AI Defense Lessons From GrayBravo’s CastleLoader

A malware operation doesn’t need “zero-days everywhere” to hurt you. It needs scale, speed, and believable stories—and GrayBravo’s CastleLoader ecosystem checks all three boxes.

Recorded Future tracked GrayBravo (previously TAG-150) as a fast-moving, technically capable operator that appears to run a malware-as-a-service (MaaS) model. The headline detail isn’t just that CastleLoader exists. It’s that investigators can now see four separate activity clusters using it—each with different lures, infrastructure patterns, and victim profiles. That’s the modern problem: defenders aren’t facing one campaign, they’re facing an ecosystem.

This is where AI in cybersecurity earns its budget. Not with vague promises, but by doing the unglamorous work humans can’t keep up with: clustering infrastructure at internet scale, detecting phishing “micro-patterns,” and spotting campaign changes the moment a threat actor pivots. GrayBravo is a clean case study for how to turn threat intelligence into real-time defense.

GrayBravo isn’t one campaign—it's a delivery platform

GrayBravo’s most important trait is operational design: CastleLoader is built to be reused and resold, and it shows. Investigators found distinct clusters that don’t share obvious infrastructure or tactics, which strongly supports MaaS-style usage.

What “MaaS behavior” looks like in the real world

When a loader is offered as a service, you typically see:

• Multiple second-stage payloads delivered through a common initial loader (infostealers, RATs, additional loaders)
• Many admin panels and staging domains, often spun up and torn down quickly
• Infrastructure redundancy, so takedowns don’t stop operations
• Different targeting styles (industry-specific vs broad consumer lures)

GrayBravo checks those boxes. CastleLoader has been observed distributing payloads like HijackLoader, Rhadamanthys, zgRAT, and also feeding into CastleRAT activity.

Why this matters to defenders

Most companies still build detection as if they’re fighting a single “named threat.” But MaaS flips the math: even if you identify the malware family, you still need to stop a rotating set of affiliates who constantly change:

• phishing themes (logistics vs travel)
• landing pages and redirect chains
• hosting providers and domains
• payload mixes

AI-driven detection becomes less optional when the attacker’s core strategy is continuous variation.

The ClickFix problem: social engineering that beats “security awareness”

The fastest route into many organizations in 2025 is still email—especially during end-of-year pressure when teams are approving invoices, reviewing contracts, closing shipments, and finalizing travel.

GrayBravo-linked clusters leaned heavily on ClickFix, a technique that instructs the user to copy/paste and run commands (often PowerShell) under the guise of fixing a viewing or signing problem. That’s not a “dumb user” attack. It’s a workflow hijack attack.

Cluster example: Logistics lures (TAG-160)

TAG-160 impersonated logistics firms, spoofed legitimate senders, abused freight-matching platforms, and used DocuSign-themed pages to push ClickFix steps that ultimately ran a command to:

• download an archive from remote infrastructure
• execute malware (including Python-based execution via pythonw.exe)
• display decoys to reduce suspicion

This cluster also used tactics that create high credibility:

• typosquatted domains that look right at a glance
• re-registered domains that used to belong to legitimate logistics businesses
• signals of compromised infrastructure and credential abuse

Cluster example: Booking.com lures (TAG-161 and separate Booking-themed cluster)

A separate cluster impersonated Booking.com using large sets of lookalike domains and ClickFix, delivering CastleLoader and Matanbuchus (a pricey downloader MaaS reportedly renting for $10,000/month (HTTPS) or $15,000/month (DNS)). Another Booking-themed cluster used Steam Community profiles as dead drops to resolve C2 domains dynamically.

If you’re a defender, here’s the uncomfortable truth: users copy/pasting commands is a detection problem, not a training problem. Training helps, but attackers are optimizing for moments when training loses.

Where AI helps specifically with ClickFix

AI can catch ClickFix-style intrusions earlier by correlating weak signals that look benign alone:

• sudden surges of emails with similar phrasing and “link expiring” urgency
• landing pages that reuse structural elements (HTML/JS fingerprints) across many domains
• unusual endpoint behavior after a browser interaction (clipboard + PowerShell spawn patterns)
• sequences like browser → PowerShell → download → archive extraction → pythonw.exe

A good model doesn’t need perfect malware signatures. It needs to recognize the shape of the attack chain.

Infrastructure clustering is the real battle—and AI can actually win it

GrayBravo’s operations show why static blocking lists feel inadequate. The operation used multi-tier infrastructure (victim-facing C2 plus deeper tiers that likely support operations and resilience), plus redundancy patterns in CastleRAT communications.

