Back to Intelligence

CastleLoader RAT, TDS Malware Distribution, and Operation GriefLure: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 6, 2026
5 min read

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated credential harvesting, malware distribution ecosystems, and targeted APT activity.

  1. ClickFix & CastleLoader: A widespread phishing campaign abuses trust in recruitment platforms (LinkedIn/Indeed) via typosquatting and Google Ads. Attackers utilize "Fake CAPTCHA" pages to trick users into executing a command chain involving the legacy Windows Finger protocol, deploying a portable Python-based RAT (CastleLoader).

  2. Traffic Distribution System (TDS): A massive operation impersonates open-source tools (Ghidra, dnSpy) to hijack search traffic. This infrastructure uses CloudFront to obfusc JavaScript that redirects victims to a TDS, distributing SessionGate, RemusStealer, and AnimateClipper.

  3. Operation GriefLure: A highly targeted APT campaign focuses on Vietnam's military telecommunications (Viettel) and Philippine healthcare. Threat actors weaponize legitimate legal documents and fabricated whistleblower complaints to deliver custom payloads (sfsvc.exe, 360.dll).

Collective Objective: Financial theft (crypto clippers), espionage (telecom/healthcare), and long-term persistence via living-off-the-land (LOLBin) techniques.

Threat Actor / Malware Profile

Malware / ActorDistribution MethodPayload BehaviorC2 & PersistenceAnti-Analysis
CastleLoaderTyposquatted job domains; Google Ads; Fake CAPTCHA; PowerShellDownloads portable Python (CPython/IronPython) to execute RAT filelesslyUnknown C2 (investigate domains: teamsvoicehub.com); Uses LOLBins for executionFileless execution via memory-resident Python;
Legacy protocol usage (finger.exe) to evade modern heuristics
RemusStealer / SessionGateSEO Poisoning; Malware TDS; Impersonated freeware sitesStealer (session cookies/crypto clippers); Clipboard manipulationConnects to TDS gateways (IPs: 194.150.220.218); HTTP/HTTPS C2CloudFront frontend; Anti-bot checks on TDS landing pages
Operation GriefLureSpear Phishing; Weaponized DOCX attachmentsCustom payloads (sfsvc.exe, 360.dll); Likely espionage toolsPersistence via Windows Service mechanisms (sfsvc.exe implies service); Living-off-the-land binariesUses legitimate-themed filenames; obfuscated document macros

IOC Analysis

The provided indicators span multiple infrastructure types:

  • Domains (Typosquatting & TDS): teamsvoicehub.com, guiformat.com, forestoaker.com. Action: Immediate blocking on DNS firewalls/proxies. Note that guiformat.com is a typosquat of the legitimate GUIFormat tool.
  • IP Addresses: 194.150.220.218, 217.156.122.75. Action: Block inbound/outbound connectivity. Correlate with DeviceNetworkEvents for successful connections.
  • File Hashes: SHA256 hashes for CastleLoader components and GriefLure payloads. Action: Add to EDR blocklists and hunt for historical presence on endpoints.
  • URLs: Direct download paths from TDS infrastructure. Action: Block URL categories; inspect SSL inspection logs for these specific paths.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix Attack - Suspicious Finger Execution
description: Detects the use of the legacy finger.exe utility, which is abused in ClickFix campaigns to download payloads.
status: experimental
date: 2026/06/06
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  condition: selection
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Legitimate administration (rare in modern environments)
level: high
---
title: Portable Python Execution - CastleLoader Indicator
description: Detects execution of portable python binaries (python.exe or pythonw.exe) from suspicious directories or spawned by cmd/powershell.
status: experimental
date: 2026/06/06
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|contains:
      - '\python.exe'
      - '\pythonw.exe'
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\mshta.exe'
  filter_legit:
    Image|contains:
      - '\Python39\'
      - '\Python310\'
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection_img and selection_parent and not filter_legit
falsepositives:
  - Developer workstations running scripts locally
level: medium
---
title: Suspicious Service Creation - GriefLure Pattern
description: Detects creation of services with suspicious names or binaries related to Operation GriefLure (sfsvc.exe).
status: experimental
date: 2026/06/06
author: Security Arsenal
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4697
    ServiceFileName|contains: 'sfsvc.exe'
  condition: selection
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known TDS and ClickFix infrastructure
let IOCs = dynamic(["teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "guiformat.com", "forestoaker.com", "194.150.220.218", "217.156.122.75"]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemoteIP has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc


kql
// Hunt for GriefLure File Hashes
let MalwareHashes = dynamic(["08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4", "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6", "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43"]);
DeviceFileEvents
| where SHA256 in (MalwareHashes)
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessAccountName, SHA256

PowerShell Hunt Script

PowerShell
# IOC Scanner for CastleLoader and GriefLure
# Requires Admin privileges for full system scan

$TargetHashes = @(
    "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43"
)

$SuspiciousDomains = @(
    "teamsvoicehub.com",
    "guiformat.com",
    "forestoaker.com"
)

Write-Host "[+] Scanning for file indicators..." -ForegroundColor Cyan
# Scan common user directories for executables matching hashes
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\AppData", "C:\Temp")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.py, *.rtf | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -in $TargetHashes) {
                Write-Host "[!] MALWARE FOUND: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking DNS Cache for TDS/ClickFix domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $SuspiciousDomains) {
    $Entries = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" }
    if ($Entries) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $Domain" -ForegroundColor Yellow
        $Entries | Format-List Entry, Data, Type
    }
}

Write-Host "[+] Scan Complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block all listed IOCs (Domains and IPs) on perimeter firewalls and proxy servers.
    • Isolate any endpoints with hits on the provided SHA256 hashes.
    • Hunt for finger.exe execution logs in SIEM; treat as critical.
  • 24 Hours:
    • Credential reset for users who may have interacted with the "ClickFix" recruitment scams or downloaded the impersonated software (Ghidra/dnSpy).
    • Review outbound proxy logs for connections to the TDS IP ranges.
  • 1 Week:
    • Implement application control to block unsigned Python binaries from running outside of %ProgramFiles%.
    • Update awareness training to include "Fake CAPTCHA" and "Job Search Malware" scenarios.
    • Review email gateway rules for attachments containing legal documents targeting the Telecom and Healthcare sectors.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptcastleloaderoperation-grieflureclickfixremusstealertraffic-distribution-system

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action