CastleLoader Malware Hits 400+ Devices via Cloudflare-Themed ClickFix Phishing Attack
gbhackers
CastleLoader, a sophisticated malware loader, has compromised over 400 devices since its debut in early 2025, with cybersecurity firm PRODAFT reporting 469 infections out of 1,634 attempts by May 2025, achieving a staggering 28.7% success rate.
This modular threat actor leverages advanced phishing techniques, including Cloudflare-themed ClickFix lures and deceptive GitHub repositories, to deploy an arsenal of secondary payloads such as information stealers and remote access trojans (RATs).
Threat Targets U.S. Government Entities
Notably, U.S. government entities have emerged as prime targets, underscoring the malware’s potential for widespread disruption in critical infrastructure sectors.
According to the report, analysts at PolySwarm have flagged CastleLoader as an emerging high-impact threat, emphasizing its ability to exploit trusted platforms and human vulnerabilities to bypass conventional security measures.
CastleLoader’s attack chain begins with phishing campaigns that mimic legitimate services, often presenting victims with fake error messages or CAPTCHA challenges ...
Copyright of this story solely belongs to gbhackers.