CastleLoader

Loader, 1 mutex signature

[BASIC_INFORMATION]

FAMILY_NAME:
CastleLoader
CATEGORY:
LOADER
DESCRIPTION:
CastleLoader is a loader malware that first emerged in early 2025, designed to distribute various information stealers and remote access trojans (RATs) through Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories. The malware uses PowerShell commands to download and execute secondary payloads including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, and SectopRAT. CastleLoader employs AutoIT scripts to load shellcode into memory and connects to C2 servers for additional payload delivery. The malware has been observed in campaigns targeting government entities and has achieved a 28.7% infection rate among victims who clicked on malicious links.
ALIASES:
Castle Loader
TAGS:
payload_delivery, multi_stage, loader, phishing, clickfix, powershell, autoit

[MUTEX_SIGNATURES](1)

[MUTEX_01]
10KCnWHtIoABhkL2Cl3u
ANALYST: @adhikara13 DATE: 2025-07-29

[THREAT_INTELLIGENCE]

ATTRIBUTION:
Unknown
FIRST_OBSERVED:
2025

[STATISTICS]

MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:1
TAGS:7
CATEGORY:LOADER

EvilMutex Project v1.0.0

Open Source Threat Intelligence Database