EIN Presswire (via MENAFN), 2026-01-13 -- ANY has released an extensive CastleLoader analysis, detailing the full execution chain of this stealthy malware loader. It's known to be used in attacks against organizations across multiple industries, including government and critical sectors.

CastleLoader: Widely Used Entry Point for Cyber Attacks

CastleLoader is a malicious loader designed to deliver and install additional malware, acting as the entry point for larger cyberattacks. Active since early 2025, it has gained traction due to its high infection rate and versatility, making it both effective and difficult to detect.

It has been documented to impact at least 469 devices, with U.S. government organizations among the most affected targets, alongside IT, logistics, travel, and critical infrastructure sectors across Europe.

Key Takeaways

· CastleLoader is a stealthy first-stage loader used in attacks against government entities and critical industries.

· The malware relies on a multi-stage execution chain (Inno Setup → AutoIt → process hollowing) to bypass security controls.

· The final malicious payload only manifests in memory after the controlled process has been altered, making traditional static detection ineffective.

· CastleLoader delivers stealers and RATs, enabling credential theft and persistent access.

· Full-cycle analysis revealed C2 infrastructure and runtime configuration, producing reliable, actionable IOCs.
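The takeaways above describe the chain (Inno Setup installer → AutoIt interpreter → process hollowing) and note that the payload only appears in memory once the victim process has been altered. A defender can still catch that chain from behavioural telemetry rather than static signatures. The following is an added detection example, not code from ANY's report: it runs a heuristic over constructed sandbox-style process and API events. The event field names (`type`, `pid`, `ppid`, `image`, `tags`, `api`, `target_pid`), the `inno-setup` tag, and the sample file paths are assumptions made for this illustration; the hollowed target image is a placeholder because the press release does not name it.

```python
"""Heuristic for a CastleLoader-style chain: an Inno Setup installer spawns an
AutoIt interpreter, which hollows another process. Event schema and sample
data below are constructed for this example, not ANY's telemetry format."""
from collections import defaultdict

# API calls that, in this order from one source against one target, characterise
# process hollowing: start suspended, overwrite memory, redirect entry point, resume.
HOLLOWING_STEPS = (
    "CreateProcess(CREATE_SUSPENDED)",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)


def _in_order(calls, steps):
    """True if every step appears in `calls` in the given order (subsequence match)."""
    i = 0
    for api in calls:
        if i < len(steps) and api == steps[i]:
            i += 1
    return i == len(steps)


def _ancestry(pid, procs):
    """Return [self, parent, grandparent, ...] process_start records for `pid`."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def find_hollowing_chains(events):
    """Flag (source, target) pairs showing the hollowing sequence and rate them
    'high' when the source is AutoIt launched from an Inno Setup installer."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_start"}
    calls = defaultdict(list)  # (source_pid, target_pid) -> ordered API names
    for e in events:
        if e["type"] == "api_call":
            calls[(e["pid"], e["target_pid"])].append(e["api"])

    findings = []
    for (src, tgt), apis in calls.items():
        if src == tgt or not _in_order(apis, HOLLOWING_STEPS):
            continue
        lineage = _ancestry(src, procs)
        autoit = bool(lineage) and lineage[0]["image"].lower().endswith("autoit3.exe")
        inno = any("inno-setup" in p.get("tags", ()) for p in lineage[1:])
        findings.append({
            "source_pid": src,
            "hollowed_pid": tgt,
            "hollowed_image": procs.get(tgt, {}).get("image", "?"),
            "lineage": [p["image"] for p in lineage],
            "castleloader_like": autoit and inno,
            "severity": "high" if autoit and inno else "medium",
        })
    return findings


# Constructed sample telemetry: one malicious chain and one benign process start.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1,
     "image": r"C:\Users\victim\Downloads\Document_Setup.exe", "tags": ["inno-setup"]},
    {"type": "process_start", "pid": 200, "ppid": 100,
     "image": r"C:\Users\victim\AppData\Local\Temp\is-XYZ.tmp\AutoIt3.exe", "tags": []},
    {"type": "process_start", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\target_placeholder.exe", "tags": []},
    {"type": "api_call", "pid": 200, "target_pid": 300, "api": "CreateProcess(CREATE_SUSPENDED)"},
    {"type": "api_call", "pid": 200, "target_pid": 300, "api": "NtUnmapViewOfSection"},
    {"type": "api_call", "pid": 200, "target_pid": 300, "api": "WriteProcessMemory"},
    {"type": "api_call", "pid": 200, "target_pid": 300, "api": "SetThreadContext"},
    {"type": "api_call", "pid": 200, "target_pid": 300, "api": "ResumeThread"},
    # Benign: a normal parent starting a child without the suspend/write/resume pattern.
    {"type": "process_start", "pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "tags": []},
    {"type": "process_start", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\notepad.exe", "tags": []},
    {"type": "api_call", "pid": 400, "target_pid": 500, "api": "CreateProcess"},
]

if __name__ == "__main__":
    for f in find_hollowing_chains(SAMPLE_EVENTS):
        print(f["severity"], f["hollowed_image"], "<-", " <- ".join(f["lineage"]))
```

The heuristic keys on the cross-process API sequence rather than on file hashes, which is why it survives a repacked installer or a fresh AutoIt script; the lineage check (AutoIt under an Inno Setup parent) only raises severity, so an unrelated hollowing attempt is still reported at medium.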

The research highlights how threats like CastleLoader challenge traditional detection approaches, and why real-time, behavior-driven intelligence is essential.

Read the full CastleLoader analysis on ANY's Cybersecurity blog. The research presents a complete walkthrough of CastleLoader's behavior and shows how the malware abuses trusted tools and multi-stage execution to evade traditional detection mechanisms.