# Full Report
Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future's Insikt Group, which was previously tracking it as TAG-150.
# Analysis Summary
# Threat Actor: GrayBravo (formerly TAG-150)
## Attribution & Identity
* **Primary Name:** GrayBravo (assigned by Recorded Future's Insikt Group).
* **Previous Alias:** TAG-150.
* **Nature of Operation:** Operates a Malware-as-a-Service (MaaS) offering centered around the CastleLoader tool.
* **Characteristics:** Rapid development cycles, technical sophistication, and responsiveness to public reporting.
## Activity Summary
GrayBravo (via CastleLoader MaaS) is enabling at least four distinct threat activity clusters (TAG-160, TAG-161, Cluster 3, Cluster 4) to conduct malicious operations. GrayBravo itself is characterized by continuous improvement and expansion of its user base and infrastructure.
**Observed Activity Clusters Leveraging CastleLoader:**
* **Cluster 1 (TAG-160):** Active since at least March 2025. Targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader. Uses fraudulent/compromised accounts on freight-matching platforms (e.g., DAT Freight & Analytics, Loadlink Technologies).
* **Cluster 2 (TAG-161):** Active since at least June 2025. Uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0.
* **Cluster 3:** Active since at least March 2025. Uses infrastructure impersonating Booking.com alongside ClickFix and Steam Community pages (as dead drop resolvers) to deliver CastleRAT via CastleLoader.
* **Cluster 4:** Active since at least April 2025. Uses malvertising and fake software update lures (masquerading as Zabbix and RVTools) to distribute CastleLoader and NetSupport RAT.
## Tactics, Techniques & Procedures
* **Core Capability:** Distribution/offering of the **CastleLoader** malware.
* **Custom Toolset:** Utilizes **CastleRAT** (Remote Access Trojan) and **CastleBot** (a malware framework consisting of a shellcode stager/downloader, a loader, and a core backdoor).
* **Delivery Mechanisms:** Phishing, ClickFix campaigns, malvertising, and fake software updates.
* **Infrastructure Use:** Employs multi-tiered infrastructure, including victim-facing C2 servers and multiple likely backup VPS servers.
* **Deception:** Mimics authentic communications from legitimate logistics firms; Cluster 3 uses Steam Community pages as a dead drop resolver.
* **Payload Distribution:** The CastleBot core module retrieves and executes DLL, EXE, and PE payloads from its C2.
* **Post-Delivery TTPs:** Beyond delivery, specific TTPs depend on the individual malware families distributed through the MaaS and are not detailed here.
## Targeting
* **Sectors:** Logistics sector (explicitly mentioned for Cluster 1), various industries (implied by the breadth of distributed malware).
* **Geography:** Not specified in detail, but Cluster 1 leveraged platforms relevant to North American logistics (DAT Freight & Analytics, Loadlink Technologies).
* **Victims:** Organizations within the transportation and logistics sectors are explicitly targeted by Cluster 1.
## Tools & Infrastructure
* **Primary Loader/MaaS Tool:** CastleLoader.
* **GrayBravo Native Tools:** CastleRAT, CastleBot (Stager/Downloader, Loader, Core Backdoor components).
* **Distributed Malware Families (Examples):** DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, Hijack Loader.
* **Infrastructure Elements:** Tier 1 victim-facing C2 servers; multiple VPS servers (as backups); impersonation of Booking.com infrastructure; use of freight-matching platforms for account compromise/impersonation.
* **URLs/IPs:** None provided in the source report.
## Implications
GrayBravo represents a significant threat due to its role as a sophisticated, rapidly evolving MaaS provider. The expansion of its 'user base' means diverse threat actors (identified as TAG-160, TAG-161, and others) gain access to advanced, custom-developed tooling (CastleLoader/CastleRAT/CastleBot) tailored for initial access. This increases the complexity of attribution and allows lower-skilled actors to execute high-impact campaigns against targeted sectors like logistics.
## Mitigations
* **Defensive Focus on Initial Access:** Enhance security measures against phishing, ClickFix lures, and malvertising.
* **Monitor for Impersonation:** Implement strict scrutiny of communications mimicking logistics platforms (DAT Freight & Analytics, Loadlink Technologies) and booking services (Booking.com).
* **Endpoint Detection:** Maintain robust Endpoint Detection and Response (EDR) capable of detecting the execution chains associated with loaders like CastleLoader and the behaviors of the diverse secondary payloads (Stealers, RATs).
* **Infrastructure Monitoring:** Organizations utilizing freight-matching platforms should ensure account integrity and monitor for unauthorized activity associated with credential compromise.