Redundancy as a signal, not a nuisance

Investigators observed compromised hosts communicating with multiple CastleRAT C2 servers nearly simultaneously, suggesting deliberate redundancy. That matters because it creates measurable network behavior:

• parallel outbound connections to separate servers in close time windows
• repeated handshake patterns and custom protocol behavior
• clusters linked by shared cryptographic material (for example, RC4 key groupings)

Security teams often treat this as “noise.” I think that’s backwards. Redundancy is a signature of mature operators, and AI excels at spotting repeatable patterns across large telemetry sets.

What to ask your SOC and tooling vendors

If you’re evaluating AI-powered cybersecurity controls, ask questions that map directly to this case:

1. Can you cluster domains and IPs by infrastructure traits, not just known bad IoCs? (WHOIS SOA reuse, certificate reuse, hosting ASN patterns, redirect infrastructure)
2. Can you detect campaign pivots quickly—for example, when a threat actor moves from logistics to travel lures?
3. Can you correlate endpoint + email + network signals into one incident timeline?
4. Do you support huntable detections (Sigma-like logic) plus behavior analytics, so you’re not stuck waiting for signatures?

If the answer is “we detect known malware hashes,” you’re buying last year’s protection.

Turning GrayBravo’s TTPs into practical, AI-assisted defenses

The point of threat research is action. Here are defensive moves that map cleanly to GrayBravo-style activity, with a practical “AI angle” for each.

1) Defend against impersonation at the identity layer

Do this:

• enforce DMARC with alignment and monitor lookalike sender domains
• quarantine first-time senders that mimic vendors (logistics, travel, e-sign)
• watch for reply-to mismatches and newly observed sender domains

AI angle: use ML-based brand impersonation scoring that weighs domain similarity, header anomalies, and historical relationship graphs (who emails whom, how often, and about what).

2) Detect ClickFix by behavior, not keywords

Do this:

• alert when PowerShell is launched shortly after browser sessions from user profile paths
• monitor clipboard-to-shell patterns (copy/paste bursts preceding execution)
• restrict PowerShell where feasible and enforce Constrained Language Mode for non-admin users

AI angle: sequence models can flag suspicious event choreography even if the command string changes.

3) Treat “legitimate internet services” as potential covert channels

Some activity referenced unusual use of legitimate services (for example, paste sites) for staging or resolver-like behavior.

Do this:

• baseline outbound access to file-sharing/paste services by user group
• alert on first-time access plus concurrent suspicious process execution

AI angle: anomaly detection works well here because “normal” is stable for most business units.

4) Prioritize hosting/ASN risk intelligently

Research highlighted patterns tied to suspicious hosting ecosystems (including AS clusters linked to bulletproof hosting narratives).

Do this:

• enrich outbound connections with ASN reputation and campaign history
• apply stricter controls (MFA prompts, step-up auth, sandboxing) for risky destinations

AI angle: graph-based risk scoring can combine ASN, certificate data, passive DNS, redirect topology, and historical incidents.

5) Use detections that survive payload changes

GrayBravo-linked activity delivered multiple payload families. If you key only on one, you’ll miss the rest.

Do this:

• hunt for loader behaviors: staged downloads, suspicious DLL sideloading, archive extraction to temp, rapid Defender exclusion attempts
• monitor for geo-IP lookup behavior used by malware families (for example, calls to IP geolocation services)

AI angle: behavioral clustering catches “loader-like” activity even when the second stage changes.

A practical stance: If your security stack can’t connect email, endpoint, and network telemetry into one story within minutes, MaaS crews will keep slipping through.

What this means for 2026 security planning

GrayBravo’s CastleLoader clusters underline a trend that’s not slowing down: criminal ecosystems are specializing. One team builds infrastructure. Another writes malware. Affiliates run targeted campaigns (logistics) or broad consumer-style lures (travel). The result is faster iteration than most SOCs can match manually.

AI doesn’t replace analysts here; it changes what analysts can spend time on. Let the systems do the heavy lifting:

• cluster new infrastructure the moment it appears
• score phishing waves by similarity and intent
• spot behavioral chains like ClickFix before payloads fully deploy

Then let humans make the hard calls: scoping impact, coordinating response, and hardening business workflows.

If you’re thinking about AI in cybersecurity as a shiny add-on, GrayBravo is the counterargument. AI is how you keep pace when one loader turns into four clusters—and four clusters turn into forty. What would your detection and response look like if that scaling already started inside your environment?