A new malware called CastleLoader has been targeting devices through campaigns delivering a variety of information stealers and remote access trojans, according to The Hacker News.
Threat actors rely on the ClickFix technique, using domains that look like document verification systems, browser update notifications, or videoconferencing platforms. Victims are lured to the phony domains where they encounter fake error messages and CAPTCHA verification boxes, followed by requests to follow instructions to fix the problem and trigger the malware infection. CastleLoader also uses fake GitHub repositories that mimic legitimate tools as a means of distribution, leading users who inadvertently download them to infect their machines with malware. "This technique exploits developers' trust in GitHub and their tendency to run installation commands from repositories that appear reputable," said Swiss cybersecurity company PRODAFT. CastleLoader has compromised 469 devices since May 2025 and has been used to distribute Hijack Loader, Redline, StealC, SectopRAT, NetSupport RAT, and DeerStealer.