Blackpoint SOC Threat Pulse: Week of July 6, 2026
In this week’s Threat Pulse, the Blackpoint Security Operations Center (SOC) breaks down an incident where a user looking for game cheats downloaded a decoy tool that quietly deployed an information-stealing malware and a resource-hijacking application. The Adversary Pursuit Group also continues tracking a ClickFix-style campaign delivering the CastleLoader and CastleRAT malware, now linked to more than 60 incidents since May.
Featured Incident: Bloxed and Loaded
What we’re seeing
- The Blackpoint SOC received an alert after a program branding itself as a Roblox “script executor” (a tool commonly used to run cheats/mods) was downloaded and run by a user.
- The installer silently staged and executed additional payloads, one confirmed as an information-stealing malware (ARCStealer) and another as a resource-hijacking application (BOINC/Charity Engine) that uses the device’s processing power for a third party.
- A related credential-stealing payload was also downloaded but was blocked from executing before it could run.
What the Blackpoint SOC did
- The Blackpoint SOC isolated the device to prevent additional activity and confirmed no lateral movement or signs of persistence were present.
- Analyzed the malicious files to confirm what they were and how they behaved, distinguishing the decoy application from the actual stealer and resource-hijacking payloads.
Why this matters
- This incident shows how a single unauthorized download can lead to the deployment of malware, and highlights the value of rapid isolation in stopping that chain before it escalates further.

BROC Weekly Snapshot
What changed. What didn’t. What matters.
| Incidents Observed >80↓ | Pre-Payload Disruptions 84%↓ | Pre-Ransom Interruptions N/A |
Campaign Statuses
| Fake CAPTCHA/ClickFix | ‒ | Ongoing | 40% |
| SSL VPN Compromise | ↓ | Ongoing | 26% |
| Rogue RMM | ↑ | Ongoing | 6% |
| Trojanized Installers | ↓ | Monitoring | N/A |
Quick Take
The Blackpoint APG and SOC have been tracking a ClickFix campaign deploying the CastleLoader and CastleRAT malware; between 01 May and 02 July 2026, the Blackpoint SOC has identified more than 60 incidents very likely related to this campaign. CastleLoader is designed to bypass traditional antivirus tools, establish persistence, and load additional malware or tools. The Blackpoint SOC has interrupted 100% of these incidents prior to the attacker being able to complete their objective.
This campaign was first observed delivering a C-based and a Python-based variant of CastleLoader. However, the campaign has evolved again and has now been observed delivering the CastleRAT malware. These incidents have all included the use of finger.exe as the initial retrieval mechanism with the majority using caret (^) obfuscation on the command string.
This campaign has shown clear infrastructure rotation and has consistent evolution, likely in an attempt to evade detection. These attacks are often successful because they exploit deeply conditioned behavior, which includes completing verification steps without evaluating them. This campaign highlights why rapid detection and response at the endpoint level is critical, without it, these incidents could have led to full system compromise, stolen data, and/or the deployment of additional malware payloads.
Due to the widespread use of ClickFix as an initial access method, the Blackpoint SOC has identified several different malware variants as part of these incidents. The Blackpoint SOC has interrupted more than 75% of these incidents before any payload could be delivered and 100% of these before the attacker could complete their objective. The most common malware variants observed so far in 2026 include CastleLoader (14.3%), NetSupport RAT (6.1%), and Vidar Stealer (3.2%).
Analyst Note: ClickFix attacks can escalate from a single click to serious business risk and can result in potential downtime, loss of information, and more. Campaigns relying on ClickFix attacks have proven to be scalable and have continued to evolve and increase in adoption. The Blackpoint SOC has successfully identified these incidents each time; this campaign highlights why rapid detection and response at the endpoint level is critical; without it, these incidents could have led to full system compromise, stolen data, and/or the deployment of second stage malware, including ransomware.
DATE PUBLISHEDJuly 7, 2026
AUTHORBlackpoint Cyber
SHARE ON
2026 Annual Threat Report
What actually worked for attackers in 2025.
Most attackers aren’t breaking in
They’re logging in
Explore the real patterns behind modern intrusions in the 2026 Annual Threat Report