CASTLELOADER
Type: APT / Threat Group
Last seen: Mar 17, 2026
Intelligence Profile
CastleLoader payloads are distributed as portable executables (PEs) that carry an embedded shellcode stub. The stub invokes the loader's main module, which connects to the C2 server to fetch and execute the next-stage malware.
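A loader packaged this way leaves a structural trace that a triage script can look for before any dynamic analysis: the embedded, usually encrypted or packed, shellcode shows up as a large high-entropy blob in a section that should hold plain data, and some packaging schemes additionally map a section both writable and executable. The following stand-alone Python script, added here as an example and not taken from the page or from any CastleLoader sample, parses the PE section table directly (no third-party PE library), computes per-section Shannon entropy and reports those two indicators. The PE it analyses is constructed inside the block, the entropy threshold (7.0 bits/byte) and minimum blob size (256 bytes) are assumed generic triage values, and a match is a lead for further analysis, not a CastleLoader signature.

```python
# Added example: PE section triage for embedded-shellcode loaders.
# Assumptions: the sample PE is constructed below (not a real binary) and the
# thresholds are generic triage values, not a signature for any family.
from __future__ import annotations

import hashlib
import math
import struct
from dataclasses import dataclass

# IMAGE_SCN_* section characteristic flags (winnt.h).
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
FILE_ALIGN = 0x200


@dataclass
class Section:
    name: str
    raw_size: int
    raw_ptr: int
    characteristics: int
    entropy: float  # Shannon entropy of the raw bytes, 0..8 bits/byte


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name, raw_size, raw_ptr, chars, shannon_entropy(data)))
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.0, min_size: int = 256) -> list[str]:
    """Flag sections that look like an embedded packed/encrypted blob or an RWX mapping."""
    findings = []
    for s in parse_sections(pe):
        executable = bool(s.characteristics & SCN_MEM_EXECUTE)
        writable = bool(s.characteristics & SCN_MEM_WRITE)
        if executable and writable:
            findings.append(f"{s.name}: writable+executable section")
        if s.entropy >= entropy_threshold and s.raw_size >= min_size:
            findings.append(
                f"{s.name}: high-entropy blob ({s.entropy:.2f} bits/byte, {s.raw_size} bytes)")
    return findings


# --- constructed sample (not a real binary) ---------------------------------

def pseudo_random_blob(n: int, seed: bytes = b"sample-blob") -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted shellcode."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections: list[tuple[str, bytes, int]]) -> bytes:
    """Minimal PE32: DOS stub, COFF header, zeroed optional header, section table."""
    opt_size = 0xE0
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; rest left zeroed
    table, body, vaddr = b"", b"", 0x1000
    for name, data, chars in sections:
        size = (len(data) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr, size,
                             raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(size, b"\0")
        raw_ptr += size
        vaddr += (size + 0xFFF) & ~0xFFF
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(raw_ptr - sum(len(d.ljust((len(d) + FILE_ALIGN - 1)
                         & ~(FILE_ALIGN - 1), b"\0")) for _, d, _ in sections), b"\0") + body


# .text: a tiny low-entropy code stub; .data: a 4 KiB blob mimicking embedded shellcode.
SAMPLE_SECTIONS = [
    (".text", b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 64 + b"\xc3",
     SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".data", pseudo_random_blob(4096), SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
]

if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_SECTIONS)
    for s in parse_sections(sample):
        print(f"{s.name:<8} {s.raw_size:>6} bytes  entropy {s.entropy:.2f}")
    for line in triage(sample):
        print("FLAG", line)
```

Run it on a real sample by replacing `sample` with the file's bytes; the entropy check is the one that matters for this family's packaging, since the stub itself is ordinary code and only the embedded payload stands out. Expect false positives from legitimately compressed resources (.rsrc with images, certificate tables), so treat a hit as a reason to extract and examine the blob, not as a verdict.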
Threat Analysis
This page carries no attribution data: sophistication, national origin and motivation are all recorded as unknown. Malpedia catalogues CastleLoader as a Windows malware family (win.castleloader), a loader, rather than as a threat actor, and Recorded Future's reporting listed below ties its activity clusters to the GrayBravo group. Treat the "APT / Threat Group" label as a catalogue type, not as an attribution.
Intelligence Reports Mentioning CASTLELOADER
ClickFix Removes Your Background but Leaves the Malware
Huntress Blog, Apr 30, 2026
GrayBravo's CastleLoader Activity Clusters Target Multiple Industries
Recorded Future Blog, Dec 8, 2025
Quick Facts
Type: APT / Threat Group
Aliases (2): CASTLELOADER, win.castleloader
External Intelligence
Malpedia: win.castleloader
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.