New CastleLoader Variant Linked to 469 Infections Across Critical Sectors
hackread.com
ANY.RUN report reveals how the new CastleLoader malware targets US government agencies using stealthy ClickFix tricks and memory-based attacks to bypass security.
A new name is surfacing in cyber intelligence reports that has security teams on edge. Known as CastleLoader, it has become a go-to tool for attackers targeting high-security environments since early 2025.
As Hackread.com reported in December 2025, earlier versions of CastleLoader were analysed in July and August 2025. Cybersecurity analysis firm ANY.RUN has now detected a newer and more stealthy version.
ANY.RUN researchers identified it as a ‘loader,’ which is essentially specialised software that acts as a silent entry point for far more destructive attacks. The investigation revealed that CastleLoader has already compromised at least 469 devices, with a heavy focus on US government agencies and critical infrastructure across Europe, including the logistics and travel sectors.
Tricked into Clicking
Researchers noted that CastleLoader ...
Copyright of this story solely belongs to hackread.com.

