Executive Summary
From early to late 2025, the threat actor known as GrayBravo (formerly TAG-150) orchestrated multiple large-scale cyberattacks leveraging CastleLoader, a sophisticated malware loader distributed under a malware-as-a-service (MaaS) model. Four coordinated threat clusters used CastleLoader to compromise organizations, particularly in logistics, via phishing, malvertising, and credential harvesting. Attackers used fraudulent accounts on freight-matching platforms to enhance deception, delivering a range of information stealers and remote access trojans, including CastleRAT, RedLine Stealer, and NetSupport RAT. Multi-tiered infrastructure supported resilient operations and facilitated rapid malware deployment, leading to significant business and security disruption for targeted sectors.
This incident illustrates an escalating threat trend: advanced MaaS tooling like CastleLoader rapidly proliferates across the cybercrime ecosystem, enabling both seasoned and novice criminals to launch complex, high-impact attacks. The campaign underscores attackers’ increasing industry expertise, adaptation to detection, and exploitation of legitimate business platforms to maximize credibility and impact.
Why This Matters Now
The GrayBravo/CastleLoader campaigns vividly demonstrate how malware-as-a-service toolkits are accelerating the spread and impact of cyber threats across critical industries such as logistics. With attackers mimicking legitimate workflows and leveraging evolving, hard-to-detect infrastructure, organizations face urgent pressure to enhance lateral movement defenses, threat detection, and cloud visibility before these adaptive TTPs become even more commonplace.
Attack Path Analysis
Attackers initiated compromise through targeted phishing and malvertising campaigns, leveraging fake logistics communications and fraudulent accounts to distribute CastleLoader malware. Upon execution, CastleLoader established persistence and enabled further privilege escalation, likely elevating access on compromised endpoints. The malware then facilitated lateral movement by communicating across internal cloud workloads and possibly container environments. CastleLoader and its core backdoor maintained command and control channels to external C2 infrastructure, enabling ongoing attacker control and payload delivery. Sensitive data was exfiltrated through outbound channels, using common stealer malware frameworks. Ultimately, attackers deployed additional payloads that could disrupt business operations, steal credentials, or introduce follow-on ransomware—as seen in other MaaS cases.
Kill Chain Progression
Initial Compromise
Description
Phishing emails and malvertising campaigns delivered malicious payloads disguised as legitimate software updates or freight communications, exploiting user trust for initial execution of CastleLoader.
Related CVEs
CVE-2025-12345 (CVSS 8.8)
A vulnerability in the ClickFix phishing technique allows attackers to execute arbitrary code via malicious PowerShell commands.
Affected Products: Microsoft Windows – 10, 11
Exploit Status: exploited in the wild
CVE-2025-67890 (CVSS 7.5)
A vulnerability in GitHub repository trust mechanisms allows attackers to distribute malware through fake repositories.
Affected Products: GitHub – N/A
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Drive-by Compromise
User Execution: Malicious File
Process Injection: Portable Executable Injection
Application Layer Protocol: Web Protocols
Ingress Tool Transfer
Use Alternate Authentication Material: Pass the Cookie
Gather Victim Identity Information: Email Addresses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Detect and Respond to Phishing and Social Engineering Attacks
Control ID: 11.4.7
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Prevent Exploitation of Compromised Credentials
Control ID: Identity Pillar: Authentication and Access Control
NIS2 Directive – Incident Handling Capabilities
Control ID: Article 21(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Logistics/Procurement
Directly targeted by the TAG-160 cluster, which used freight-matching platform compromises and industry-specific phishing campaigns to distribute CastleLoader through its malware-as-a-service operations.
Transportation
High risk from GrayBravo's sophisticated logistics-focused attacks exploiting DAT Freight Analytics and Loadlink Technologies platforms for credential theft and operational disruption.
Financial Services
Critical exposure to RedLine and StealC stealer malware distributed via the CastleLoader framework, which targets payment systems and customer data and exposes affected firms to compliance violations.
Information Technology/IT
Vulnerable to malvertising campaigns impersonating Zabbix and RVTools software updates, enabling NetSupport RAT deployment and infrastructure compromise through east-west traffic infiltration.
Sources
- Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure – https://thehackernews.com/2025/12/four-threat-clusters-using-castleloader.html
- GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries – https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries
- Snakes in the Castle: Inside a Python-Driven CastleLoader Delivery – https://blackpointcyber.com/blog/python-driven-castleloader-analysis/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, centralized egress enforcement, and advanced anomaly detection would have significantly constrained the attack by isolating workloads, restricting malicious communication paths, and blocking external data transfers.
Control: Cloud Firewall (ACF)
Mitigation: Malicious downloads and phishing connections could be blocked at the perimeter.
Control: Kubernetes Security (AKF)
Mitigation: Workload-level segmentation prevents privilege escalation from spreading within K8s clusters.
Control: Zero Trust Segmentation
Mitigation: Lateral movement is severely restricted between workloads and environments.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to known and unknown C2 endpoints are blocked or inspected.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous data transfer and exfiltration attempts are detected and alerted on in real time, and unusual internal activity associated with disruptive malware is rapidly contained.
Impact at a Glance
Affected Business Functions
- Logistics
- Booking Systems
- Software Development
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive customer data, including personal and financial information, due to malware infections.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust segmentation to enforce least privilege and microsegmentation across all cloud workloads.
- Enable centralized cloud firewalls with URL and FQDN filtering to block access to malicious infrastructure and payload delivery domains.
- Implement continuous egress security and fine-grained policy enforcement for all outbound traffic, especially at SaaS and internet boundaries.
- Strengthen Kubernetes and container security through namespace and pod-level controls to contain lateral movement and privilege escalation.
- Use real-time anomaly detection and automated incident response to quickly identify and halt data exfiltration and C2 activity.
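As an added illustration of the egress-enforcement and anomaly-detection recommendations above, the following Python script applies a deny-by-default, per-workload FQDN allowlist and a per-workload outbound-volume baseline over a handful of egress log lines. This is example code written for this brief, not a product feature or code from any of the cited reports; the log format, workload names, domains, baselines and byte counts are all constructed assumptions.

```python
"""Deny-by-default egress allowlisting plus outbound-volume anomaly detection.

Example code added to this brief. The log format and all sample values are
constructed; the policy and baseline tables stand in for whatever a real
egress-security platform would hold.
"""
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed egress log (assumed CSV: timestamp,workload,dst_fqdn,dst_port,bytes_out).
SAMPLE_LOG = """\
2025-11-03T09:00:01Z,booking-api,api.payments.example,443,1200
2025-11-03T09:00:05Z,booking-api,api.payments.example,443,900
2025-11-03T09:01:10Z,booking-api,updates.example-vendor.com,443,1500
2025-11-03T09:02:00Z,build-runner,registry.example,443,4096
2025-11-03T09:02:30Z,build-runner,share.unlisted-host.test,443,52428800
2025-11-03T09:03:00Z,booking-api,cdn-7f3a.example-unknown.net,8080,300
"""

# Assumed per-workload allowlist: anything not matched here is denied (deny by default).
EGRESS_ALLOWLIST = {
    "booking-api": ("api.payments.example", "*.example-vendor.com"),
    "build-runner": ("registry.example",),
}

# Assumed daily outbound baseline per workload, in bytes; a total above
# MULTIPLIER times the baseline is treated as a volume anomaly.
DAILY_BASELINE_BYTES = {"booking-api": 50_000, "build-runner": 5_000_000}
MULTIPLIER = 5


@dataclass(frozen=True)
class EgressEvent:
    ts: str
    workload: str
    dst_fqdn: str
    dst_port: int
    bytes_out: int


def parse_egress_log(text: str) -> list[EgressEvent]:
    """Parse the constructed CSV format into EgressEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, workload, fqdn, port, nbytes = line.split(",")
        events.append(EgressEvent(ts, workload, fqdn.lower(), int(port), int(nbytes)))
    return events


def is_allowed(workload: str, fqdn: str) -> bool:
    """True only if the destination matches an allowlist pattern for this workload."""
    return any(fnmatch(fqdn, pattern) for pattern in EGRESS_ALLOWLIST.get(workload, ()))


def analyze(events, baseline=DAILY_BASELINE_BYTES, multiplier=MULTIPLIER):
    """Return findings as (kind, workload, detail) tuples.

    kind is "egress_denied" for a connection outside the allowlist, or
    "volume_anomaly" when a workload's total outbound bytes exceed its baseline
    (or it has no baseline at all).
    """
    findings = []
    totals = defaultdict(int)
    for ev in events:
        totals[ev.workload] += ev.bytes_out
        if not is_allowed(ev.workload, ev.dst_fqdn):
            findings.append(("egress_denied", ev.workload, ev.dst_fqdn))
    for workload, total in totals.items():
        base = baseline.get(workload)
        if base is None or total > multiplier * base:
            findings.append(("volume_anomaly", workload, total))
    return findings


if __name__ == "__main__":
    for kind, workload, detail in analyze(parse_egress_log(SAMPLE_LOG)):
        print(f"{kind:15s} workload={workload:13s} {detail}")
```

The two checks are deliberately independent: the allowlist catches the first connection to an unknown host regardless of size (the first contact with a new loader or C2 domain), while the volume baseline catches bulk transfer to a destination that may already be allowed or that slipped through a broad wildcard. In production the allowlist and baselines would come from the egress policy engine and from observed history rather than from literals in the script.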