HOMETHREATSCASTLELOADER
APT / THREAT GROUP

CASTLELOADER

2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

CastleLoader payloads are distributed as portable executables containing an embedded shellcode, which then invokes the main module of the loader that, in turn, connects to the C2 server in order to fetch and execute the next-stage malware.

Threat Analysis

CASTLELOADER is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Intelligence Reports Mentioning CASTLELOADER

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

CASTLELOADERwin.castleloader

External Intelligence

Malpedia: win.castleloader

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.