CastleBot MaaS Unleashes Diverse Payloads in Coordinated Ransomware Attacks


IBM X-Force has uncovered CastleBot, a nascent malware framework operating as a Malware-as-a-Service (MaaS) platform, enabling cybercriminals to deploy a spectrum of payloads ranging from infostealers to sophisticated backdoors implicated in ransomware operations.

First detected in early 2025 with heightened activity since May, CastleBot facilitates the delivery of threats like NetSupport and WarmCookie, which have historical ties to ransomware attacks.

This framework’s flexibility allows operators to filter victims, manage infections, and precisely target high-value assets by gathering host enumeration data such as usernames, NetBIOS names, system architecture, and unique victim IDs calculated via a linear congruential generator from volume serial numbers.

CastleBot infection chain

The malware’s core component communicates with command-and-control (C2) servers using ChaCha-encrypted serialized containers over HTTP, requesting tasks that can include multiple payloads in a single campaign, thereby complicating traditional detection methods.

Malware-as-a-Service Landscape

CastleBot’s infection chain begins with trojanized software installers distributed through fake websites bolstered by SEO poisoning, where malicious pages outrank legitimate ones in search results.

It has also been observed leveraging GitHub repositories impersonating valid software and the ClickFix technique to lure users.

The three-stage architecture comprises a lightweight shellcode stager that downloads and decrypts payloads using XOR keys like “GySDoSGySDoS,” followed by a loader that maps PE sections, resolves imports, and manipulates PEB_LDR_DATA structures to mimic legitimate module loading, evading endpoint detection and response (EDR) tools.
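As an added example (not X-Force's code and not from the report), the following shows how an analyst can recover a repeating XOR key of the kind described above from a stager-downloaded blob, using the well-known first bytes of a PE's DOS header as known plaintext, then decrypt and validate the result. The encrypted sample is constructed inline with the key quoted in the article; everything else (function names, the minimal fake PE) is assumed for illustration.

```python
import struct

# Canonical first 16 bytes of a DOS header: this prefix is shared by nearly every
# linker-produced PE, which makes it reliable known plaintext for key recovery.
PE_KNOWN_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (symmetric: encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, key_len: int, known: bytes = PE_KNOWN_PREFIX) -> bytes:
    """Derive a key of key_len bytes by XORing the blob against known plaintext."""
    if key_len > len(known):
        raise ValueError("not enough known plaintext for that key length")
    return bytes(blob[i] ^ known[i] for i in range(key_len))


def decrypt_and_validate(blob: bytes, key: bytes):
    """Decrypt and return the PE only if both the MZ and PE signatures check out."""
    pe = xor_with_key(blob, key)
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return pe


def build_sample_pe() -> bytes:
    """Constructed minimal PE image: DOS header pointing at a PE signature at 0x40."""
    dos = bytearray(PE_KNOWN_PREFIX) + bytes(0x40 - len(PE_KNOWN_PREFIX))
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: a fake PE encrypted with the 12-byte key quoted in the article.
SAMPLE_KEY = b"GySDoSGySDoS"
ENCRYPTED_SAMPLE = xor_with_key(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_SAMPLE, 12)
    print("recovered key:", key)
    print("valid PE:", decrypt_and_validate(ENCRYPTED_SAMPLE, key) is not None)
```

Note that "GySDoSGySDoS" has a period of six, so a six-byte key recovered the same way decrypts the sample just as well; in practice try short lengths first and stop at the first key that validates.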

CastleBot Loader main function

According to the report, the core backdoor, employing API hashing for API resolution, decrypts its configuration, including campaign IDs and ChaCha keys, and registers with the C2 by sending encrypted host data.

Tasks are executed based on launch methods, such as process injection via NtManageHotPatch hooking to bypass Windows 11 24H2 checks, or persistence through scheduled tasks using the ITaskService COM interface.

Recent updates in July 2025 introduced enhancements like WOW64 bypass for 32-bit binaries and expanded launch methods, including MSI execution via msiexec.exe and advanced injection using QueueUserAPC for reduced API calls.

Campaigns analyzed by X-Force reveal diverse payloads: one chain starting with a weaponized SSMS installer decrypts CastleBot via Dave Loader, deploying WarmCookie from a C2 at 170.130.165.112; another delivers Rhadamanthys, Remcos, and DeerStealer in sequence.

NetSupport deployments exploit ClickFix on fake DocuSign sites, while others involve SecTopRAT, HijackLoader, and MonsterV2, often via ZIP archives and DLL sideloading.

This MaaS model’s affiliate-driven nature, with private distribution, underscores its potential for escalating to ransomware, as seen in ties to Operation Endgame targets.

Ongoing Evolution

As CastleBot evolves, incorporating anti-VM checks, fake error messages, and adaptive injection techniques, defenders must prioritize updated EDR, user training against unverified downloads, multi-factor authentication, and blocking non-HTTPS outbound traffic.

X-Force anticipates further refinements to counter security measures, signaling a shift toward dynamic, SEO-poisoned initial access vectors in cybercrime.

Indicators of Compromise (IoCs)

| Indicator Type | Indicator | Context |
| --- | --- | --- |
| URL | http://173.44.141.89/service/ | CastleBot C2 server |
| URL | http://mhousecreative.com/service/ | CastleBot C2 server |
| SHA256 | 202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04 | CastleBot core |
| SHA256 | 5bca7f1942e07e8c12ecd9c802ecdb96570dfaaa1f44a6753ebb9ffda0604cb4 | WarmCookie payload |
| IPv4 | 170.130.165.112 | WarmCookie C2 server |
