Malware | May 15, 2026
LinkedIn Search leads to #CastleLoader delivering #AsyncRAT. Attackers use Clickfix lures with fa...
CastleLoader malware delivers AsyncRAT via LinkedIn Clickfix lures with fake verification popups.
Summary
Attackers are leveraging LinkedIn Search results to distribute CastleLoader, a malware loader that delivers the AsyncRAT remote access trojan. The campaign uses Clickfix social engineering tactics with counterfeit browser verification popups to disguise malicious PowerShell activity. CastleLoader employs RC4 encryption with the first 64 bytes of the payload as the decryption key to evade security filters.
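For analysts handling a captured blob, the key-prefixed RC4 layout described above can be unwrapped offline. The following is an added example, not code from the campaign or from this report; it assumes the ciphertext follows the 64-byte key directly, and the names `unwrap`, `triage` and `KEY_LEN` are hypothetical.

```python
"""Analyst-side unwrapping of a key-prefixed RC4 blob (layout is an assumption)."""

KEY_LEN = 64  # per the summary: the first 64 bytes of the payload are the RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap(blob: bytes) -> bytes:
    """Split key || ciphertext (assumed layout) and return the decrypted body."""
    if len(blob) <= KEY_LEN:
        raise ValueError("blob too short to hold a 64-byte key and a body")
    return rc4(blob[:KEY_LEN], blob[KEY_LEN:])


def triage(plain: bytes) -> str:
    """Coarse label for the decrypted body, for routing in an analysis pipeline."""
    if plain[:2] == b"MZ":
        return "pe"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plain)
    if plain and printable / len(plain) > 0.9:
        return "text"
    return "unknown"


# Constructed sample: a harmless string wrapped in the assumed layout.
SAMPLE_KEY = bytes(range(64))
SAMPLE_BLOB = SAMPLE_KEY + rc4(SAMPLE_KEY, b"constructed test body, not malware")

if __name__ == "__main__":
    body = unwrap(SAMPLE_BLOB)
    print(triage(body), body)
```

Because the key travels with the ciphertext, the blob on the wire looks like random bytes to content filters, yet it needs no other secret to decrypt once captured.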
Indicators of Compromise
- malware — CastleLoader
- malware — AsyncRAT
- mitre_attack — T1566.002
- mitre_attack — T1036.005
- mitre_attack — T1140
Entities
Clickfix (campaign)