DUBAI, DUBAI, UNITED ARAB EMIRATES, January 13, 2026 /EINPresswire.com/ — ANY.RUN has released an extensive CastleLoader analysis, detailing the full execution chain of this stealthy malware loader. It's known to be used in attacks against organizations across multiple industries, including government and critical sectors.
CastleLoader: Widely Used Entry Point for Cyber Attacks
CastleLoader is a malicious loader designed to deliver and install additional malware, acting as the entry point for larger cyberattacks. Active since early 2025, it has gained traction due to its high infection rate and versatility, making it both effective and difficult to detect.
It has been documented to impact at least 469 devices, with U.S. government organizations among the most affected targets, alongside IT, logistics, travel, and critical infrastructure sectors across Europe.
Key Takeaways
· CastleLoader is a stealthy first-stage loader used in attacks against government entities and critical industries.
· The malware relies on a multi-stage execution chain (Inno Setup → AutoIt → process hollowing) to bypass security controls.
· The final malicious payload only manifests in memory after the controlled process has been altered, making traditional static detection ineffective.
· CastleLoader delivers stealers and RATs, enabling credential theft and persistent access.
· Full-cycle analysis revealed C2 infrastructure and runtime configuration, producing reliable, actionable IOCs.
The research highlights how threats like CastleLoader challenge traditional detection approaches, and why real-time, behavior-driven intelligence is essential.
Read the full CastleLoader analysis on ANY.RUN's Cybersecurity blog. The research presents a complete walkthrough of CastleLoader's behavior and shows how the malware abuses trusted tools and multi-stage execution to evade traditional detection mechanisms.
About ANY.RUN
ANY.RUN provides cutting-edge malware analysis services for SOC and MSSP teams. Its key solutions include the interactive ANY.RUN malware analysis sandbox, Threat Intelligence Feeds, which deliver a real-time stream of threat intelligence to security tools, and Threat Intelligence Lookup, which supports fast threat hunting, research, and indicator enrichment.
Over 15,000 companies and organizations have streamlined their security workflows with ANY.RUN, empowering analysts of all tiers to conduct faster triage, response, and investigation.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050