#castleloader

2026-02-16

DNS-based staging via ClickFix represents tactical evolution.

Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)

Campaign telemetry also discussed by Bitdefender and Kaspersky.

DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signaling

Detection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspection

Is your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.

#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging
Ars Technica News arstechnica@c.im
2026-02-11

Once-hobbled Lumma Stealer is back with lures that are hard to resist arstechni.ca/9U5H #castleloader #infostealer #Security #clickfix #malware #Biz&IT #lumma

👾 #CastleLoader thrives on silence: obfuscation, staged payloads, rotating infrastructure.

⚠️ 28.7% infection rate using #ClickFix + fake GitHub repos. Targets logistics, government, and developers.

See how SOCs can fight back: any.run/malware-trends/castlel

2026-01-15

📢⚠️ A new CastleLoader variant linked to at least 469 infections, hitting US government agencies and critical sectors across Europe.

Read: hackread.com/castleloader-vari

#CyberSecurity #Malware #CastleLoader #USGov #Europe

🚨 #CastleLoader attacks government agencies, compromising up to 400+ devices at once.

Its unusual process hollowing via an AutoIt3 script is hard for EDR to detect.

See full analysis with extracted runtime config, C2s, and #IOCs 👇
any.run/cybersecurity-blog/cas

#cybersecurity #infosec

2025-12-11

📢 GrayBravo: four CastleLoader clusters target several sectors with ClickFix phishing and redundant C2
📝 According to Insikt Group (Recorded Future), with a...
📖 cyberveille: cyberveille.ch/posts/2025-12-1
🌐 source: recordedfuture.com/research/gr
#CastleLoader #ClickFix #Cyberveille

2025-12-11

CastleLoader malware, known for ClickFix-related attacks, has been upgraded with a stealthy Python loader that helps it slip past security defenses.

Read: hackread.com/castleloader-malw

#CyberSecurity #Malware #InfoSec #CastleLoader #ClickFix

2025-12-09

GrayBravo expands its CastleLoader campaigns across four activity clusters, impersonating Booking.com & DAT Freight, using ClickFix phishing, malicious MSI installers, and layered MaaS infrastructure.

Full analysis:
technadu.com/graybravo-expands

#GrayBravo #CastleLoader #ThreatIntel #Malware #CyberSecurity #MaaS #Phishing

GrayBravo Expands CastleLoader Malware Operations with Distinct Activity Clusters, Impersonates ‘Booking’ and ‘DAT Freight’
2025-11-20

Mentioned Malware Families: Stealc, CASTLELOADER, NightshadeC2

Aliases for Stealc: win.stealc
Malpedia link for Stealc: malpedia.caad.fkie.fraunhofer.
Aliases for CASTLELOADER: win.castleloader
Malpedia link for CASTLELOADER: malpedia.caad.fkie.fraunhofer.
Aliases for NightshadeC2: win.nightshade_c2, CastleRAT
Malpedia link for NightshadeC2: malpedia.caad.fkie.fraunhofer.

#Stealc #CASTLELOADER #NightshadeC2

Aliases provided by Malpedia.

NETRESEC netresec@infosec.exchange
2025-11-20

Here's the full infection chain:

  • 198.211.110.107:79 finger connects to finger[.]cloudyape[.]com
  • 172.67.190.68:80 curl tries cloudyape[.]com/uvey.php?holt=2 but server responds with '301 Moved Permanently' and redirects to HTTPS
  • 172.67.190.68:443 dropper download
  • 172.67.190.68:80 curl gets cloudyape[.]com/uvey.php?holt=1 server redirects to HTTPS
  • 172.67.190.68:443 dropper download
  • 170.130.165.201:80 Download of file4.bin (#StealC) with fake GoogeBot user agent
  • 170.130.165.201:80 #StealC v2 C2 / exfiltration
  • 170.130.55.38:80 #CastleLoader traffic
  • 194.76.227.242:9999 #CastleRAT C2 traffic
Malware infection flows in CapLoader
PCAP from https://tria.ge/251028-3g9yps1ncr/behavioral1

2025-08-10

📢 CastleLoader: a modular loader targets US government entities via ClickFix and fake GitHub repositories
📝 According to PolySwarm (reference: blog.polyswarm.io), CastleLoader is a sophisticated malware loader that appeared in early 2025 and which...
📖 cyberveille: cyberveille.ch/posts/2025-08-1
🌐 source: blog.polyswarm.io/castleloader
#C2 #CastleLoader #Cyberveille
