A sophisticated malware loader known as CastleLoader<\/strong><\/a> has emerged as a critical threat to US government agencies and critical infrastructure organizations.<\/p>\n First identified in early 2025, this stealthy malware has been used as the initial access point in coordinated attacks targeting multiple sectors including federal agencies, IT firms, logistics companies, and essential infrastructure providers across North America and Europe. <\/p>\n Security researchers have documented that a single CastleLoader campaign impacted approximately 460 distinct organizations, with particular focus on compromising government systems in the United States.<\/p>\n CastleLoader operates as a multi-stage loader that delivers secondary payloads directly into system memory, making it exceptionally difficult for traditional security defenses to detect. <\/p>\n The malware\u2019s primary function is to establish an initial foothold on compromised systems, after which it deploys more dangerous tools including information stealers and remote access trojans that give attackers complete control over infected networks. <\/p>\n The loader\u2019s universal nature and high infection rate have made it a preferred tool among threat actors who seek to compromise high-value targets while evading detection systems.<\/p>\n View analysis\u00a0<\/strong><\/a><\/p>\n The attack vector for CastleLoader typically involves social engineering techniques known as ClickFix, where victims are deceived through fake software update prompts or system verification messages.<\/p>\n When users comply with these fake requests, they unknowingly execute malicious commands that deliver CastleLoader as the second stage of the attack chain. <\/p>\n This deceptive approach has proven remarkably effective at bypassing user awareness training and initial security controls.<\/p>\n Any.Run analysts and researchers noted<\/strong><\/a> the malware\u2019s sophisticated architecture during their detailed investigation, identifying a carefully orchestrated execution chain designed specifically to evade modern security tools.<\/p>\n The analysis revealed that CastleLoader does not operate as a simple executable but instead relies on a complex layered approach that makes every stage appear relatively benign on first inspection.<\/p>\n This method allows the malware to distribute its malicious activity across multiple legitimate-looking processes, effectively hiding in plain sight.<\/p>\n Prevent attacks by tapping into\u00a099% unique IOCs\u00a0Integrate TI Feeds for better proactive defense CastleLoader\u2019s infection mechanism represents a masterclass in stealth and obfuscation. <\/p>\n The malware arrives packaged as an Inno Setup installer file containing multiple components, including AutoIt3.exe and a compiled AutoIt script stored as freely.a3x. <\/p>\n When executed, the AutoIt script initiates the critical next phase: launching the jsc.exe process (a legitimate JScript.NET compiler) with the CREATE_SUSPENDED flag, which pauses the process immediately after creation.<\/p>\n Rather than executing in this suspended state, the malware implements a refined process hollowing technique that injects a fully functional PE executable directly into the jsc.exe memory space. <\/p>\n The technique follows this sequence: first, memory is allocated within the target process using VirtualAllocEX with PAGE_EXECUTE_READWRITE permissions, allowing code execution from the newly allocated area. <\/p>\n Next, the malicious PE image is written into this memory region using WriteProcessMemory. The malware then extracts the PEB (Process Environment Block) address and overwrites the ImageBaseAddress field, ensuring the injected code loads at the correct memory location.