Recorded Future identifies four threat clusters using CastleLoader

Recorded Future’s Insikt Group has identified four distinct activity clusters leveraging a malware loader known as CastleLoader and has assigned the operator the name GrayBravo; the group said it previously tracked the actor as TAG-150.

The actor’s toolset includes a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which is composed of a shellcode stager/downloader, a loader, and a core backdoor. The CastleBot loader injects a core module that contacts command-and-control servers to retrieve tasks and download and execute DLL, EXE and PE payloads. Observed payloads distributed via the framework include DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE and other loaders such as Hijack Loader.

Recorded Future’s analysis identified four operational clusters that use distinct tactics: one cluster (TAG-160) targeting the logistics sector with phishing and ClickFix techniques; a second (TAG-161) running Booking.com-themed ClickFix campaigns and distributing additional malware; a third impersonating Booking.com infrastructure and using Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader; and a fourth using malvertising and fake software update lures posing as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT. The earliest observed activity of the clusters ranges from March to June 2025, depending on the cluster.

GrayBravo operates a multi-tiered infrastructure that includes victim-facing command-and-control servers associated with CastleLoader, CastleRAT, SectopRAT and WARMCOOKIE, as well as multiple VPS servers that appear to serve as backups. One cluster was observed using fraudulent or compromised accounts on freight-matching platforms such as DAT Freight & Analytics and Loadlink Technologies to increase the credibility of phishing campaigns against logistics firms.

Recorded Future assessed that CastleLoader is being adopted by multiple threat actors, increasing the number of operational clusters that leverage the loader and indicating a malware-as-a-service style proliferation. The firm also noted the actor’s rapid development cycle, technical sophistication and evolving infrastructure in its reporting and characterised the trend as an expansion of the loader’s user base.

The reporting did not provide attribution of GrayBravo to a nation state or a named criminal group and said linkage to a prior unattributed campaign against North American transportation and logistics companies was assessed with low confidence.