A sophisticated new malware framework named CastleBot has emerged as a significant threat to cybersecurity, operating as a Malware-as-a-Service (MaaS) platform that enables cybercriminals to deploy diverse malicious payloads ranging from infostealers to backdoors linked to ransomware attacks.
First appearing in early 2025, the malware has demonstrated remarkable adaptability and technical sophistication, with activity levels surging significantly starting in May 2025.
CastleBot’s primary distribution method involves trojanized software installers downloaded from fake websites, exploiting SEO poisoning techniques that cause malicious pages to rank higher than legitimate software distributors in search engine results.
This approach lures unsuspecting users into launching infections themselves, representing a growing trend in cybercrime where social engineering replaces traditional technical exploits.
The malware has also been distributed through GitHub repositories impersonating legitimate software and via the increasingly popular ClickFix technique.
The framework’s versatility becomes apparent through its deployment of various high-impact payloads, including NetSupport and WarmCookie backdoors that have been directly linked to ransomware operations.
IBM analysts identified CastleBot as part of a broader ecosystem enabling ransomware attacks, noting that the malware allows operators to easily filter victims, manage ongoing infections, and deploy malware to high-value targets with precision.
What makes CastleBot particularly concerning is its three-stage architecture consisting of a stager/downloader, a loader, and a core backdoor component.
This modular approach provides operators with exceptional flexibility in payload deployment while complicating detection efforts.
The malware communicates with command and control servers to request specific tasks, enabling dynamic campaign management and real-time payload updates based on victim profiling.
Three-Stage Infection Chain
CastleBot’s technical sophistication lies in its multi-layered infection process that begins with a lightweight shellcode stager.
This initial component downloads two payloads via HTTP requests using the User Agent “Go” with varying suffixes between samples.
The stager retrieves files from URLs such as http://173.44.141.89/service/download/data_3x.bin and http://173.44.141.89/service/download/data_4x.bin, which are then decrypted using hardcoded XOR strings like “GySDoSGySDOS”.
The malware employs the DJB2 hashing algorithm for API resolution at runtime, making static analysis more challenging.
Upon successful payload retrieval, the stager uses VirtualProtect to enable execution on the heap, directly executing the CastleBot Loader component in memory while passing the core backdoor as an argument.
The CastleBot Loader represents a fully-featured PE loader that maps sections into memory regions allocated via NtAllocateVirtualMemory.
Notably, it establishes new LDR_DATA_TABLE_ENTRY and LDR_DDAG_NODE structures, adding them to the PEB_LDR_DATA linked lists to make injected payloads appear legitimately loaded by the operating system, effectively evading EDR detection mechanisms that monitor the Process Environment Block.
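As an added analyst-side example (not code from the article or from the CastleBot sample itself), the helper below shows how an investigator can resolve DJB2-hashed API names found in a stager and strip the repeating-key XOR layer from a downloaded blob; it assumes the standard DJB2 variant (seed 5381, h = h*33 + c, 32-bit) and plain repeating-key XOR with the key quoted above, and the API list and the encrypted sample are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

# Assumed standard DJB2 variant; real samples sometimes tweak the seed or multiplier.
def djb2(name: str) -> int:
    """DJB2 hash of an ASCII API name, truncated to 32 bits."""
    h = 5381
    for ch in name.encode("ascii"):
        h = ((h * 33) + ch) & 0xFFFFFFFF
    return h

# Constructed candidate list: APIs named in the article plus common loader imports.
CANDIDATE_APIS = [
    "VirtualProtect", "NtAllocateVirtualMemory", "LoadLibraryA",
    "GetProcAddress", "VirtualAlloc", "CreateThread", "WinHttpOpen",
]

def build_hash_table(names=CANDIDATE_APIS) -> Dict[int, str]:
    """Precompute hash -> name so hashes seen in a sample can be looked up."""
    return {djb2(n): n for n in names}

def resolve_hash(h: int, table: Optional[Dict[int, str]] = None) -> Optional[str]:
    """Map a 32-bit hash from the sample back to an API name, if it is in the table."""
    table = table if table is not None else build_hash_table()
    return table.get(h & 0xFFFFFFFF)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

XOR_KEY = b"GySDoSGySDOS"   # key string quoted in the article

def decrypt_and_check(blob: bytes, key: bytes = XOR_KEY) -> Tuple[bytes, bool]:
    """Decrypt a downloaded blob and report whether it now starts with a PE 'MZ' header."""
    plain = xor_with_key(blob, key)
    return plain, plain[:2] == b"MZ"

if __name__ == "__main__":
    # Constructed sample: a fake PE stub encrypted with the article's key.
    encrypted = xor_with_key(b"MZ\x90\x00fake-stage-2", XOR_KEY)
    plain, is_pe = decrypt_and_check(encrypted)
    print(f"decrypted={plain!r} looks_like_pe={is_pe}")
    for h in (djb2("VirtualProtect"), 0xDEADBEEF):
        print(f"{h:#010x} -> {resolve_hash(h)}")
```

Extending CANDIDATE_APIS with a full export list from kernel32.dll and ntdll.dll turns the table into a practical resolver for hashed imports in a captured stager.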