CastleLoader Analysis: A Deep Dive into Stealthy Loader Targeting Government Sector

    Date: 01/19/2026

    Severity: High

    Summary

    CastleLoader is a stealthy first-stage malware used in attacks against government organizations and various industries. It employs a multi-stage execution chain—Inno Setup, AutoIt, and process hollowing—to bypass security defenses. The final payload is deployed only in memory after process manipulation, evading traditional static detection. CastleLoader is designed to deliver information stealers and remote access trojans for credential theft and persistence. By installing follow-on malware, it serves as the foundational entry point of the attack chain.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://94.159.113.32/service

    IP Address:

    94.159.113.32

    Hashes (three samples; MD5, SHA1 and SHA256 listed for each):

    MD5: 9A0960C674378A049B8D9AD0E1C641C3

    SHA1: 0580A364AB986B051398A78D089300CF73481E70

    SHA256: 8B7C1657F4D5CF0CC82D68C1F1A385ADF0DE27D46FC544BBA249698E6B427856

    MD5: AFBABA49796528C053938E0397F238FF

    SHA1: DD029CD4711C773F87377D45A005C8D9785281A3

    SHA256: FDDC186F3E5E14B2B8E68DDBD18B2BDA41D38A70417A38E67281EB7995E24BAC

    MD5: 1E0F94E8EC83C1879CCD25FEC59098F1

    SHA1: 9E11E8866F40E5E9C20B1F012D0B68E0D56E85B3

    SHA256: DFAF277D54C1B1CF5A3AF80783ED878CAC152FF2C52DBF17FB05A7795FE29E79

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://94.159.113.32/service" or url like "http://94.159.113.32/service" or siteurl like "http://94.159.113.32/service"

    Detection Query 2:

    dstipaddress IN ("94.159.113.32") or srcipaddress IN ("94.159.113.32")

    Detection Query 3:

    md5hash IN ("9A0960C674378A049B8D9AD0E1C641C3","AFBABA49796528C053938E0397F238FF","1E0F94E8EC83C1879CCD25FEC59098F1")

    Detection Query 4:

    sha1hash IN ("DD029CD4711C773F87377D45A005C8D9785281A3","0580A364AB986B051398A78D089300CF73481E70","9E11E8866F40E5E9C20B1F012D0B68E0D56E85B3")

    Detection Query 5:

    sha256hash IN ("FDDC186F3E5E14B2B8E68DDBD18B2BDA41D38A70417A38E67281EB7995E24BAC","8B7C1657F4D5CF0CC82D68C1F1A385ADF0DE27D46FC544BBA249698E6B427856","DFAF277D54C1B1CF5A3AF80783ED878CAC152FF2C52DBF17FB05A7795FE29E79")
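    The five queries above are exact-value lookups, so two things bite in practice: a hash logged in lower case will not match an upper-case IOC unless the platform normalizes case, and the literal URL in Query 1 will not match a request to http://94.159.113.32/service?id=7 or with a trailing slash. The script below is an added example (it is not Gurucul's TDIR engine and not code from the referenced ANY.RUN analysis) that applies the same IOCs to a handful of constructed key=value log lines, lower-casing hashes and matching URLs on scheme, host and path. The log format and the field names (src, dst, url, md5, sha1, sha256) are assumptions for the example.

```python
"""IOC matcher for the CastleLoader indicators listed above.

Added example, not vendor code. The key=value log format and field names
(src, dst, url, md5, sha1, sha256) are assumptions; the indicator values are
the ones from the IOC list on this page.
"""
from urllib.parse import urlsplit

# Indicators copied from the IOC list above. Hashes are stored lower-case so a
# hash logged in either case still matches.
IOC_IP = {"94.159.113.32"}
IOC_URL = {"http://94.159.113.32/service"}
IOC_MD5 = {h.lower() for h in (
    "9A0960C674378A049B8D9AD0E1C641C3",
    "AFBABA49796528C053938E0397F238FF",
    "1E0F94E8EC83C1879CCD25FEC59098F1",
)}
IOC_SHA1 = {h.lower() for h in (
    "0580A364AB986B051398A78D089300CF73481E70",
    "DD029CD4711C773F87377D45A005C8D9785281A3",
    "9E11E8866F40E5E9C20B1F012D0B68E0D56E85B3",
)}
IOC_SHA256 = {h.lower() for h in (
    "8B7C1657F4D5CF0CC82D68C1F1A385ADF0DE27D46FC544BBA249698E6B427856",
    "FDDC186F3E5E14B2B8E68DDBD18B2BDA41D38A70417A38E67281EB7995E24BAC",
    "DFAF277D54C1B1CF5A3AF80783ED878CAC152FF2C52DBF17FB05A7795FE29E79",
)}

# Constructed sample events (not real telemetry). Lines 1-3 should fire,
# lines 4-5 should not.
SAMPLE_LOG = """\
ts=2026-01-19T08:01:02Z type=flow src=10.0.0.15 dst=94.159.113.32 dport=80
ts=2026-01-19T08:01:03Z type=proxy url=http://94.159.113.32/service?id=7 status=200
ts=2026-01-19T08:01:09Z type=process image=setup.exe sha256=8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856
ts=2026-01-19T08:02:00Z type=proxy url=https://example.org/service status=200
ts=2026-01-19T08:02:11Z type=process image=notepad.exe md5=d41d8cd98f00b204e9800998ecf8427e
"""


def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict (split on the first '=' only, so URLs keep their query)."""
    event = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def normalize_url(url: str) -> str:
    """Reduce a URL to scheme://host/path so a query string or trailing slash cannot hide the IOC."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}"


def match_event(event: dict) -> list:
    """Return the names of the queries (1-5 above) that this event would trigger."""
    hits = []
    url = event.get("url")
    url_host = urlsplit(url).hostname if url else None
    if url and normalize_url(url) in IOC_URL:
        hits.append("query1_url")
    # Query 2: the IOC address as source, destination, or as the host of a URL.
    if IOC_IP & {event.get("src"), event.get("dst"), url_host}:
        hits.append("query2_ip")
    for field, iocs, name in (
        ("md5", IOC_MD5, "query3_md5"),
        ("sha1", IOC_SHA1, "query4_sha1"),
        ("sha256", IOC_SHA256, "query5_sha256"),
    ):
        if event.get(field, "").lower() in iocs:
            hits.append(name)
    return hits


def scan(log_text: str) -> list:
    """Run every line through the matcher; return (line_number, hits) for the lines that fire."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        hits = match_event(parse_event(line))
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

    Running the script reports the flow line on the IP, the proxy line on both the URL and the IP (the IOC address is the URL's host), and the process line on its SHA256; the two benign lines stay quiet. When porting this back into a SIEM, apply the same normalization to the query side: lower-case (or upper-case) the hash fields at ingest, and match Query 1 on host and path rather than on the full URL string.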

    Reference:

    https://any.run/cybersecurity-blog/castleloader-malware-analysis/


    Tags

    RAT, Malware, CastleLoader, Government Services and Facilities, CredentialTheft, Infostealer