<\/p>\n This approach differs from traditional process hollowing techniques, which typically use NtUnmapViewOfSection to remove the original process memory. <\/p>\n By skipping this step, CastleLoader avoids triggering detection mechanisms that monitor for this suspicious activity pattern. The final stages involve SetThreadContext to redirect execution to the injected payload\u2019s entry point, followed by ResumeThread to begin execution. <\/p>\n This entire sequence keeps the malicious code confined to memory without creating suspicious artifacts on disk until initialization completes.<\/p>\n The result is a fully functional malware<\/a> module that exists only in the target process\u2019s memory space after alteration, rendering traditional static signature-based detection ineffective. <\/p>\n Security monitoring tools that rely on process behavior analysis struggle because each individual component appears legitimate when examined separately. <\/p>\n Static file signatures, behavioral heuristics, and conventional process monitoring systems prove unable to detect this sophisticated execution model, making CastleLoader an exceptionally dangerous threat to organizations lacking modern memory-based detection capabilities and endpoint detection and response solutions.<\/p>\n Experience how ANY.RUN\u2019s solutions can power your SOC: Start 14-Day Trial\u00a0<\/a><\/strong><\/p>\n<\/p>\n The post Stealthy CastleLoader Malware Attacking US Government Agencies and Critical Infrastructure<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgvTGQrMXCQj06stCBRElrzCNt2bJoBtpnghbozBjZ1DMSYboOq9BkICBww9JuMDBko0UZuNdl0rJZwUdL3RQNcglluXsH2TLTR4LaLCzlzTUMd_4sL3x691GBKI7HCNwovpTRaTOiQRN8VwySkiBAedfJo3-a0oDC7s_LiTBwtq_IzWyvXkKWPFTCFVA8\/s16000\/The%2520launch%2520of%2520CastleLoader%2520sample%2520showing%2520suspicious%2520processes%2520and%2520network%2520activities%2520detected%2520%28Source%2520-%2520Any.Run%29.webp?ssl=1\")
![\"CastleLoader](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtkqqrOA_ERuoB6KG45ZyGKPwFLtXkCVLgEcuiNiOE6vA_dHZTtK_489E-hXtLuDIeJoDAgs0yeCFspAWllrn4_aKPkfnK9gzlLXc8S2kdxVZvYqXU90V4cgCojGLOH-nbJJ-_NyCs3lHr-RopkkTFt_4u2KLRM7-oWDVw1Gww95sMI55MagYGvcvxOQ4\/s16000\/CastleLoader%2520installer%2520%28Source%2520-%2520Any.Run%29.webp?ssl=1\")
Reach out for details\u00a0<\/a><\/strong><\/p>\nInfection Chain and Evasion Mechanisms<\/strong><\/h2>\n
![\"Files](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgIgaBn03YntmxFEWWOgbXpGkNqgq76y9rVH9v2mnloW-1RO5sqbofF3SWKqXvD0H4Oqd8c0wqmg3WZ7v0PRdr2rEiiuPl9xexW6eeV7TnMpBEI_F5BAv74rZdOD-EIzRZh6Vz3j61ZgdKYIpLFi36rPNROCX-gCstXri3KYLXfGJYWJFy-JlPgGZgT8AE\/s16000\/Files%2520extracted%2520from%2520Inno%2520Setup%2520installer%2520%28Source%2520-%2520Any.Run%29.webp?ssl=1\")
![\"Equates](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgeCwNbFpuVO1JCbu_2ZLBelkMWgurxU1ZDnQD16j1KQQSBUif2cEFDc3UI1-yrqcbTR3sENbggYpcl2-ZwSJqlFMiQ87HmPNj38_LlLPN2fSm7l7KFg3M6bsbTJEahRnRzXq_cloLbQK2rjNNcQIQLzQKaXQsFeXOODM_OnP0Qeg7RTzVpNvONIbnXRW4\/s16000\/Equates%2520table%2520%28Source%2520-%2520Any.Run%29.webp?ssl=1\")
Dynamic analysis from ANY.RUN: Boost DR by\u00a036%, cut MTTR by\u00a021 minutes<\/strong> - Contact for Demo<\/a><\/strong><\/code><\/pre>\n![\"A](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgpvL3hpcPGpWxzWbF9f2lnP7Dp7nWOu8WDtGvoUkS9lzi8Xe86IO1YK0HAmaRw7S-KWUPiR6kyPRSkQ6FQygH20qHiKv08ZzfWHnW3Nn_80spAKWFYgsoAR9booeSc4HGS2qqWd4dsrDgeDmbeqQNVwvMw2zFVY2cTp1HGimyjYKjGbqEut9s4q4COoxM\/s16000\/A%2520breakpoint%2520at%2520WriteProcessMemory%2520%28Source%2520-%2520Any.Run%29.webp?ssl=1\")