A complex new malware framework known as CastleBot has surfaced as a considerable danger to cybersecurity, functioning as a Malware-as-a-Service (MaaS) platform that permits cybercriminals to launch various harmful payloads, including infostealers and backdoors associated with ransomware incidents.
Initially appearing in early 2025, the malware has shown exceptional adaptability and technical prowess, with activity levels escalating dramatically starting in May 2025.
CastleBot’s main distribution technique involves trojanized software installers downloaded from fraudulent sites, utilizing SEO poisoning methods that elevate malicious pages above genuine software distributors in search engine rankings.
This strategy entices unwary users into initiating infections themselves, reflecting a rising trend in cybercrime where social engineering takes the place of conventional technical exploits.
The malware has also been propagated through GitHub repositories masquerading as legitimate software and via the increasingly favored ClickFix method.
The framework’s adaptability is evident through its implementation of several high-impact payloads, including NetSupport and WarmCookie backdoors that have been directly associated with ransomware operations.
IBM analysts recognized CastleBot as part of a more extensive ecosystem facilitating ransomware attacks, pointing out that the malware enables operators to conveniently filter victims, oversee ongoing infections, and deploy malware to high-value targets with precision.
What renders CastleBot especially alarming is its three-stage architecture comprising a stager/downloader, a loader, and a core backdoor element.
This modular design offers operators remarkable flexibility in payload deployment whilst complicating detection attempts.
The malware interacts with command and control servers to solicit specific tasks, permitting dynamic campaign management and real-time payload updates based on victim profiling.
Three-Stage Infection Chain
CastleBot’s technical ingenuity lies in its multi-layered infection mechanism that commences with a lightweight shellcode stager.
This initial element downloads two payloads via HTTP requests, using a User-Agent string of “Go” followed by a suffix that differs across samples.
The stager fetches files from URLs such as http://173.44.141.89/service/download/data_3x.bin and http://173.44.141.89/service/download/data_4x.bin, which are subsequently decrypted using hardcoded XOR strings like “GySDoSGySDOS”.
The malware utilizes the DJB2 hashing algorithm for API resolution at runtime, complicating static analysis.
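As an added analyst-side example (not code from the IBM write-up or from CastleBot itself), the following Python helpers reproduce the two stager traits just described: repeating-key XOR decryption of a fetched payload, and DJB2 hashing of API names to build a lookup table for naming hashed imports found during analysis. It assumes the classic Bernstein DJB2 variant (seed 5381, h*33 + c, 32-bit) and works on constructed sample data; the real sample's hash variant and key handling must be confirmed in a disassembler before trusting matches.

```python
"""Analyst helpers for the two CastleBot stager traits described above:
repeating-key XOR decryption of the fetched payloads and DJB2-hashed
API resolution. Sample data below is constructed; this is not CastleBot code."""
from typing import Dict, Iterable, Optional

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR (the same operation re-encrypts)."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a candidate key produced a PE image."""
    return data[:2] == b"MZ"

def djb2(name: str, seed: int = 5381) -> int:
    """Classic Bernstein DJB2: h = h*33 + c over each byte, kept to 32 bits.
    ASSUMPTION: seed, case folding and NUL handling of the real sample's
    variant must be confirmed against the binary before trusting matches."""
    h = seed
    for c in name.encode("ascii"):
        h = (h * 33 + c) & 0xFFFFFFFF
    return h

def build_hash_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Map DJB2 hash -> API name so hashes found in a sample can be named."""
    return {djb2(n): n for n in api_names}

def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Look up a hash pulled from the disassembly; None if unknown."""
    return table.get(hash_value)

XOR_KEY = b"GySDoSGySDOS"  # key string quoted in the write-up
# Constructed plaintext standing in for a decrypted payload (not a real sample).
SAMPLE_PLAINTEXT = b"MZ\x90\x00constructed PE-like payload body"
SAMPLE_CIPHERTEXT = xor_decrypt(SAMPLE_PLAINTEXT, XOR_KEY)
# APIs named in the write-up plus common loader imports to seed the table.
KNOWN_APIS = ["VirtualProtect", "NtAllocateVirtualMemory", "LoadLibraryA",
              "GetProcAddress", "VirtualAlloc"]
HASH_TABLE = build_hash_table(KNOWN_APIS)

if __name__ == "__main__":
    plain = xor_decrypt(SAMPLE_CIPHERTEXT, XOR_KEY)
    print("decrypted looks like PE:", looks_like_pe(plain))
    for h, name in sorted(HASH_TABLE.items()):
        print(f"0x{h:08x}  {name}")
```

In practice the table is seeded with the export names of the DLLs the loader resolves from, and a hash that does not resolve is the cue to check whether the sample uses a non-standard seed or case folding.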
Upon successful payload retrieval, the stager employs VirtualProtect to enable execution on the heap, directly executing the CastleBot Loader component in memory while passing the core backdoor as an argument.
The CastleBot Loader represents a comprehensive PE loader that maps sections into memory regions allocated using NtAllocateVirtualMemory.
Significantly, it creates new LDR_DATA_TABLE_ENTRY and LDR_DDAG_NODE structures, appending them to the PEB_LDR_DATA linked lists to make injected payloads seem legitimately loaded by the operating system, effectively circumventing EDR detection methodologies that monitor the Process Environment Block.