
ANY.RUN Publishes a Deep Dive into CastleLoader, Stealthy Threat to Government Agencies

DUBAI, DUBAI, UNITED ARAB EMIRATES, January 13, 2026 /EINPresswire.com/ -- ANY.RUN has released an extensive CastleLoader analysis, detailing the full execution chain of this stealthy malware loader. It's known to be used in attacks against organizations across multiple industries, including government and critical sectors.

๐‚๐š๐ฌ๐ญ๐ฅ๐ž๐‹๐จ๐š๐๐ž๐ซ: ๐–๐ข๐๐ž๐ฅ๐ฒ ๐”๐ฌ๐ž๐ ๐„๐ง๐ญ๐ซ๐ฒ ๐๐จ๐ข๐ง๐ญ ๐Ÿ๐จ๐ซ ๐‚๐ฒ๐›๐ž๐ซ ๐€๐ญ๐ญ๐š๐œ๐ค๐ฌ

CastleLoader is a malicious loader designed to deliver and install additional malware, acting as the entry point for larger cyberattacks. Active since early 2025, it has gained traction due to its high infection rate and versatility, making it both effective and difficult to detect.

It has been documented to impact at least 469 devices, with U.S. government organizations among the most affected targets, alongside IT, logistics, travel, and critical infrastructure sectors across Europe.

๐Š๐ž๐ฒ ๐“๐š๐ค๐ž๐š๐ฐ๐š๐ฒ๐ฌ

· CastleLoader is a stealthy first-stage loader used in attacks against government entities and critical industries.

· The malware relies on a multi-stage execution chain (Inno Setup → AutoIt → process hollowing) to bypass security controls.

· The final malicious payload only manifests in memory after the controlled process has been altered, making traditional static detection ineffective.

· CastleLoader delivers stealers and RATs, enabling credential theft and persistent access.

· Full-cycle analysis revealed C2 infrastructure and runtime configuration, producing reliable, actionable IOCs.

The research highlights how threats like CastleLoader challenge traditional detection approaches, and why real-time, behavior-driven intelligence is essential.

Read the full CastleLoader analysis on ANY.RUN's Cybersecurity blog. The research presents a complete walkthrough of CastleLoader's behavior and shows how the malware abuses trusted tools and multi-stage execution to evade traditional detection mechanisms.

๐€๐›๐จ๐ฎ๐ญ ๐€๐๐˜.๐‘๐”๐

ANY.RUN provides cutting-edge malware analysis services for SOC and MSSP teams. Among its key solutions are the interactive malware analysis sandbox ANY.RUN, Threat Intelligence Feeds delivering a real-time threat intelligence stream to security tools, and Threat Intelligence Lookup facilitating fast threat hunting, research, and indicator enrichment.

Over 15,000 companies and organizations have streamlined their security workflows with ANY.RUN, empowering analysts of all tiers to conduct faster triage, response, and investigation.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
email us here
Visit us on social media:
LinkedIn
YouTube
X

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
