{"id":17626,"date":"2026-01-13T08:23:58","date_gmt":"2026-01-13T08:23:58","guid":{"rendered":"\/cybersecurity-blog\/?p=17626"},"modified":"2026-01-13T13:52:53","modified_gmt":"2026-01-13T13:52:53","slug":"castleloader-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/","title":{"rendered":"CastleLoader Analysis: A Deep Dive into Stealthy Loader\u00a0Targeting\u00a0Government Sector"},"content":{"rendered":"\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s<\/a> team conducted an extensive malware analysis of CastleLoader, the first link in the chain of attacks impacting various industries, including government agencies and critical infrastructures.<\/p>\n\n\n\n<p>It&#8217;s a unique walkthrough of its entire execution path, from a packaged installer to C2 server connection, as well as an overview of a parser developed to extract initialized local variables and automatically decode <a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">indicators of compromise<\/a> (IOCs) featured in them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key&nbsp;Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CastleLoader&nbsp;<\/strong>is a stealthy malware loader used as the first stage in attacks against government entities and multiple industries.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It relies on a<strong>&nbsp;multi-stage execution chain<\/strong>&nbsp;(Inno Setup \u2192&nbsp;AutoIt&nbsp;\u2192 process hollowing) to evade detection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The&nbsp;final malicious&nbsp;payload&nbsp;only manifests in memory&nbsp;after the controlled process has been 
altered,<strong>&nbsp;making traditional static detection ineffective.<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CastleLoader&nbsp;delivers&nbsp;<strong>information&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/stealer\/\" target=\"_blank\" rel=\"noreferrer noopener\">stealers<\/a> and <a href=\"https:\/\/any.run\/malware-trends\/rat\/\" target=\"_blank\" rel=\"noreferrer noopener\">RATs<\/a><\/strong>, enabling credential theft and persistent access.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A&nbsp;<strong>full-cycle analysis&nbsp;<\/strong>allowed us to <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\" target=\"_blank\" rel=\"noreferrer noopener\">extract runtime configuration<\/a>, C2 infrastructure, and high-confidence IOCs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">CastleLoader&nbsp;as&nbsp;an Initial&nbsp;Access Threat&nbsp;<\/h2>\n\n\n\n<p>CastleLoader is a malicious loader malware built to deliver and install other malicious components. It lays the groundwork for the attack, becoming its starting point.<\/p>\n\n\n\n<p>This loader has commonly occurred in cyber attacks since early 2025. It gained popularity due to its high infection rate and universal nature, making it a powerful yet evasive tool.<\/p>\n\n\n\n<p>In several observed campaigns, CastleLoader is delivered through the <a href=\"https:\/\/any.run\/cybersecurity-blog\/click-fix-attacks-eric-parker-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">ClickFix social-engineering technique<\/a>, where victims are tricked into manually executing malicious commands via fake verification or update prompts. 
In these cases, ClickFix acts as the initial access vector, while CastleLoader serves as the second-stage loader that deploys follow-on payloads directly in memory, helping attackers evade traditional file-based detection.<\/p>\n\n\n\n<p>One of CastleLoader\u2019s malicious campaigns is known to impact a total of 469 devices. It became a significant threat to organizations, especially US-based government entities. Its broader scope includes industries like IT, <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-transport-company-monitors-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">logistics<\/a>, travel, and critical infrastructures across Europe.<\/p>\n\n\n\n<p>CastleLoader&nbsp;is dangerous as a link in the chain delivering information stealers&nbsp;and RATs, making credential theft and persistent network access&nbsp;a high risk.&nbsp;<\/p>\n\n\n\n<p>The&nbsp;loader\u2019s popularity&nbsp;has inspired&nbsp;ANY.RUN\u2019s malware analysis team to break down&nbsp;its&nbsp;malicious sample&nbsp;in order to&nbsp;uncover&nbsp;what&nbsp;it\u2019s&nbsp;made of, retrieve&nbsp;signatures, and&nbsp;retrieve&nbsp;malware&nbsp;configurations.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detect&nbsp;CastleLoader&nbsp;and More&nbsp;with Threat Intelligence Feeds&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"656\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-1024x656.png\" alt=\"\" class=\"wp-image-17587\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-1024x656.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-300x192.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-768x492.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-1536x984.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-2048x1312.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-370x237.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-270x173.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/TI-Feeds-1920-v1-740x474.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>How live threat intelligence&nbsp;impacts&nbsp;the key performance metrics<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Modern malware like&nbsp;CastleLoader&nbsp;is designed to evade traditional detection. To keep up with the pace of adversaries, security teams need threat intelligence that reflects&nbsp;what attackers are using right now.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence Feeds<\/a>&nbsp;provide&nbsp;real-time indicators extracted from live malware executions performed by thousands of SOC teams worldwide.&nbsp;With TI Feeds, they achieve:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster threat detection:<\/strong>&nbsp;Identify&nbsp;active loaders, stealers, and RATs as soon as they appear in real-world attacks&nbsp;thanks to 99% unique data&nbsp;extracted from the latest sandbox analyses by <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\" target=\"_blank\" rel=\"noreferrer noopener\">15K SOCs<\/a> and 500K analysts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Higher confidence 
decisions:<\/strong>&nbsp;Indicators are backed by execution context, not guesswork or outdated reports.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improved SOC efficiency:<\/strong>&nbsp;Fewer false positives mean less alert fatigue and better use of analyst time.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger risk management:<\/strong>&nbsp;Early visibility into emerging malware families helps prevent business disruption.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>By combining real-time sandbox intelligence with immediate IOC delivery, ANY.RUN&#8217;s TI Feeds help organizations stay ahead of fast-evolving threats like\u00a0CastleLoader.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Initial&nbsp;Analysis: Sandbox Telemetry&nbsp;<\/h2>\n\n\n\n<p>The analysis&nbsp;started with&nbsp;ANY.RUN\u2019s <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>&nbsp;detonation.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/f4f33499-21b9-4423-9ed5-4e156648a4c4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"512\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-1024x512.png\" alt=\"\" class=\"wp-image-17681\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-1024x512.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-768x384.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-1536x768.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-370x185.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN-740x370.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ANYRUN.png 1857w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The launch of&nbsp;CastleLoader&nbsp;sample in ANY.RUN. Suspicious processes and network activities detected&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>What instantly grabs our&nbsp;attention&nbsp;here&nbsp;is a system process&nbsp;chain, at the end of which a&nbsp;request to 94[.]159[.]113[.]32:80 was sent. To understand this activity better, we switched to the binary analysis.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Static analysis: Inspecting Inno Setup Installer&nbsp;&nbsp;<\/h2>\n\n\n\n<p>To get a&nbsp;basic overview of the binary,&nbsp;let&#8217;s&nbsp;process&nbsp;it via DIE (Detect It Easy).&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"530\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image2.png\" alt=\"\" class=\"wp-image-17634\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image2.png 720w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image2-300x221.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image2-370x272.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image2-270x199.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image2-80x60.png 80w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><figcaption class=\"wp-element-caption\"><em>CastleLoader&nbsp;installer analyzed in Detect It Easy&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It reveals that the binary consists of&nbsp;<strong>Object Pascal<\/strong>&nbsp;(Delphi) and&nbsp;<strong>Inno Setup Module<\/strong>&nbsp;(installer).&nbsp;<\/p>\n\n\n\n<p>The next stage of the analysis requires&nbsp;the use of&nbsp;<strong>innoextract<\/strong>,&nbsp;a tool to unpack installers.&nbsp;We&nbsp;used a fork that allows you 
to&nbsp;unpack&nbsp;password-protected&nbsp;archives, which came in handy.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"929\" height=\"262\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image3.png\" alt=\"\" class=\"wp-image-17635\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image3.png 929w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image3-300x85.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image3-768x217.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image3-370x104.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image3-270x76.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image3-740x209.png 740w\" sizes=\"(max-width: 929px) 100vw, 929px\" \/><figcaption class=\"wp-element-caption\"><em>Files extracted from Inno Setup installer&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Archive extraction reveals several executables. At this point, it\u2019s <strong>AutoIt3.exe<\/strong> and the compiled script <strong>freely.a3x<\/strong> that grab our attention most. These are the files that directly participate in the calling chain. Other files, as it turned out later, aren\u2019t related to the malware execution, and their role is unclear.<\/p>\n\n\n\n<p>Next,&nbsp;let\u2019s&nbsp;use&nbsp;<strong>AutoIt-Ripper<\/strong>&nbsp;to extract&nbsp;compiled&nbsp;AutoIt&nbsp;scripts from A3X containers. 
As a result&nbsp;of this, we get&nbsp;a file&nbsp;<strong>script.au3<\/strong>&nbsp;containing&nbsp;24,402 code lines.&nbsp;The majority&nbsp;of&nbsp;this&nbsp;code, which&nbsp;is responsible for&nbsp;the malicious chain,&nbsp;is unreadable:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\" style=\"white-space: pre-wrap; overflow-x: hidden; word-break: break-word;\">\n<code style=\"white-space: pre-wrap; overflow-wrap: anywhere; word-break: break-word;\">\n\/\/&nbsp;A function\u2019s minimal listing&nbsp;\n\nFunc FUNC_38&nbsp;( $XGOHK_KNZJTRNG ,&nbsp;$FRNQQSFKMV_ONCPFFG_IUESI ,&nbsp;$OYJVN )&nbsp;\n\n&nbsp; Local $VAR_2745 &#091;&nbsp;5 ]&nbsp;= &#091;&nbsp;( $FOCOFQYNAZZDTMNK &#091;&nbsp;0 ]&nbsp;&#091;&nbsp;0 ]&nbsp;&lt;= $VAR_1884 ?&nbsp;$APITY_TTXPNVODYF_UOFBAYSHE :&nbsp;51205 )&nbsp;,&nbsp;51215 ,&nbsp;( $DCZH1PQYFZ0_9_S_KG8_Q3 &lt; $WGCOD_JPCLUUNAEM &#091;&nbsp;1 ]&nbsp;?&nbsp;51217 :&nbsp;$HQBFEELFMG_MKBEGBLQI&nbsp;( )&nbsp;) ,&nbsp;( $XCEAEI_JVVDYWYNZG_VYLLS &gt;= $G_HGLSAQTEAFZZZONMJ &#091;&nbsp;6 ]&nbsp;? $GVNKFKFUPA_XKWCWRP_GQDKXPY&nbsp;( )&nbsp;:&nbsp;51193 )&nbsp;,&nbsp;( $UNPBEN &lt; $G_HGLSAQTEAFZZZONMJ &#091;&nbsp;8 ]&nbsp;?&nbsp;51205 :&nbsp;$VAR_1654 &#091;&nbsp;1 ]&nbsp;&#091;&nbsp;7 ]&nbsp;) ]&nbsp;\n\n&nbsp; Local $NWBSM&nbsp;\n\n&nbsp; Local $JIQBD&nbsp;\n\n&nbsp; For $JIQBD =&nbsp;( $MON_GLZO__BPDFZTL &#091;&nbsp;3 ]&nbsp;&gt; $MON_GLZO__BPDFZTL &#091;&nbsp;9 ]&nbsp;?&nbsp;0 :&nbsp;$VAR_364 &#091;&nbsp;0 ]&nbsp;&#091;&nbsp;0 ]&nbsp;) To&nbsp;( $G_HGLSAQTEAFZZZONMJ &#091;&nbsp;6 ]&nbsp;&lt;= $FOCOFQYNAZZDTMNK &#091;&nbsp;0 ]&nbsp;&#091;&nbsp;3 ]&nbsp;? 
$VBTVZVORQTC :&nbsp;4 )&nbsp;\n\n&nbsp;&nbsp;&nbsp; $NWBSM = $VAR_2745 &#091; $JIQBD ]&nbsp;\n\n&nbsp;&nbsp;&nbsp; $NWBSM -= $JIQBD&nbsp;\n\n&nbsp;&nbsp;&nbsp; $NWBSM += 14431&nbsp;\n\n&nbsp;&nbsp;&nbsp; $NWBSM = $IGFABA_UFUGKAMKV&nbsp;( $NWBSM ,&nbsp;$JIQBD )&nbsp;\n\n&nbsp;&nbsp;&nbsp; $NWBSM = $RM_I2U_3RPS4_I5Y0IIHAZ1_6&nbsp;( $NWBSM ,&nbsp;65535 )&nbsp;\n\n&nbsp;&nbsp;&nbsp; $VAR_2745 &#091; $JIQBD ]&nbsp;= $IDBABKRDVSBFUNLRSLIOXWAD&nbsp;( $NWBSM )&nbsp;\n\n&nbsp; Next&nbsp;\n\n&nbsp; $VAR_2745 = $WWXHKDX&nbsp;( $VAR_2745 ,&nbsp;\"\" )&nbsp;\n\n&nbsp; Return $VAR_2745&nbsp;\n\nEndFunc\n<\/code>\n<\/pre>\n\n\n\n<p>Still, we&nbsp;are able to&nbsp;learn about&nbsp;the&nbsp;loaded&nbsp;modules and&nbsp;WinAPI&nbsp;wrappers:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/&nbsp;Some of the kernel32.dll module\u2019s wrappers\n\nFunc _WINAPI_ASSIGNPROCESSTOJOBOBJECT ( $HJOB , $HPROCESS ) \n\n  Local $ACALL = DllCall ( \"kernel32.dll\" , \"bool\" , \"AssignProcessToJobObject\" , \"handle\" , $HJOB , \"handle\" , $HPROCESS ) \n\n  If @error Then Return SetError ( @error , @extended , False ) \n\n  Return $ACALL &#091; 0 ] \n\nEndFunc \n\nFunc _WINAPI_ATTACHCONSOLE ( $IPID = + 4294967295 ) \n\n  Local $ACALL = DllCall ( \"kernel32.dll\" , \"bool\" , \"AttachConsole\" , \"dword\" , $IPID ) \n\n  If @error Then Return SetError ( @error , @extended , False ) \n\n  Return $ACALL &#091; 0 ] \n\nEndFunc \n\nFunc _WINAPI_ATTACHTHREADINPUT ( $IATTACH , $IATTACHTO , $BATTACH ) \n\n  Local $ACALL = DllCall ( \"user32.dll\" , \"bool\" , \"AttachThreadInput\" , \"dword\" , $IATTACH , \"dword\" , $IATTACHTO , \"bool\" , $BATTACH ) \n\n  If @error Then Return SetError ( @error , @extended , False ) \n\n  Return $ACALL &#091; 0 ] \n\nEndFunc \n\nFunc _WINAPI_CREATEEVENT ( $TATTRIBUTES = 0 , $BMANUALRESET = True , $BINITIALSTATE = True , $SNAME = \"\" ) \n\n  If $SNAME = \"\" Then $SNAME = Null \n\n  Local $ACALL = DllCall ( \"kernel32.dll\" , \"handle\" , \"CreateEventW\" , 
\"struct*\" , $TATTRIBUTES , \"bool\" , $BMANUALRESET , \"bool\" , $BINITIALSTATE , \"wstr\" , $SNAME ) \n\n  If @error Then Return SetError ( @error , @extended , 0 ) \n\n  Local $ILASTERROR = _WINAPI_GETLASTERROR ( ) \n\n  If $ILASTERROR Then Return SetExtended ( $ILASTERROR , 0 ) \n\n  Return $ACALL &#091; 0 ] \n\nEndFunc \n\nFunc _WINAPI_CREATEJOBOBJECT ( $SNAME = \"\" , $TSECURITY = 0 ) \n\n  If Not StringStripWS ( $SNAME , $STR_STRIPLEADING + $STR_STRIPTRAILING ) Then $SNAME = Null \n\n  Local $ACALL = DllCall ( \"kernel32.dll\" , \"handle\" , \"CreateJobObjectW\" , \"struct*\" , $TSECURITY , \"wstr\" , $SNAME ) \n\n  If @error Then Return SetError ( @error , @extended , 0 ) \n\n  Return $ACALL &#091; 0 ] \n\nEndFunc \n\nFunc _WINAPI_CREATEMUTEX ( $SMUTEX , $BINITIAL = True , $TSECURITY = 0 ) \n\n  Local $ACALL = DllCall ( \"kernel32.dll\" , \"handle\" , \"CreateMutexW\" , \"struct*\" , $TSECURITY , \"bool\" , $BINITIAL , \"wstr\" , $SMUTEX ) \n\n  If @error Then Return SetError ( @error , @extended , 0 ) \n\n  Return $ACALL &#091; 0 ] \n\nEndFunc <\/code><\/pre>\n\n\n\n<p>Several&nbsp;WinAPI&nbsp;wrappers&nbsp;may potentially&nbsp;participate&nbsp;in attacks for further system&nbsp;infection, because&nbsp;it\u2019s&nbsp;the&nbsp;AutoIt&nbsp;script&nbsp;that&nbsp;prepares the&nbsp;environment&nbsp;and&nbsp;hands over&nbsp;control.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Key function calls<\/strong>&nbsp;<\/h3>\n\n\n\n<p>This&nbsp;combination of functions looks suspicious and hints at cross-process manipulations:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kernel32.GetProcAddress&nbsp;\u2014&nbsp;Dynamic function resolution&nbsp;\n\nkernel32.CreateFileW&nbsp;\u2014&nbsp;Working with files&nbsp;\n\nkernel32.CreateProcessW&nbsp;\u2014&nbsp;Creating processes&nbsp;\n\nkernel32.CreateMutexW&nbsp;\u2014&nbsp;Creating mutexes&nbsp;\n\nkernel32.OpenProcess&nbsp;\u2014&nbsp;Opening 
process&nbsp;handles&nbsp;\n\nkernel32.ReadProcessMemory&nbsp;\u2014&nbsp;Reading the memory of other processes&nbsp;\n\nkernel32.DuplicateTokenEx&nbsp;\u2014&nbsp;Duplicating security tokens&nbsp;\n\nkernelbase.AdjustTokenPrivileges&nbsp;\u2014&nbsp;Manipulating&nbsp;the privileges&nbsp;\n\nkernel32.WriteFile&nbsp;\u2014&nbsp;Writing into files<\/code><\/pre>\n\n\n\n<p>Since full-scale&nbsp;deobfuscation&nbsp;would take up too much time,&nbsp;let\u2019s&nbsp;switch to dynamic analysis for now.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Dynamic&nbsp;Analysis: Tracing Execution<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s&nbsp;launch&nbsp;<strong>AutoIt3.exe<\/strong>&nbsp;in&nbsp;<strong>x32dbg&nbsp;<\/strong>with breakpoints at the functions&nbsp;we\u2019ve&nbsp;listed above, passing the compiled script&nbsp;<strong>freely.a3x&nbsp;<\/strong>as a parameter.&nbsp;<\/p>\n\n\n\n<p>Soon after the initialization of&nbsp;<strong>AutoIt3.exe<\/strong>, we see a&nbsp;<strong>kernel32.CreateProcessW<\/strong>&nbsp;call that starts&nbsp;<strong>jsc.exe<\/strong>, the final link of our chain.&nbsp;<\/p>\n\n\n\n<p>Note: this is the JScript.NET compiler, a part of&nbsp;an older&nbsp;.NET Framework.&nbsp;What\u2019s&nbsp;unusual&nbsp;is that no extra data is passed&nbsp;via&nbsp;lpCommandLine.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"462\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-1024x462.png\" alt=\"\" class=\"wp-image-17683\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-1024x462.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-300x135.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-768x346.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-1536x693.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-370x167.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-270x122.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW-740x334.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/DbgCreateProcessW.png 1650w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A breakpoint at&nbsp;the CreateProcessW&nbsp;function. A jsc.exe&nbsp;child&nbsp;process is created with the CREATE_SUSPENDED flag&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Also,&nbsp;there\u2019s&nbsp;a&nbsp;<strong>CREATE_SUSPENDED<\/strong>&nbsp;flag in&nbsp;<strong>dwCreationFlags<\/strong>, which points&nbsp;to&nbsp;an&nbsp;uncommon&nbsp;use of&nbsp;<strong>jsc.exe<\/strong>. But how does it get the&nbsp;payload?&nbsp;<\/p>\n\n\n\n<p>The next&nbsp;sequence&nbsp;of calls reveals this:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kernel32.CreateProcessW&nbsp;<\/strong>creates&nbsp;the&nbsp;<strong>jsc.exe<\/strong>&nbsp;process flagged as&nbsp;<strong>CREATE_SUSPENDED.<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kernel32.GetThreadContext&nbsp;<\/strong>retrieves the registers&nbsp;\u2014&nbsp;the context&nbsp;of&nbsp;the main thread. This is typical preparation for&nbsp;<strong>process&nbsp;hollowing<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kernel32.VirtualAllocEx&nbsp;<\/strong>allocates&nbsp;a&nbsp;0x3B000-byte&nbsp;memory&nbsp;area&nbsp;in the jsc.exe process with&nbsp;<strong>MEM_COMMIT&nbsp;|&nbsp;MEM_RESERVE&nbsp;<\/strong>flags&nbsp;and&nbsp;<strong>PAGE_EXECUTE_READWRITE<\/strong>&nbsp;protection. 
This allows arbitrary code to be placed there and executed.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"462\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-1024x462.png\" alt=\"\" class=\"wp-image-17638\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-1024x462.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-300x135.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-768x346.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-1536x693.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-370x167.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-270x122.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5-740x334.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image5.png 1650w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The&nbsp;memory&nbsp;area&nbsp;allocation&nbsp;in the child process&nbsp;with execute permission (PAGE_EXECUTE_READWRITE)&nbsp;&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>To confirm&nbsp;this&nbsp;and extract the key module,&nbsp;let\u2019s&nbsp;keep&nbsp;tracing&nbsp;the malware. The next critical call is&nbsp;<strong>kernel32.WriteProcessMemory<\/strong>. Among its arguments is a&nbsp;pointer to a buffer&nbsp;with loaded data,&nbsp;featuring the familiar<strong>&nbsp;PE Magic<\/strong>&nbsp;and&nbsp;<strong>DOS Stub<\/strong>&nbsp;signatures. 
This clearly means that a&nbsp;<strong>PE file<\/strong>&nbsp;is injected into&nbsp;the&nbsp;<strong>jsc.exe&nbsp;<\/strong>process.&nbsp;<\/p>\n\n\n\n<p>At this stage, we can safely dump a clean binary from the memory.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"506\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-1024x506.png\" alt=\"\" class=\"wp-image-17639\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-1024x506.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-1536x759.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-2048x1012.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image6-740x366.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A breakpoint at&nbsp;WriteProcessMemory. The malicious&nbsp;PE image&nbsp;is written into&nbsp;the&nbsp;allocated&nbsp;memory&nbsp;area&nbsp;&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The payload is revealed, but&nbsp;we continue&nbsp;unraveling&nbsp;the entire chain&nbsp;until the final call \u2014&nbsp;<strong>kernel32.ResumeThread<\/strong>. 
This will&nbsp;help us make sure that&nbsp;the malware&nbsp;doesn\u2019t&nbsp;do anything extra,&nbsp;like&nbsp;embedding another hidden&nbsp;process,&nbsp;before the control&nbsp;handover.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The next&nbsp;critical&nbsp;step is the call to&nbsp;<strong>kernel32.ReadProcessMemory<\/strong>. At this stage,&nbsp;the&nbsp;threat&nbsp;obtains a&nbsp;pointer to the PEB (Process Environment Block) structure, from which&nbsp;it&nbsp;extracts&nbsp;<strong>PEB.ImageBaseAddress&nbsp;<\/strong>(the base load address). This address is then overwritten with the base address of the&nbsp;injected PE module.&nbsp;That\u2019s&nbsp;crucial for&nbsp;the standard loading mechanisms of Windows, including early&nbsp;<strong>ntdll.LdrInitializeThunk<\/strong>&nbsp;initialization,&nbsp;as it allows for&nbsp;the correct processing of import tables,&nbsp;relocations, and the restoration of the image\u2019s data.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"506\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-1024x506.png\" alt=\"\" class=\"wp-image-17640\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-1024x506.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-1536x759.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-2048x1012.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image7-740x366.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>A breakpoint at&nbsp;ReadProcessMemory. Extraction of&nbsp;PEB.ImageBaseAddress&nbsp;of the&nbsp;child&nbsp;process&nbsp;to&nbsp;replace it&nbsp;with&nbsp;the&nbsp;base&nbsp;address of&nbsp;the injected PE&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After this,&nbsp;<strong>kernel32.WriteProcessMemory<\/strong>&nbsp;is called, which completes the stage of replacing the base address in the&nbsp;<strong>PEB&nbsp;<\/strong>structure.&nbsp;<\/p>\n\n\n\n<p>Next,&nbsp;<strong>kernel32.SetThreadContext&nbsp;<\/strong>is invoked, almost&nbsp;finalizing&nbsp;the process hollowing. At this stage, the malware writes a pointer to the entry point&nbsp;of the injected module into the&nbsp;<strong>EAX&nbsp;<\/strong>register.&nbsp;<\/p>\n\n\n\n<p>After the call to&nbsp;<strong>kernel32.ResumeThread<\/strong>, control is&nbsp;handed over&nbsp;to&nbsp;<strong>ntdll.LdrInitializeThunk<\/strong>, which performs loader initialization and prepares the process execution environment.&nbsp;<\/p>\n\n\n\n<p>Once initialization is complete,&nbsp;<strong>ntdll.LdrInitializeThunk<\/strong>&nbsp;calls&nbsp;<strong>ntdll.NtContinue<\/strong>, restoring&nbsp;the execution context.&nbsp;<\/p>\n\n\n\n<p>As a result,&nbsp;the&nbsp;execution continues from the address stored in the&nbsp;<strong>EIP&nbsp;<\/strong>register. 
This is the beginning of the&nbsp;<strong>ntdll.RtlUserThreadStart&nbsp;<\/strong>procedure, which places the entry point from the&nbsp;<strong>EAX&nbsp;<\/strong>register onto the stack&nbsp;in accordance with&nbsp;the&nbsp;<strong>__stdcall&nbsp;<\/strong>calling&nbsp;convention&nbsp;and then&nbsp;hands over&nbsp;control to&nbsp;<strong>ntdll.__RtlUserThreadStart.<\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"506\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-1024x506.png\" alt=\"\" class=\"wp-image-17641\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-1024x506.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-1536x759.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-2048x1012.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image8-740x366.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A breakpoint at&nbsp;SetThreadContext, writing the&nbsp;EntryPoint&nbsp;of the injected module into the EAX&nbsp;register&nbsp;before resuming the thread&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Notably, this is not&nbsp;a&nbsp;common&nbsp;<strong>process&nbsp;hollowing<\/strong>. The regular method includes&nbsp;the removal&nbsp;of the original memory&nbsp;area&nbsp;via&nbsp;<strong>NtUnmapViewOfSection<\/strong>. 
But in CastleLoader\u2019s case, the malware intentionally skips this step.<\/p>\n\n\n\n<p>To monitoring tools like <strong>System Informed<\/strong>, the process doesn\u2019t look suspicious. It is also not part of an event chain known to <strong>EDR<\/strong>.<\/p>\n\n\n\n<p>This lowers the probability of detection without disrupting the processing of the module\u2019s tables and structures, so the injected module keeps functioning normally.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Preliminary Results<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Inno Setup as a Delivery Container<\/h3>\n\n\n\n<p>The original <strong>Inno Setup<\/strong> installer turned out to be a container with a set of auxiliary files, among which the <strong>AutoIt3.exe + freely.a3x<\/strong> combination played the key role. We were able to extract and partially decompile the <strong>AutoIt script<\/strong>; however, most of its logic was heavily obfuscated and consisted of numerous wrappers around the <strong>WinAPI<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AutoIt Script and Process Hollowing via jsc.exe<\/h3>\n\n\n\n<p>Static analysis showed that the script prepares the environment and launches the next stage, while dynamic analysis confirmed that after <strong>jsc.exe<\/strong> is started, one of the <strong>process hollowing<\/strong> techniques is executed: another executable module is injected into the process\u2019s address space.<\/p>\n\n\n\n<p>As a result, we discovered a fully functional <strong>PE file<\/strong> \u2014 the main <strong>CastleLoader<\/strong> module \u2014 inside the process and successfully dumped it for further analysis.<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Evasion Through Multi-Stage Execution<\/h3>\n\n\n\n<p>Such a sophisticated multi-stage execution chain was not implemented merely to complicate analysis, but specifically as an attempt <strong>to conceal the execution of the main payload<\/strong> from detection mechanisms. Using <strong>Inno Setup<\/strong> as a container, an <strong>AutoIt<\/strong> script as an intermediate layer, and process hollowing of <strong>jsc.exe<\/strong> allows CastleLoader to spread its logic across several components that appear benign at first glance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Post-Execution Artifacts on Disk<\/h3>\n\n\n\n<p>After the loader completes its execution, the files extracted by the <strong>Inno Setup<\/strong> installer remain on disk. This may either be a deliberate attempt to mimic the normal behavior of legitimate software, which often leaves installation artifacts behind, or simply an implementation flaw. Given the relative novelty of the malware family, it\u2019s probably the latter.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Impact on Detection Mechanisms<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Static signatures, simple behavioral heuristics, and process monitoring systems become ineffective<\/p>\n<\/blockquote>\n\n\n\n<p>This execution model reduces the likelihood of detection, as each individual stage appears legitimate, and the final payload only manifests in memory after the controlled process has been altered. 
As a result, static signatures, simple behavioral heuristics, and process monitoring systems become ineffective. A fully functional malicious module exists only at runtime, and only within an already modified process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Going Back to Static Analysis<\/h2>\n\n\n\n<p>After loading the memory dump into <strong>Ghidra<\/strong>, let\u2019s start analyzing its execution context. Right after opening the dump, we see a <strong>kernel32.MessageBoxW<\/strong> call, which displays a fake error message: &#8220;System Error. The program can&#8217;t start because VCRUNTIME140.dll is missing from your computer. Try reinstalling the program to fix this problem.&#8221;<\/p>\n\n\n\n<p>After that, the execution of the malicious code continues.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView-1024x566.png\" alt=\"\" class=\"wp-image-17685\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraFisrtView.png 1098w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>WinMain entry point in the Ghidra decompiler. 
Early analysis of the malicious code\u2019s structure<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>During the analysis, we see functions whose arguments are unclear values. By studying their references, we see that they are actively called throughout the program\u2019s execution.<\/p>\n\n\n\n<p>In <strong>FUN_00e469f0<\/strong>, the first argument of the function is a pointer to the start of a <strong>PE module<\/strong>. First, the value is dereferenced and checked for the DOS header signature 0x5A4D (\u201cMZ\u201d). This is followed by validation of the <strong>NT<\/strong> headers and decomposition of the PE\u2019s key structures.<\/p>\n\n\n\n<p>The function manually accesses the export table, locating it relative to the module base address (IMAGE_DOS_HEADER*). Then each exported symbol name goes through an embedded hash function, and the calculated hash is compared with the target value.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"507\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash-1024x507.png\" alt=\"\" class=\"wp-image-17686\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash-1024x507.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash-300x149.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash-768x381.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash-270x134.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash-740x367.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetProcAddressByHash.png 1098w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>GetProcAddressByHash function: dynamic resolution of API addresses by name hash<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Since we now know the origin of each digest and the way the function resolves the required <strong>API<\/strong>s by hash, we can gather a set of potentially used network functions, run their names through the hashing algorithm, and generate an enumeration (<strong>enum<\/strong>) for <strong>Ghidra<\/strong>.<\/p>\n\n\n\n<p>Using the script, we automatically replaced all hashes with their corresponding function names \u2014 the result can be seen in the <strong>Equates Table<\/strong>. Each hash is now tied to a readable <strong>API<\/strong> name, along with the number of cross-references to it.<\/p>\n\n\n\n<p>This also makes it easy to track all calls of these functions via the <strong>References<\/strong> section, where each usage point carries a reference to the corresponding <strong>API<\/strong> address.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"436\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb-1024x436.png\" alt=\"\" class=\"wp-image-17644\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb-1024x436.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb-300x128.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb-768x327.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb-370x157.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb-270x115.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb-740x315.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/imageb.png 1182w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Equates table. Correlation of hashes with the names of imported WinAPI functions<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After generating the enum and substituting <strong>API<\/strong> names in the <strong>Equates Table<\/strong>, we see that the binary uses <strong>WINHTTP.WinHttpOpen<\/strong>; cross-references to the corresponding hash prove it. We annotated the function containing this call to make it easier to follow the logic. Then, by examining the cross-references to this function, we can move to its caller \u2014 the point where the <strong>HTTP session<\/strong> setup begins.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"449\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession-1024x449.png\" alt=\"\" class=\"wp-image-17687\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession-1024x449.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession-300x131.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession-768x336.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession-370x162.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession-270x118.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession-740x324.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraInitSession.png 1098w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>InitSession function: calling WinHttpOpen to initialize an HTTP session<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>While examining the <strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\">HTTP connection\u2019s<\/a><\/strong> initialization stage, we identified a function that returns a pointer to the data structure used as the initial configuration for the network logic. The format of this structure isn\u2019t clear yet, but its presence suggests a dedicated procedure responsible for creating and populating the configuration structure.<\/p>\n\n\n\n<p>We annotated several references around the returned pointer and proceeded to analyze the function that builds the configuration structure. This is done to restore its components and understand which parameters are used for the network connection.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"347\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig-1024x347.png\" alt=\"\" class=\"wp-image-17689\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig-1024x347.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig-300x102.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig-768x260.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig-370x125.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig-270x91.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig-740x251.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraGetMalwareConfig.png 1098w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>GetMalwareConfig call and handover of the configuration to InitSession for establishing the connection<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Several nested functions lead us to a large procedure in which the configuration data is prepared. Its values aren\u2019t static strings but a mass of encrypted bytes, packed into <strong>DWORD<\/strong>s holding two <strong>UTF-16LE<\/strong> characters each and placed directly on the stack. 
This data is post-processed with a simple byte-by-byte XOR transformation into string buffers.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"452\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor-1024x452.png\" alt=\"\" class=\"wp-image-17690\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor-1024x452.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor-300x133.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor-768x339.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor-370x163.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor-270x119.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor-740x327.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/GhidraXor.png 1098w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The function that builds the configuration \u2014 XOR decoding of configuration strings with a cyclic key on the stack<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The temporary buffers are then passed to <strong>UniStr::Copy<\/strong> and copied into fixed global addresses. All of these addresses are laid out sequentially in the <strong>.data<\/strong> section, effectively forming a single contiguous configuration block.<\/p>\n\n\n\n<p>At the end, the function returns the address of the first element (<strong>0xE67830<\/strong>), allowing the entire data set to be used as an array or a structure with fixed offsets.<\/p>\n\n\n\n<p><strong>An example of the decryption algorithm<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>input[8] = 0x67;\ninput[9] = 0x4a;\ninput[10] = 0xda;\ninput[0xb] = 0xb6;\nstep = 0;\ninput[0xc] = 99;\ninput[0xd] = 0x7d;\ninput[0xe] = 0xa0;\ninput[0xf] = 0xe4;\ninput[0x10] = 0x31;\ninput[0x11] = 0x62;\ninput[0x12] = 0x87;\ninput[0x13] = 0xa7;\ninput[0x14] = 0x62;\ninput[0x15] = 0x49;\ninput[0x16] = 0x98;\ninput[0x17] = 0x98;\ninput[0x18] = 0x6c;\ninput[0x19] = 0x6d;\ninput[0x1a] = 0xbf;\ninput[0x1b] = 0xaa;\ninput[0x1c] = 0;\ndo {\n  \/\/ three bytes per iteration; the key index cycles through 0..3 (a 4-byte key)\n  output[step + 8] = (ushort)(byte)(&amp;key)[step &amp; 3] ^ input[step + 8];\n  output[step + 9] = (ushort)(byte)(&amp;key)[step + 1 &amp; 3] ^ input[step + 9];\n  output[step + 10] = (ushort)(byte)(&amp;key)[step + 2 &amp; 3] ^ input[step + 10];\n  step = step + 3;\n} while (step &lt; 0x15);\nUniStr::Copy(&amp;DAT_00e67848,(short *)(output + 8));\n\n\/\/ In this fragment, a small static block of data (a byte array) is formed on the stack.\n\/\/ Then, byte by byte, it is decrypted by XORing it with a cyclic four-byte key.\n\/\/ Decrypted bytes are widened to UTF-16LE characters and written into an output buffer,\n\/\/ which is then copied into the global memory region via UniStr::Copy.\n\/\/ Basically, this is a simple custom string decryption using fixed byte arrays and cyclic XOR\n\/\/ masking by index, with conversion to Unicode.<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Building a Custom Parser<\/h2>\n\n\n\n<p>After manually decrypting several strings, 
we realized that the process could be automated. The extraction logic used by <strong>CastleLoader<\/strong> is known: it has a single <strong>UTF-16LE DWORD<\/strong> pattern, a loop construct, and fixed addresses from which the <strong>XOR<\/strong> key bytes are taken. That\u2019s enough to identify the repeating code fragments and write a Python script that extracts all strings from the dump in a single pass.<\/p>\n\n\n\n<p><strong>Parser\u2019s results<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>E32E6D: %s\/settings\/%s\nE33F4C: windows_version\nE3417F: machine_id\nE33D70: access_key\nE35E40: %s\/tasks\/complete\/id\/%lu\nE37732: http:\/\/94[.]159[.]113[.]32\/service (C2)\nE377D2: gM7dczM61ejubNuJljRx (UserAgent)\nE378A8: N3sBJNQKOyBSqzOgQSQVf9 (Mutex)\nE3F4E9: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36<\/code><\/pre>\n\n\n\n<p>&#8230; and so on.<\/p>\n\n\n\n<p>The analysis of the configuration function was the right call. We ended up with the entire array of strings used by <strong>CastleLoader<\/strong>. The result is the <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/tree\/main\/Extractors\/CastleLoader\" target=\"_blank\" rel=\"noreferrer noopener\">published script<\/a>.<\/p>\n\n\n\n<p>Most importantly, the resulting strings contain the very <strong>C2 address<\/strong> we saw in the sandbox analysis. Now it\u2019s extracted not as a side effect of network activity, but as part of the malware\u2019s configuration. 
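The decoding routine and the parser idea described above, as an added example that is not ANY.RUN's published script: it walks Ghidra-style decompiler text in one pass, collects each `input[...] = ...;` block, XORs it with a cyclic key counted from the block start (the page's `step & 3`), widens the result to UTF-16 code units and maps it to the `DAT_` global it is copied into. The real XOR key is not on the page, so `SAMPLE_KEY`, the decompiler fragment and the label `DAT_00e67860` are constructed (the bytes encode two of the page's config strings under that key).

```python
import re

# Constructed 4-byte key: the real key sits at a fixed address in the dump
# and is not reproduced on the page, so this value is an assumption.
SAMPLE_KEY = bytes([0x5A, 0xC3, 0x7E, 0x11])

# Constructed decompiler output in the same shape as the page's fragment:
# mixed decimal/hex indices and values, an unrelated `step = 0;` in the
# middle, the three-wide XOR loop, and a UniStr::Copy into a .data global
# (DAT_00e67860 is a made-up label). Under SAMPLE_KEY the two blocks decode
# to "windows_version" and "machine_id"; the last byte of each decodes to NUL.
SAMPLE_FRAGMENT = """
input[8] = 0x2d;
input[9] = 0xaa;
input[10] = 0x10;
input[0xb] = 0x75;
step = 0;
input[0xc] = 0x35;
input[0xd] = 0xb4;
input[0xe] = 13;
input[0xf] = 0x4e;
input[0x10] = 0x2c;
input[0x11] = 0xa6;
input[0x12] = 0xc;
input[0x13] = 0x62;
input[0x14] = 0x33;
input[0x15] = 0xac;
input[0x16] = 0x10;
input[0x17] = 0x11;
do {
  output[step + 8] = (ushort)(byte)(&key)[step & 3] ^ input[step + 8];
  output[step + 9] = (ushort)(byte)(&key)[step + 1 & 3] ^ input[step + 9];
  output[step + 10] = (ushort)(byte)(&key)[step + 2 & 3] ^ input[step + 10];
  step = step + 3;
} while (step < 0x10);
UniStr::Copy(&DAT_00e67848,(short *)(output + 8));
input[0x20] = 0x37;
input[0x21] = 0xa2;
input[0x22] = 0x1d;
input[0x23] = 0x79;
input[0x24] = 0x33;
input[0x25] = 0xad;
input[0x26] = 0x1b;
input[0x27] = 0x4e;
input[0x28] = 0x33;
input[0x29] = 0xa7;
input[0x2a] = 0x7e;
UniStr::Copy(&DAT_00e67860,(short *)(output + 0x20));
"""

# `input[<index>] = <byte>;` assignments and the Copy that ends a block.
ASSIGN_RE = re.compile(r"input\[(0x[0-9a-f]+|\d+)\]\s*=\s*(0x[0-9a-f]+|\d+)\s*;", re.I)
COPY_RE = re.compile(r"UniStr::Copy\(\s*&(DAT_[0-9a-f]+)\s*,", re.I)


def _num(token):
    """Decompiler literals are either 0x-prefixed hex or plain decimal."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def xor_decode(data, key):
    """Apply the loader's transform to one block: byte i is XORed with
    key[i % len(key)] (the page's `step & 3` for a 4-byte key, counted from
    the start of the block) and widened to a UTF-16LE code unit. The string
    ends at the first decoded NUL; without one the whole block is the string."""
    chars = []
    for i, b in enumerate(data):
        c = b ^ key[i % len(key)]
        if c == 0:
            break
        chars.append(chr(c))
    return "".join(chars)


def extract_strings(decompiled, key):
    """Single pass over decompiler text: every `input[i] = v;` that precedes
    a UniStr::Copy belongs to that Copy's block. Returns {DAT_label: string}.
    A block must be contiguous from its lowest index; a gap means the regex
    missed an assignment, so fail loudly instead of decoding garbage."""
    result = {}
    pos = 0
    for copy in COPY_RE.finditer(decompiled):
        cells = {}
        for m in ASSIGN_RE.finditer(decompiled, pos, copy.start()):
            value = _num(m.group(2))
            if not 0 <= value <= 0xFF:
                raise ValueError(f"non-byte value in {m.group(0)!r}")
            cells[_num(m.group(1))] = value
        pos = copy.end()
        if not cells:
            continue
        lo, hi = min(cells), max(cells)
        gap = next((i for i in range(lo, hi + 1) if i not in cells), None)
        if gap is not None:
            raise ValueError(f"block for {copy.group(1)} lacks input[{gap:#x}]")
        data = bytes(cells[i] for i in range(lo, hi + 1))
        result[copy.group(1)] = xor_decode(data, key)
    return result
```

Running `extract_strings(SAMPLE_FRAGMENT, SAMPLE_KEY)` yields the two labels mapped to `windows_version` and `machine_id`; on a real dump the same pass over the decompiled configuration function gives the address-to-string list shown above.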
This decisively confirms its role and proves that the retrieved <strong>IOCs<\/strong> are reliable for detection and analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Observations<\/h2>\n\n\n\n<p>Since we wanted to demonstrate the entire analysis process from start to finish, we deliberately followed the extended analysis path, from forming hypotheses to testing and adjusting them. In practice, many of these stages could have been skipped.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>ANY.RUN<\/strong> provides sufficiently detailed telemetry to significantly shorten the analysis.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>ANY.RUN<\/strong> provides sufficiently detailed telemetry to significantly shorten the analysis. For example, we didn\u2019t have to investigate the <strong>Inno Setup module<\/strong>, since the sample did not remove the extracted files afterwards.<\/p>\n\n\n\n<p>The final process could have been dumped immediately, too, bypassing the intermediate stages, as it was the only one that actually interacted with the network and generated traffic.<\/p>\n\n\n\n<p>Nevertheless, the <strong>full walkthrough proved valuable<\/strong>: it allowed us to reconstruct the entire execution chain, understand the loader\u2019s internal logic, and verify that the extracted data really indicates CastleLoader\u2019s presence. This approach gave us not only the final set of IOCs, but also an understanding of the mechanisms behind them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions trusted by security teams worldwide. 
The platform combines&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">real-time sandboxing<\/a>&nbsp;with a comprehensive intelligence ecosystem, including&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>,&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, and public malware submissions.&nbsp;<\/p>\n\n\n\n<p>More than 500,000 security analysts and 15,000 organizations rely on ANY.RUN to accelerate investigations, validate TTPs, collect fresh IOCs, and track emerging threats through live, behavior-driven analysis.&nbsp;<\/p>\n\n\n\n<p>By giving defenders an interactive, second-by-second view of malware execution, ANY.RUN enables faster detection, better-informed decisions, and a stronger overall security posture.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=castleloader_analysis&amp;utm_term=130126&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Discover how ANY.RUN can enhance your SOC \u2014 start your 14-day trial today.<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs\u00a0<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Analyzed Files<\/strong>&nbsp;<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-267\"\n           
style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"4\"\n           data-wpID=\"267\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Name\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                  
                      SHA256\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856.exe\u00a0(Inno Setup Installer)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9A0960C674378A049B8D9AD0E1C641C3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0580A364AB986B051398A78D089300CF73481E70\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        8B7C1657F4D5CF0CC82D68C1F1A385ADF0DE27D46FC544BBA249698E6B427856\u00a0       
             <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        freely.a3x\u00a0(AutoIt\u00a0Script)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        AFBABA49796528C053938E0397F238FF\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DD029CD4711C773F87377D45A005C8D9785281A3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        FDDC186F3E5E14B2B8E68DDBD18B2BDA41D38A70417A38E67281EB7995E24BAC\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        payload.exe\u00a0(CastleLoader\u00a0Core Module)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1E0F94E8EC83C1879CCD25FEC59098F1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9E11E8866F40E5E9C20B1F012D0B68E0D56E85B3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DFAF277D54C1B1CF5A3AF80783ED878CAC152FF2C52DBF17FB05A7795FE29E79\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-267'>\ntable#wpdtSimpleTable-267{ table-layout: fixed 
!important; }\ntable#wpdtSimpleTable-267 td, table.wpdtSimpleTable267 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Network Indicators<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>C2 Server<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>94[.]159[.]113[.]32&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>HTTP Request<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>http:\/\/94[.]159[.]113[.]32\/service&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Mutex<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>N3sBJNQKOyBSqzOgQSQVf9&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>User-Agents<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gM7dczM61ejubNuJljRx&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>YARA Rules<\/strong>&nbsp;<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>rule CastleLoader {\n    meta:\n        author = \"ANY.RUN\"\n        date = \"2025-12-02\"\n        description = \"Identifies CastleLoader malware samples\"\n        threat = \"CastleLoader\"\n    strings:\n        $p1 = { 44 a0 2d 39 } \/\/ CreateMutexW\n        $p2 = { 82 06 d7 4e } \/\/ WinHttpOpen\n        $p3 = { 81 03 08 6f } \/\/ WinHttpConnect\n        $p4 = { 18 7b d4 2e } \/\/ WinHttpOpenRequest\n        $p5 = { e4 f4 96 33 } \/\/ WinHttpReceiveResponse\n        $p6 = { d8 da 54 96 } \/\/ ShellExecuteW\n        $p7 = { 5f 9e 43 16 } \/\/ GetUserNameW\n        $p8 = { b4 89 86 1b } \/\/ GetComputerNameW\n    condition:\n        all of ($p*)\n}<\/code><\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\"><strong>MITRE ATT&amp;CK Techniques<\/strong>&nbsp;<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-268\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"8\"\n           data-wpID=\"268\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Tactic\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Technique\u00a0                    <\/th>\n           
                                     <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0002: Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.010:\u00a0AutoHotKey\u00a0&\u00a0AutoIT\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Execution via\u00a0AutoIt\u00a0script (freely.a3x)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n           
                     <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0005: Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027.002: Software Packing\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Multi-stage: Inno Setup \u2192\u00a0AutoIt\u00a0\u2192 PE injection\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    
data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1055.012: Process Hollowing\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Process hollowing into jsc.exe\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1106: Native API\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                               
         API resolution via hash-based\u00a0GetProcAddress\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1140: Deobfuscate\/Decode Files or Information\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Runtime XOR-decoding of configuration strings (C2, User-Agent, Mutex); obfuscated\u00a0AutoIt\u00a0script\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n         
                               TA0007: Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1082: System Information Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collects\u00a0computer_name,\u00a0windows_version,\u00a0machine_id\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0011: Command and Control\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1071.001: Web Protocols\u00a0                    <\/td>\n                                     
           <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        HTTP communication to 94[.]159[.]113[.]32:80\/service\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-268'>\ntable#wpdtSimpleTable-268{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-268 td, table.wpdtSimpleTable268 th { white-space: normal !important; }\n<\/style>\n\n","protected":false},"excerpt":{"rendered":"<p>ANY.RUN\u2019s team conducted an extensive malware analysis of CastleLoader, the first link in the chain of attacks impacting various industries, including government agencies and critical infrastructures. It&#8217;s a unique walkthrough of its entire execution path, from a packaged installer to C2 server connection, as well as an overview of a parser developed to extract initialized [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":17659,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-17626","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CastleLoader\u00a0Malware Analysis: Full Execution Breakdown\u00a0<\/title>\n<meta name=\"description\" content=\"Read\u00a0full-cycle technical analysis of\u00a0CastleLoader\u00a0malware,\u00a0covering its entire multi-stage execution by ANY.RUN.\" \/>\n<meta name=\"robots\" 
content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"nevergiveupcpp\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/\"},\"author\":{\"name\":\"nevergiveupcpp\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"CastleLoader Analysis: A Deep Dive into Stealthy Loader\u00a0Targeting\u00a0Government Sector\",\"datePublished\":\"2026-01-13T08:23:58+00:00\",\"dateModified\":\"2026-01-13T13:52:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/\"},\"wordCount\":3808,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/\",\"name\":\"CastleLoader\u00a0Malware Analysis: Full Execution 
Breakdown\u00a0\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-01-13T08:23:58+00:00\",\"dateModified\":\"2026-01-13T13:52:53+00:00\",\"description\":\"Read\u00a0full-cycle technical analysis of\u00a0CastleLoader\u00a0malware,\u00a0covering its entire multi-stage execution by ANY.RUN.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/castleloader-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CastleLoader Analysis: A Deep Dive into Stealthy Loader\u00a0Targeting\u00a0Government Sector\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"nevergiveupcpp\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/photo_author_2.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/photo_author_2.jpg\",\"caption\":\"nevergiveupcpp\"},\"description\":\"A reverse engineering and C\/C++ development enthusiast with a focus on malware analysis, vulnerability research in binaries and systems, and the development of low-level libraries. Actively participates in CTF competitions and develops proof-of-concepts to study and explore advanced techniques. Follow nevergiveupcpp on: Github X Discord\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}