SIGS: CastleLoader/RAT

kevross33 · December 9, 2025, 9:50am

Hi,

At the end of this recordedfuture report is snort rules for CastleLoader and CastleRAT

rgonzalez · December 11, 2025, 4:07pm

Thanks @kevross33 , @kraghu has been combing through this report for signature food!

kraghu · December 12, 2025, 9:59pm

@kevross33
2066299 - ET MALWARE CastleLoader Malware Outbound Checkin (malware.rules)
Has been released, more to come soon!

kevross33 · December 15, 2025, 11:12am

There are signatures at the end in the appendix.

kraghu · December 17, 2025, 11:58pm

2066349 - ET MALWARE CastleLoader Malware Outbound Payload Request (malware.rules)
2066354 - ET MALWARE CastleLoader Malware Stager Outbound Payload Request (malware.rules)
2066355 - ET MALWARE CastleLoader Malware Inbound Command Retrieval via Finger Service (malware.rules)
2066356 - ET MALWARE CastleRAT Malware Outbound Handshake (malware.rules)

kraghu · December 19, 2025, 12:19am

Topic		Replies	Views
SIG: ET TROJAN Interlock.RansomGroup RAT Initial Callback Rule Signatures	1	107	April 22, 2025
SIGS: Zloader Rule Signatures	2	127	December 17, 2024
SIG: ET MALWARE Possible Mints.Loader GET Request Rule Signatures	2	58	April 29, 2025
Community Review - February 23, 2024 Announcements	0	137	February 23, 2024
Weekly Community Review - September 27, 2023 Announcements	0	351	October 2, 2023