CastleBot: The New MaaS Framework Fueling Info-Stealer & Ransomware Attacks • Daily CyberSecurity

IBM X-Force has unveiled an in-depth analysis of CastleBot, a newly emerging Malware-as-a-Service (MaaS) framework that is quickly becoming a potent weapon in the cybercrime ecosystem. Designed for flexible malware deployment, CastleBot enables operators to deliver a wide range of payloads — from commodity infostealers to backdoors like NetSupport and WarmCookie, both of which have been linked to ransomware incidents.

“CastleBot is currently used by cyber criminals to deliver everything from infostealers to backdoors like NetSupport and WarmCookie… which have been linked to ransomware attacks,” X-Force reports.

First spotted in early 2025, CastleBot infections surged in May, leveraging trojanized software installers as its primary delivery vector. The malware’s operators are increasingly using fake websites and SEO poisoning to ensure their malicious pages outrank legitimate software distributors.

X-Force warns that “trojanized software packages and installers are often distributed via fake websites… [and] part of a growing trend”, with additional campaigns delivering CastleBot through GitHub impersonation and the ClickFix attack technique.

CastleBot operates through a modular architecture consisting of:

Stager – A lightweight shellcode downloader that fetches both the loader and core components, disguised with techniques like DJB2 API hashing and XOR-based payload decryption.
Loader – A stealthy PE loader that integrates payloads into the target process’s PEB_LDR_DATA lists, making them appear legitimately loaded to EDR solutions.
Core Backdoor – An AP hash-based, ChaCha-encrypted backdoor that retrieves configuration from its C2, filters victims, and executes operator-assigned tasks.

CastleBot’s task execution system is highly flexible, supporting multiple launch methods for EXEs, DLLs, PEs, PowerShell scripts, BAT files, and even MSI installers. Tasks can also enable persistence via scheduled tasks and perform process injection — including a new QueueUserAPC-based injection method designed to evade modern Windows 11 memory checks.

Campaigns observed by X-Force show that a single infection can result in multiple payloads being delivered to the same host, including:

NetSupport RAT – Deployed via fake DocuSign and Okta pages using ClickFix.
WarmCookie backdoor – Previously linked to ransomware operators such as TA866/Asylum Ambuscade.
Infostealers – Including Rhadamanthys, Remcos, DeerStealer, SecTopRAT, HijackLoader, and MonsterV2.

“With the fluidity of payloads and the operator’s ability to add multiple tasks and payloads to a single campaign, CastleBot infection chains are more complex in comparison to traditionally static malware stages,” X-Force warns.

Interestingly, IBM’s researchers note the absence of CastleBot in dark web marketplaces. This may suggest a closed affiliate model, limiting access to vetted partners — a strategy that could make campaigns harder to attribute but more targeted and dangerous.

CastleBot’s rapid evolution — including new execution methods, anti-VM checks, and operator-friendly C2 tasking — reflects a growing professionalization of MaaS operations. The framework’s adaptability allows affiliates to pivot quickly between stealing credentials, maintaining persistent access, and delivering ransomware.

X-Force concludes with a warning:

“Within a few short months… the developers have already added several new features and will likely attempt to keep up with adapting EDR and network security solutions.”

Rate this post

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Related Posts:

Support Our Threat Intelligence

Related posts:

Leave a Reply Cancel reply