The CASTLELOADER IOCs below are domains observed delivering the loader's payloads, the first stage of a multi-stage intrusion that typically ends in hands-on-keyboard activity or a follow-on implant. SOC teams should hunt for DNS resolutions of these domains in Microsoft Sentinel (formerly Azure Sentinel) so that an endpoint reaching the delivery infrastructure is found before the next stage runs.
IOC Summary
Malware Family: CASTLELOADER
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | linkedmba.com | payload_delivery | 2026-06-06 | 100% |
| domain | allenjarmon.com | payload_delivery | 2026-06-06 | 100% |
| domain | writersfm.com | payload_delivery | 2026-06-06 | 100% |
| domain | crewlworkinew.com | payload_delivery | 2026-06-06 | 100% |
| domain | linkedwiz.com | payload_delivery | 2026-06-06 | 100% |
| domain | amazon-cz.com | payload_delivery | 2026-06-06 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - CASTLELOADER
// has_any matches on term boundaries: a subdomain such as cdn.linkedmba.com
// is caught, while a lookalike such as notlinkedmba.com is not.
let malicious_domains = dynamic(["linkedmba.com", "allenjarmon.com", "writersfm.com", "crewlworkinew.com", "linkedwiz.com", "amazon-cz.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. The table is populated by the DNS data connector (Windows DNS server logs); if DNS telemetry arrives through Defender for Endpoint instead, adapt the query to DeviceNetworkEvents and match on RemoteUrl. |
Scenario: Legitimate scheduled job execution
Description: A scheduled task (crontab, at, or a Windows scheduled task) run by an administrator issues DNS lookups at fixed intervals, so a query for one of the CASTLELOADER domains from that host appears on a schedule rather than in response to user activity.
Filter/Exclusion: These IOCs are domains, not file hashes, so a file_hash exclusion does not apply. Identify the task that issued the lookup (Sysmon Event ID 22 or the initiating process in endpoint telemetry), confirm its definition and intended destination, and exclude only that host and task once the lookup is shown to be expected. A periodic beacon to a delivery domain is also how a loader persists, so the timing alone is not evidence of legitimacy.
Scenario: Software update or patching process
Description: A patch-management server or host-monitoring tool (the page names OSSEC and Tripwire as examples) generates DNS lookups during its own update or reporting cycle, and a query from such a server can be mistaken for endpoint activity.
Filter/Exclusion: Compare the queried name against the tool's configured update and reporting endpoints; only a lookup that matches those endpoints is a false positive. Do not exclude the management server's process name wholesale, because a compromised server would then be invisible to the hunt.
Scenario: Legitimate PowerShell script execution
Description: An administrator's PowerShell script (run through PowerShell.exe, for example for system monitoring) performs Resolve-DnsName or Invoke-WebRequest calls against a list of hostnames that includes one of the CASTLELOADER domains, for instance while validating a blocklist.
Filter/Exclusion: Correlate the DNS event with the initiating process and script path, and review the script's contents before excluding anything. Exclude the specific script and host, not PowerShell.exe itself: loaders such as CASTLELOADER are commonly launched through PowerShell, so a blanket exclusion would remove true positives.
Scenario: Malware analysis or sandbox environment
Description: A security analyst detonates a CASTLELOADER sample in a sandbox (e.g., Cuckoo Sandbox), and the sample resolves one of the listed domains as part of its payload retrieval, producing a genuine but expected DNS query.
Filter/Exclusion: Exclude DNS queries whose Computer is a documented sandbox or analysis host, or
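The following is an added example, not code from the original page or from any Sentinel content pack. It replays the DnsEvents hunt above offline over constructed DnsEvents-style rows so that the two points that matter for this domain-only IOC set can be checked before deployment: matching on label boundaries (a subdomain such as cdn.amazon-cz.com is a hit, a lookalike such as notlinkedwiz.com is not, and case or a trailing dot does not hide a hit), and the source-host exclusion for the sandbox scenario. The host names in ANALYSIS_HOSTS and every row in SAMPLE_DNS_CSV are hypothetical.

```python
"""Offline replay of the CASTLELOADER domain hunt over constructed DNS records.

Added example; it is not part of the original page. The domain list is the
IOC table above; the host names and log rows below are constructed.
"""
import csv
import io
from typing import FrozenSet, List, Optional, Tuple

# The six payload_delivery domains from the IOC table (source: ThreatFox).
CASTLELOADER_DOMAINS = (
    "linkedmba.com", "allenjarmon.com", "writersfm.com",
    "crewlworkinew.com", "linkedwiz.com", "amazon-cz.com",
)

# Hypothetical sandbox/analysis hosts for the false-positive scenario above.
# A real exclusion list is maintained by the SOC; these are placeholders.
ANALYSIS_HOSTS: FrozenSet[str] = frozenset({"sbx-cuckoo01", "ti-enrich01"})

# Constructed DnsEvents-style export (TimeGenerated, Computer, Name, QueryType).
SAMPLE_DNS_CSV = """\
TimeGenerated,Computer,Name,QueryType
2026-06-06T10:00:00Z,WS-FIN-07,linkedmba.com,A
2026-06-06T10:05:00Z,WS-HR-02,cdn.amazon-cz.com,A
2026-06-06T10:06:00Z,WS-HR-02,amazon.com,A
2026-06-06T10:07:00Z,SRV-WEB-01,notlinkedwiz.com,A
2026-06-06T10:08:00Z,sbx-cuckoo01,writersfm.com,A
2026-06-06T10:09:00Z,WS-FIN-07,WRITERSFM.COM.,AAAA
"""

Hit = Tuple[str, str, str, str]  # (TimeGenerated, Computer, Name, matched IOC)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot a resolver may log for an FQDN."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Matching on label boundaries is the point: a plain substring test would
    flag notlinkedwiz.com as linkedwiz.com, which is a false positive.
    """
    n = normalize(name)
    for ioc in CASTLELOADER_DOMAINS:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def substring_match(name: str) -> bool:
    """The naive check, kept only to contrast with matched_ioc()."""
    n = normalize(name)
    return any(ioc in n for ioc in CASTLELOADER_DOMAINS)


def parse_events(csv_text: str) -> List[dict]:
    """Parse exported DnsEvents rows (constructed here) into dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hunt(events: List[dict], exclude_hosts: FrozenSet[str] = frozenset()) -> List[Hit]:
    """Keep queries for IOC domains, drop documented analysis hosts, newest first
    (the KQL `order by TimeGenerated desc`)."""
    hits: List[Hit] = []
    for ev in events:
        ioc = matched_ioc(ev["Name"])
        if ioc is None:
            continue
        if ev["Computer"].lower() in exclude_hosts:
            continue  # sandbox/analysis host: an expected lookup, not an incident
        hits.append((ev["TimeGenerated"], ev["Computer"], ev["Name"], ioc))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    rows = parse_events(SAMPLE_DNS_CSV)
    for hit in hunt(rows, ANALYSIS_HOSTS):
        print(*hit, sep="\t")
```

Run as-is it prints three hits: the two WS-FIN-07 lookups and the cdn.amazon-cz.com subdomain from WS-HR-02; the sandbox host's lookup is dropped by the exclusion and notlinkedwiz.com never matches. The exclusion keys on Computer, which is the only safe key for domain IOCs; a process-name exclusion for PowerShell.exe or a scheduler would silence exactly the hosts a loader lives on.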