CastleLoader Malware Spreads Through Bogus GitHub Repos, Hits Hundreds

Security researchers have uncovered a new, flexible malware loader called CastleLoader. This nasty piece of software is being used in campaigns to distribute various info stealers and remote access trojans (RATs).

The attacks often start with Cloudflare-themed ClickFix phishing schemes. Crooks are also creating fake GitHub repositories that look like legitimate applications, according to a report by Swiss cybersecurity firm PRODAFT.

CastleLoader, first spotted earlier this year, is spreading malware like DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and even other loaders like Hijack Loader. Quite the payload!

"It uses dead code injection and packing tricks to make analysis difficult," PRODAFT explained. "After it unpacks itself, it connects to a command-and-control (C2) server, grabs the modules it needs, and executes them."

CastleLoader's design lets it act as both a delivery truck and a staging area. This allows the attackers to separate the initial infection from the actual malware deployment. This makes it harder to figure out who's behind the attacks and respond effectively. It also gives the bad guys more flexibility to change their tactics over time.

The malware is delivered as portable executables containing a shellcode. This shellcode then kicks off the main module of the loader, which connects to the C2 server to download and run the next stage of the malware.

The attacks often rely on the popular ClickFix technique, using fake domains that pretend to be software development libraries, video conferencing platforms, browser updates, or document verification systems. These sites trick users into copying and running PowerShell commands that start the infection chain.

Victims often land on these fake domains through Google searches. The sites display fake error messages and CAPTCHA verification boxes, tricking users into following instructions to "fix" the issue.

Another trick? CastleLoader uses fake GitHub repositories that look like legitimate tools. If users unknowingly download these, they're infecting their machines with malware.

"This technique plays on developers' trust in GitHub and their willingness to run installation commands from repositories that seem trustworthy," PRODAFT noted.

This social engineering tactic is similar to those used by initial access brokers (IABs), highlighting its role in the larger cybercrime ecosystem.

PRODAFT has seen Hijack Loader being delivered via DeerStealer and CastleLoader, with CastleLoader also spreading different versions of DeerStealer. This suggests that these campaigns are interconnected, even if they're being run by different groups.

Since May 2025, CastleLoader campaigns have used seven different C2 servers. Over 1,634 infection attempts have been recorded during that time. Analysis of the C2 infrastructure and its web-based panel shows that at least 469 devices were compromised, resulting in an infection rate of about 28.7%.

Researchers also found anti-sandboxing and obfuscation techniques, common in advanced loaders like SmokeLoader or IceID. Combined with PowerShell abuse, GitHub impersonation, and dynamic unpacking, CastleLoader demonstrates a growing trend toward stealthy malware loaders that act as stagers in malware-as-a-service (MaaS) schemes.

"Castle Loader is a new and active threat, quickly being adopted by various malicious campaigns to deploy other loaders and stealers," PRODAFT said. "Its sophisticated anti-analysis techniques and multi-stage infection process make it an effective primary distribution method in today's threat landscape."

"The C2 panel shows operational capabilities typically seen in malware-as-a-service (MaaS) offerings, suggesting the operators have experience building cybercriminal infrastructure."