New CastleLoader Variant Linked to 469 Infections Across Critical Sectors

HackRead · Jan 15, 2026

Why It Matters

The infection of hundreds of critical‑sector systems demonstrates the growing effectiveness of fileless loaders, raising operational risk for governments and essential services. Immediate mitigation requires both user awareness and advanced behavioral defenses.

By Deeba Ahmed · January 15 2026

A new name is surfacing in cyber‑intelligence reports that has security teams on edge. Known as CastleLoader, it has become a go‑to tool for attackers targeting high‑security environments since early 2025.

As HackRead reported in December 2025, earlier versions of CastleLoader were analysed in July and August 2025. Cyber‑security analysis firm ANY.RUN has now detected a newer and more stealthy version.

ANY.RUN researchers identified it as a loader, which is essentially specialised software that acts as a silent entry point for far more destructive attacks. Investigation revealed that CastleLoader has already compromised at least 469 devices, with a heavy focus on U.S. government agencies and critical infrastructure across Europe, including the logistics and travel sectors.

Tricked into Clicking

Researchers noted that CastleLoader doesn’t always rely on complex hacking; often, it just needs a person to make one mistake. It uses a social‑engineering trick known as ClickFix. In these cases, a user might see a fake “update” or “verification” pop‑up. If the user clicks to “fix” the issue, they are actually giving the malware permission to start its work. The malware often uses a fake message saying:

“The program can’t start because VCRUNTIME140.dll is missing from your computer.”

It’s a clever disguise because it looks like a boring, everyday Windows glitch. While the user is confused, CastleLoader is already busy. It typically arrives as a package built with Inno Setup, a common installer tool, and runs an AutoIt script to prepare the system for the next stage of the attack.

After it successfully invades a system, the malware performs process hollowing. This is a trick where a legitimate Windows tool called jsc.exe is hijacked. According to researchers, the malware “hollows out” the safe code and replaces it with malicious instructions. Because the “bad” code runs inside a “good” program’s memory, most standard antivirus tools won’t even flag it.

Further probing revealed that once CastleLoader is settled in, it calls back to a command‑and‑control server at the address 94.159.113.32. From there, it can download information stealers to grab passwords or RATs (Remote Access Trojans) to give a stranger total control of the network.

What is most dangerous is that CastleLoader uses memory‑based attacks. Instead of saving a visible file to the hard drive, the malicious code hides entirely in the computer’s temporary memory (RAM). Since it never leaves a permanent file, it acts like a ghost, allowing it to evade standard antivirus programs that only scan for bad files on the disk. Because this malware is so evasive, traditional security measures are usually unable to detect it.
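The infection chain above (AutoIt stage, hollowed jsc.exe, callback to the reported C2 address) leaves traces in process and network telemetry even when nothing touches the disk. The following Python is an added example, not code from HackRead or ANY.RUN: it runs three simple rules over constructed Sysmon-style log lines. The jsc.exe target and the 94.159.113.32 address come from the article; the AutoIt3.exe parent name, the pipe-delimited log format and the sample paths are assumptions.

```python
from pathlib import PureWindowsPath

C2_ADDRESS = "94.159.113.32"      # C2 address named in the report
HOLLOW_TARGET = "jsc.exe"         # .NET JScript compiler that the loader hollows
SCRIPT_HOSTS = {"autoit3.exe"}    # assumption: AutoIt interpreter as the stage-1 parent

# Constructed sample telemetry (not a real capture), simplified Sysmon-like records.
SAMPLE_LOG = r"""
ProcessCreate|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe|ParentImage=C:\Users\alice\AppData\Local\Temp\AutoIt3.exe
NetworkConnect|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe|DestinationIp=94.159.113.32|DestinationPort=443
ProcessCreate|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe
NetworkConnect|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=203.0.113.10|DestinationPort=443
""".strip()


def parse_line(line):
    """Turn 'Type|k=v|k=v' into a dict; add lower-cased basenames for image fields."""
    event_type, *fields = line.split("|")
    rec = {"Type": event_type}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    for key in ("Image", "ParentImage"):
        if key in rec:
            rec[key + "Name"] = PureWindowsPath(rec[key]).name.lower()
    return rec


def detect(log_text):
    """Return (rule, line_no) pairs for every line matching a CastleLoader-chain rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        img, parent = e.get("ImageName"), e.get("ParentImageName")
        # Rule 1: a compiler binary launched by a script interpreter is the hollowing setup.
        if e["Type"] == "ProcessCreate" and img == HOLLOW_TARGET and parent in SCRIPT_HOSTS:
            hits.append(("jsc_spawned_by_script_host", n))
        if e["Type"] == "NetworkConnect":
            # Rule 2: jsc.exe has no legitimate reason to open network connections.
            if img == HOLLOW_TARGET:
                hits.append(("jsc_network_activity", n))
            # Rule 3: contact with the C2 address reported for this campaign.
            if e.get("DestinationIp") == C2_ADDRESS:
                hits.append(("known_castleloader_c2", n))
    return hits


if __name__ == "__main__":
    for rule, n in detect(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

Rules 1 and 2 are behavioural and keep working when the campaign rotates its infrastructure; rule 3 is the only one tied to the address in the report.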

CastleLoader’s discovery proves that the best defence is a mix of smart technology and staying alert. While security experts work to block the technical backdoors, our own caution with suspicious pop‑ups remains the strongest shield we have against digital threats.


About the author

Deeba Ahmed is a veteran cybersecurity reporter at HackRead.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in‑depth analysis make her a key contributor to the platform’s trusted coverage.
