CastleLoader malware campaign uses fake CAPTCHA 'ClickFix' prompts to trick users into executing PowerShell commands downloading Python-based loaders. ClickFix launches hidden conhost.exe, fetches tar archive, unpacks into AppData, runs windowless Python interpreter. Python bytecode reconstructs and decrypts CastleLoader shellcode entirely in memory—no executable on disk. Shellcode retrieves final stage using hardcoded 'GoogeBot' user agent. Applies PEB Walking (scans Process Environment Block to resolve APIs) and XOR-decrypts payload before in-memory execution. Replaces earlier AutoIt droppers with compact Python loader. Targets corporate environments where Python already installed. Blackpoint linked via network markers—GoogeBot user agent appeared in 2025 CastleLoader traffic.

📂 Malware & Ransomware

CastleLoader Malware Uses ClickFix Prompts and Python Loader Chain