[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3Gfl_uKuhCw3sIdwjDsSNSCIAsD2cTxwsyxkM0dudY4":3},{"article":4,"iocs":33},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":25},"46b03382-0e68-48b3-871c-792c4d0a7ab7","LinkedIn Search leads to #CastleLoader delivering #AsyncRAT. Attackers use Clickfix lures with fa...","linkedin-search-leads-to-castleloader-delivering-asyncrat-attackers-use-clickfix-b0bf3c","LinkedIn Search leads to #CastleLoader delivering #AsyncRAT. Attackers use Clickfix lures with fake verification popups to mask PowerShell activity. The loader decrypts the payload via RC4, using the first 64 bytes as a key to bypass filters. Details: https:\u002F\u002Ft.co\u002F0t5xZQFNgk https:\u002F\u002Ft.co\u002FwVOYDKffou","Attackers are leveraging LinkedIn Search results to distribute CastleLoader, a malware loader that delivers AsyncRAT remote access trojans. The campaign uses Clickfix social engineering tactics with counterfeit browser verification popups to disguise malicious PowerShell activity. 
CastleLoader employs RC4 encryption with the first 64 bytes of the payload as the decryption key to evade security filters.","CastleLoader malware delivers AsyncRAT via LinkedIn Search results, using Clickfix lures with fake verification popups.",null,"https:\u002F\u002Fx.com\u002FUnit42_Intel\u002Fstatus\u002F2055399390387282242","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIY-zEDXoAAFhWq.jpg","2026-05-15T21:26:16+00:00","2026-05-15T22:00:07.546328+00:00",9,[18],{"name":19,"type":20},"Clickfix","campaign","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":21,"icon":11,"name":23,"slug":24},"Malware","malware",[26,28],{"category":27},{"id":21,"icon":11,"name":23,"slug":24},{"category":29},{"id":30,"icon":11,"name":31,"slug":32},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[34,37,40,44,47],{"type":24,"value":35,"context":36},"CastleLoader","Loader malware delivering AsyncRAT payloads",{"type":24,"value":38,"context":39},"AsyncRAT","Remote access trojan delivered by CastleLoader",{"type":41,"value":42,"context":43},"mitre_attack","T1566.002","Phishing: Spearphishing Link (LinkedIn-based distribution)",{"type":41,"value":45,"context":46},"T1036.005","Masquerading: Match Legitimate Name or Location (fake verification popups)",{"type":41,"value":48,"context":49},"T1140","Deobfuscate\u002FDecode Files or Information (RC4 decryption using the first 64 bytes as the key)"]