RST TI Report Digest: 15 Dec 2025
ID: b1a058fc-06ca-54e0-9fff-5adf36f3b5a2
STIX ID: report--b1a058fc-06ca-54e0-9fff-5adf36f3b5a2
Feed Name: RST Cloud Blog
GrayBravo (aka TAG-150) operates a sophisticated malware-as-a-service ecosystem—deploying CastleLoader, CastleBot, CastleRAT and related tools—using phishing lures, malvertising, fake software updates and typosquatting to target multiple industries (notably logistics and hospitality). Recorded Future identifies four distinct activity clusters with unique tactics (e.g., ClickFix technique), extensive IOCs (IPs, domains, URLs, hashes, emails), and possible operational overlap with other actors such as Sparja.
