home.social

#castleloader — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #castleloader, aggregated by home.social.

  1. FUD #CastleLoader being distributed via malvertising.
    785ba9c42deca8cfc69f1aafb371802782d01bc8156a67c5c0d412c5fb3b4e33

    C2: astroflightvision[.]com

    The signer, "Soft Insanity Oy", led us to find other FUD malware from November.
    1/3

  2. DNS-based staging via ClickFix represents tactical evolution.

    Per Microsoft:
    • Cmd.exe → nslookup execution
    • Hardcoded external DNS resolver
    • Payload embedded in DNS Name: response
    • ZIP retrieval from azwsappdev[.]com
    • Python-based reconnaissance
    • VBScript persistence via Startup LNK
    • ModeloRAT deployment
    • Lumma Stealer distribution via CastleLoader (GrayBravo)

    Campaign telemetry also discussed by Bitdefender and Kaspersky.

    DNS offers:
    • Reduced dependency on HTTP
    • Traffic blending with legitimate queries
    • Lightweight validation signaling

    Detection priorities:
    • Anomalous nslookup patterns
    • External DNS resolver usage
    • Suspicious Startup LNK creation
    • DNS response content inspection

    Is your EDR correlating DNS queries with process lineage?
    Engage below.
    Follow @technadu for advanced threat analysis.

    #ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis
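
The "process lineage" check the post asks about, as an added example that is not part of the post or of Microsoft's write-up: it flags nslookup spawned by cmd.exe whose command line names a resolver outside the sanctioned list. The event field names, the resolver list and the sample events are constructed assumptions.

```python
"""Detection sketch for cmd.exe -> nslookup with a hardcoded external resolver.

Added example; the event shape (Sysmon Event ID 1-like fields), the sanctioned
resolver list and the sample events below are constructed, not from the post.
"""
import ipaddress
import shlex

# Assumed: the organisation's sanctioned recursive resolvers (constructed values).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def explicit_resolver(cmdline):
    """Return the server operand of an nslookup command line, or None.

    Non-interactive form is `nslookup [-opts] name [server]`; the server is the
    second positional argument once option tokens are dropped.
    """
    tokens = shlex.split(cmdline, posix=False)[1:]
    positional = [t for t in tokens if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def is_external(server):
    """True unless the operand is a sanctioned or otherwise private-range resolver.

    A hostname operand (not an IP literal) is treated as external.
    """
    if server in INTERNAL_RESOLVERS:
        return False
    try:
        return not ipaddress.ip_address(server).is_private
    except ValueError:
        return True


def detect(events):
    """Return (pid, resolver) for nslookup children of cmd.exe using an external resolver."""
    hits = []
    for ev in events:
        if (ev["image"].lower().endswith("nslookup.exe")
                and ev["parent_image"].lower().endswith("cmd.exe")):
            server = explicit_resolver(ev["cmdline"])
            if server and is_external(server):
                hits.append((ev["pid"], server))
    return hits


# Constructed process-creation events: one staging-like pattern, two benign lookups.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\nslookup.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nslookup stage.placeholder.test 8.8.8.8"},
    {"pid": 4121, "image": r"C:\Windows\System32\nslookup.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nslookup intranet.corp.example 10.0.0.53"},  # sanctioned resolver
    {"pid": 4122, "image": r"C:\Windows\System32\nslookup.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "nslookup www.example.com 1.1.1.1"},  # not a cmd.exe child
]

if __name__ == "__main__":
    for pid, server in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: cmd.exe -> nslookup via external resolver {server}")
```

Pairing this with Startup-folder LNK creation from the same process tree, as the post's detection priorities suggest, turns a single noisy indicator into a correlated one.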

  6. 📢⚠️ A new CastleLoader variant linked to at least 469 infections, hitting US government agencies and critical sectors across Europe.

    Read: hackread.com/castleloader-vari

    #CyberSecurity #Malware #CastleLoader #USGov #Europe

  7. CastleLoader malware, known for ClickFix-related attacks, has been upgraded with a stealthy Python loader that helps it slip past security defenses.

    Read: hackread.com/castleloader-malw

    #CyberSecurity #Malware #InfoSec #CastleLoader #ClickFix

  8. Mentioned Malware Families: Stealc, CASTLELOADER, NightshadeC2

    Aliases for Stealc: win.stealc
    Malpedia link for Stealc: malpedia.caad.fkie.fraunhofer.
    Aliases for CASTLELOADER: win.castleloader
    Malpedia link for CASTLELOADER: malpedia.caad.fkie.fraunhofer.
    Aliases for NightshadeC2: win.nightshade_c2, CastleRAT
    Malpedia link for NightshadeC2: malpedia.caad.fkie.fraunhofer.

    #Stealc #CASTLELOADER #NightshadeC2

    Aliases provided by Malpedia.

  12. Here's the full infection chain:

    • 198.211.110.107:79 finger connects to finger[.]cloudyape[.]com
    • 172.67.190.68:80 curl tries cloudyape[.]com/uvey.php?holt=2 but server responds with '301 Moved Permanently' and redirects to HTTPS
    • 172.67.190.68:443 dropper download
    • 172.67.190.68:80 curl gets cloudyape[.]com/uvey.php?holt=1 server redirects to HTTPS
    • 172.67.190.68:443 dropper download
    • 170.130.165.201:80 Download of file4.bin (#StealC) with fake GoogeBot user agent
    • 170.130.165.201:80 #StealC v2 C2 / exfiltration
    • 170.130.55.38:80 #CastleLoader traffic
    • 194.76.227.242:9999 #CastleRAT C2 traffic