CastleLoader Malware Now Uses Python Loader to Bypass Security
hackread.com
Cybersecurity researchers at Blackpoint Cyber discovered a new, evasive CastleLoader malware variant using Python and ClickFix social engineering to deliver RATs and info-stealers directly from memory.
A critical shift in cyberattack methods has been found by Blackpoint Cyber’s Adversary Pursuit Group. Their research, shared with Hackread.com, shows that CastleLoader, a malware first reported and analyzed around July and August of 2025, is getting a new, stealthier upgrade. This includes attackers now using the Python programming language to make their delivery system harder to spot.
The Deceptive Delivery Method
CastleLoader has traditionally been delivered using a sneaky social engineering attack called ClickFix, where attackers trick people into typing a command into the Windows Run box (by pressing the Win + R keys), typically disguised as a human verification step or a fix for a fake error.
This single command then secretly activates built-in Windows tools like curl.exe and tar ...
Copyright of this story solely belongs to hackread.com.

