The infection of hundreds of critical‑sector systems demonstrates the growing effectiveness of fileless loaders, raising operational risk for governments and essential services. Immediate mitigation requires both user awareness and advanced behavioral defenses.
CastleLoader’s emergence marks another milestone in the evolution of fileless malware, a class of threats that live exclusively in RAM and leave no trace on disk. First observed in mid‑2025, the loader has rapidly matured, now accounting for 469 confirmed compromises across U.S. federal agencies and European logistics and travel networks. By leveraging a lightweight Inno Setup package and the AutoIt scripting engine, attackers can slip past conventional signature‑based scanners and establish a foothold with minimal exposure. This shift underscores how adversaries are prioritizing stealth over sheer volume.
The infection chain begins with a deceptive “ClickFix” prompt that mimics a Windows update or missing DLL warning, coaxing users into granting execution rights. Once launched, CastleLoader performs process hollowing, hijacking legitimate binaries such as jsc.exe to mask malicious code inside trusted memory spaces. Its memory‑only payload avoids writing files to disk, rendering many endpoint protection platforms blind to its activity. After establishing persistence, the loader reaches out to the hard‑coded C2 address 94.159.113.32, pulling down credential stealers or full‑featured remote‑access trojans for deeper network infiltration.
Defending against CastleLoader requires a layered approach that blends technology with human vigilance. Organizations should deploy behavioral analytics and memory‑monitoring tools capable of spotting anomalous process injection and outbound C2 traffic, while also enforcing strict least‑privilege policies for installer execution. Regular security awareness training can reduce the success rate of ClickFix lures, turning the user from an entry point into a line of defense. As fileless loaders become more prevalent, the cybersecurity market is likely to see accelerated adoption of endpoint detection and response (EDR) platforms that specialize in in‑memory threat hunting.
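The detection side of the two paragraphs above (a hollowed jsc.exe with an unexpected parent, and outbound traffic from it to the hard-coded C2) can be expressed as a small set of hunt rules. The following is an added example written for this article, not code from the article's author or from any vendor: it runs three rules over constructed, Sysmon-like process-creation and network-connection records. The only indicator taken from the article is the C2 address 94.159.113.32; the log format, hostnames, PIDs, file paths, the allow-list of legitimate parents for jsc.exe, and the Inno Setup temp-directory naming pattern are all assumptions.

```python
"""Hunt rules for a CastleLoader-style chain over constructed log lines.

Added example (not from the article). Log format: simplified Sysmon-like
key=value records, event=1 process creation, event=3 network connection.
All hosts, PIDs and paths are constructed; only the C2 IP is from the article.
"""
import ntpath
import re

# Indicator from the article: CastleLoader's hard-coded C2 address.
C2_ADDRESSES = {"94.159.113.32"}

# Binaries the article says the loader hollows.
HOLLOW_TARGETS = {"jsc.exe"}

# Parents under which jsc.exe is plausibly legitimate (assumed allow-list).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe"}

# Parents that point at the loader chain from the article: the AutoIt
# interpreter, or an Inno Setup stub unpacked under Temp\is-XXXXX.tmp
# (directory naming is an assumption).
LOADER_PARENT_RE = re.compile(r"(autoit3.*\.exe$|\\is-[a-z0-9]+\.tmp\\)", re.IGNORECASE)

# Constructed sample records. Values contain no spaces by design.
SAMPLE_LOG = r"""
event=1 host=WS01 pid=4102 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe parent=C:\Users\alice\AppData\Local\Temp\is-K2N1P.tmp\setup.tmp
event=1 host=WS01 pid=4188 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe
event=3 host=WS01 pid=4102 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe dst=94.159.113.32 dport=443
event=3 host=WS02 pid=5120 image=C:\Windows\System32\svchost.exe dst=203.0.113.10 dport=443
event=1 host=WS02 pid=5310 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe parent=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
event=1 host=WS03 pid=6001 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe parent=C:\Users\bob\Downloads\AutoIt3.exe
event=3 host=WS03 pid=6001 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe dst=198.51.100.7 dport=8443
"""


def parse(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def hunt(log_text):
    """Apply the rules in record order and return a list of alert dicts.

    Rule 1: a hollow target (jsc.exe) started by a parent outside the
            allow-list; severity 'high' if the parent looks like the loader chain.
    Rule 2: any connection to the known C2 address (IOC match), or any
            network activity at all from a hollow target (behavioural match).
    Rule 3: correlation by (host, pid): a process flagged by rule 1 that
            then talks to the network is the full chain the article describes.
    """
    alerts = []
    flagged = {}  # (host, pid) -> severity from rule 1
    for raw in log_text.strip().splitlines():
        ev = parse(raw)
        key = (ev.get("host"), ev.get("pid"))
        image = basename(ev.get("image", ""))
        if ev.get("event") == "1":
            parent = ev.get("parent", "")
            if image in HOLLOW_TARGETS and basename(parent) not in EXPECTED_PARENTS:
                severity = "high" if LOADER_PARENT_RE.search(parent) else "medium"
                alerts.append({"rule": "suspicious_hollow_target_parent", "severity": severity,
                               "host": ev["host"], "pid": ev["pid"], "parent": parent})
                flagged[key] = severity
        elif ev.get("event") == "3":
            dst = ev.get("dst", "")
            if dst in C2_ADDRESSES:
                alerts.append({"rule": "known_c2_destination", "severity": "high",
                               "host": ev["host"], "pid": ev["pid"], "dst": dst})
            elif image in HOLLOW_TARGETS:
                # A script compiler has no business opening sockets, IOC or not.
                alerts.append({"rule": "network_from_hollow_target", "severity": "medium",
                               "host": ev["host"], "pid": ev["pid"], "dst": dst})
            else:
                continue
            if key in flagged:
                alerts.append({"rule": "hollowed_process_beaconing", "severity": "critical",
                               "host": ev["host"], "pid": ev["pid"], "dst": dst})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"[{a['severity']:8}] {a['rule']:32} host={a['host']} pid={a['pid']}")
```

Rule 2's second branch is the one that matters once the C2 address rotates: the article's own point is that the loader is memory-only, so a network connection from a binary that never needs one is a more durable signal than the IP. Rule 1's allow-list is deliberately short; extend it from your own baseline of who legitimately launches jsc.exe before deploying anything like this.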