

3) Core backdoor

  • Tasking model: Beacons to C2 and receives multiple “tasks”—each may download and start a different payload (e.g., Rhadamanthys, Remcos, DeerStealer), enabling multi-payload drops per host. (IBM)

Payloads linked to ransomware activity

  • NetSupport RAT loaders delivered via ClickFix/SEO lures, mapped by Unit 42 and aligned by IBM to CastleBot campaigns. (Unit 42; IBM)
  • WarmCookie (aka Quickbind/BadSpace) — part of a broader cybercrime ecosystem with ransomware ties; law enforcement targeted it during Operation Endgame (2024), yet CastleBot continues deploying it. (IBM)
  • Commodity stealers/RATs and loaders: Rhadamanthys, Remcos, DeerStealer, SecTopRAT, HijackLoader, MonsterV2 (Autorun Stealer). (IBM)

So what? Stealers/RATs laid down by CastleBot prime environments for double-extortion ransomware: credentials and session tokens for lateral movement, plus data staging channels already in place.


Notable tradecraft & quirks

  • DLL sideloading via legitimate binaries (e.g., jp2launcher.exe → msvcp140.dll) in CastleBot chains distributing NetSupport or WarmCookie. (Unit 42; IBM)
  • Task-oriented C2 lets affiliates segment victims and rotate payloads rapidly, complicating attribution and detection. (IBM)

Indicators (sample set for immediate blocking/hunting)

Use these for short-term containment; expect churn.

  • C2/IPs & domains
    173.44.141[.]89
    80.77.23[.]48
    62.60.226[.]73
    170.130.165[.]112
    107.158.128[.]45
    107.158.128[.]105
    mhousecreative[.]com
    google.herionhelpline[.]com (fake “google” pathing) (IBM)
  • Network oddities
    HTTP User-Agent "Googlebot" from non-browser processes; downloads from /service/download/ and /service/settings/… paths. (IBM)

Detection & hunting (practical rules of thumb)

Endpoint (Windows)

  • ClickFix chain artifacts
    • powershell.exe / cmd.exe execution sourced from a browser or Win+R context; clipboard access immediately preceding PowerShell. (Unit 42)
  • Sideloading pattern
    • jp2launcher.exe generating unusual network activity or loading msvcp140.dll from Temp/user paths. (Unit 42)
  • CastleBot staging
    • Processes making HTTP GETs with User-Agent “Googlebot”; blobs written to disk, followed by RWX memory changes and new threads in the same process.

Sigma/KQL sketches (adapt as needed)

  • UA “Googlebot” from non-browser (Splunk SPL sketch; field names vary by sourcetype):
      (index=proxy OR sourcetype=win_http) 'User-Agent'="Googlebot"
      NOT process_name IN ("chrome.exe", "msedge.exe", "firefox.exe")
  • Suspicious jp2launcher chain (Defender Advanced Hunting KQL; DLL loads are recorded in DeviceImageLoadEvents, not DeviceProcessEvents):
      DeviceImageLoadEvents
      | where InitiatingProcessFileName =~ "jp2launcher.exe"
      | where FileName =~ "msvcp140.dll"
      | where FolderPath has_any (@"\Temp\", @"\AppData\") or InitiatingProcessCommandLine has_any ("Temp", "AppData")

Network

  • DNS/HTTP to the IOCs above and /service/ paths; block “google.*” look-alikes such as google.herionhelpline[.]com. (IBM)
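The network and endpoint heuristics in this section (Googlebot UA from a non-browser process, /service/download and /service/settings paths, the listed IoCs, and “google.*” look-alike hostnames) combined into one triage routine over proxy-style log lines. This is an added example, not the page's or any vendor's code; the key=value log format, the field names (process, ua, url, dest) and the sample lines are constructed, and the allowlist of legitimate Google suffixes is an assumption a defender would maintain for their own environment. The indicators themselves are the ones published on this page.

```python
"""Proxy/EDR log triage for the CastleBot hunting heuristics on this page.

Added example, not the page's or any vendor's code. The log format is a
constructed key=value line; field names are assumptions and differ per product.
"""
import re
from urllib.parse import urlsplit

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
STAGING_PATH_PREFIXES = ("/service/download/", "/service/settings/")
# Defanged indicators from the page, refanged for matching.
KNOWN_IOCS = {s.replace("[.]", ".") for s in (
    "173.44.141[.]89", "80.77.23[.]48", "62.60.226[.]73", "170.130.165[.]112",
    "107.158.128[.]45", "107.158.128[.]105",
    "mhousecreative[.]com", "google.herionhelpline[.]com")}
# Suffixes that legitimately carry the label "google" (assumption: an allowlist
# the defender maintains; extend for your environment).
LEGIT_GOOGLE_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com",
                         ".googleusercontent.com", ".google")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse key=value pairs; quoted values may contain spaces and '='."""
    return {k: (q if q != "" or u == "" else u) if q is not None else u
            for k, q, u in KV_RE.findall(line)}


def is_google_lookalike(host: str) -> bool:
    """'google' appears as (part of) a label but the host is not Google-owned."""
    host = host.lower().rstrip(".")
    if host == "google.com" or host.endswith(LEGIT_GOOGLE_SUFFIXES):
        return False
    return any("google" in label for label in host.split("."))


def triage(line: str) -> list:
    """Return the CastleBot heuristics a single log line triggers, in order."""
    ev = parse_line(line)
    hits = []
    ua = ev.get("ua", "")
    proc = ev.get("process", "").lower()
    url = urlsplit(ev.get("url", ""))
    host = (url.hostname or ev.get("dest", "")).lower()
    # 1. Googlebot UA from something that is not a browser.
    if "googlebot" in ua.lower() and proc and proc not in BROWSERS:
        hits.append("googlebot_ua_non_browser")
    # 2. Stager download / settings paths.
    if url.path.startswith(STAGING_PATH_PREFIXES):
        hits.append("staging_path")
    # 3. Published C2 addresses and domains.
    if host in KNOWN_IOCS or ev.get("dest", "") in KNOWN_IOCS:
        hits.append("known_ioc")
    # 4. "google.*" look-alike hostnames.
    if host and is_google_lookalike(host):
        hits.append("google_lookalike_host")
    return hits


# Constructed sample log lines (timestamps, processes and URLs are made up).
SAMPLE_LOG = [
    'ts=2025-06-02T10:14:03Z process="rundll32.exe" ua="Googlebot" '
    'url="http://173.44.141.89/service/download/one" dest=173.44.141.89 status=200',
    'ts=2025-06-02T10:14:05Z process="chrome.exe" ua="Mozilla/5.0" '
    'url="https://www.google.com/search?q=installer" dest=142.250.0.1 status=200',
    'ts=2025-06-02T10:15:11Z process="powershell.exe" ua="Mozilla/5.0" '
    'url="https://google.herionhelpline.com/service/settings/x" dest=80.77.23.48 status=200',
    'ts=2025-06-02T10:16:00Z process="outlook.exe" ua="Mozilla/5.0" '
    'url="https://mail.example.net/owa" dest=203.0.113.10 status=200',
]


def run(lines=SAMPLE_LOG) -> dict:
    """Map line index -> hits for every line that triggers at least one rule."""
    return {i: h for i, h in ((i, triage(l)) for i, l in enumerate(lines)) if h}


if __name__ == "__main__":
    for idx, hits in run().items():
        print(idx, hits)
```

Lines 0 and 2 of the sample are flagged (line 0 on all of UA, path and IoC; line 2 on path, IoC and look-alike host), while the legitimate Google search and the mail traffic pass. Expect the IoC set to churn, as the page notes; the UA, path and look-alike rules are the ones that survive infrastructure rotation.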

Linux/Mac

  • Watch for mshta/curl or powershell-core spawned from browsers/terminals following clipboard events; isolate hosts contacting CastleBot C2s.

MITRE ATT&CK mapping (representative)

  • T1204 User Execution (ClickFix; fake installers) (Unit 42; IBM)
  • T1566.002 Phishing: Spearphishing Link (lure pages) (Unit 42)
  • T1574.002 DLL Side-Loading (jp2launcher.exe → msvcp140.dll) (Unit 42)
  • T1059 Command and Scripting Interpreter (PowerShell/MSHTA) (Unit 42)
  • T1105/T1071.001 Ingress Tool Transfer / C2 over HTTP(S) (tasking & payload fetch) (IBM)
  • T1027/T1140 Obfuscated Files / Deobfuscate content (crypters, XOR, staged PE) (IBM)

Defensive playbook (what to do today)

  1. Block & monitor IOCs (above) and patterns: UA=Googlebot from non-browsers; /service/download traffic; fake “google” hostnames. (IBM)
  2. Kill ClickFix at the edge: turn on clipboard-access alerts in browsers, enforce SmartScreen/URL filtering, and block MSHTA, curl-from-browser, and PowerShell running outside Constrained Language Mode. (Unit 42)
  3. Stop DLL sideload chains: WDAC/AppLocker allow-lists; flag jp2launcher.exe network/process anomalies; monitor Temp/AppData DLL loads. (Unit 42)
  4. Harden developer workflows: verify GitHub repos via checksums/signatures; restrict unsigned installers; prefer package managers with signature checks. (The Hacker News)
  5. EDR tuning: detect RWX memory, self-injection, and process hollowing; alert on AutoIt-compiled droppers (“Dave” crypter noted in CastleBot chains). (IBM)
  6. Ransomware preemption: disable legacy remote tools (e.g., NetSupport when not needed), enforce MFA, privilege tiering and ASR rules, and make backups immutable.

Analyst notebook — selected technical crumbs

  • Core retrieval quirks: Stager pulls payloads with UA “Googlebot”; decrypts with a XOR key (example observed) before mapping the PE. (IBM)
  • Campaign tasking: A single C2 “settings” response can instruct three different payloads (e.g., Rhadamanthys, Remcos, DeerStealer) with distinct install paths/launch methods. (IBM)
  • WarmCookie linkage: CastleBot dropped WarmCookie in June campaigns; WarmCookie infrastructure was previously hit by Operation Endgame (2024) but remains in use by crimeware crews. (IBM)

Incident response checklist

  1. Isolate host(s); capture full memory and proxy logs.
  2. Triage for: ClickFix PowerShell/MSHTA traces, jp2launcher.exe chains, UA anomalies, /service/download hits. (Unit 42; IBM)
  3. Hunt payloads (NetSupport, WarmCookie, Remcos, Rhadamanthys, DeerStealer, HijackLoader). (IBM)
  4. Rotate creds/tokens, check for lateral movement, and preempt ransomware staging (disable remote admin tools, kill scheduled tasks, clean startup entries).

Sources & further reading

  • IBM X-Force: Dissecting the CastleBot MaaS operation (architecture, IOCs, campaigns, payloads). Published Aug 6, 2025.
  • The Hacker News summarizing PRODAFT: CastleLoader infections, ClickFix & fake GitHub vectors; 469 infections / 1,634 attempts. Jul 24, 2025 (updated Aug 9).
  • Palo Alto Networks Unit 42: ClickFix technique deep dive & NetSupport loader case study. Jul 10, 2025.
