Email Security: Darktrace's Approach to Safe New Contacts
Effective email security should provide full protection and keep business running smoothly. Learn about the security approach that Darktrace Email uses!
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by Mariana Pereira, VP, Field CISO
19 Jul 2020
Antigena Email uniquely understands employees’ patterns of life, including how they behave and communicate, in order to identify anomalous behavior that it deems threatening and neutralize malicious emails in real time. This self-learning approach has enabled the technology to stop advanced attacks that other tools missed, including a Siemens impersonation attack, a QuickBooks scam, and a fake Chase fraud alert.
But how does an AI-powered approach handle the case of the ‘unusual but benign’: an email from a new contact which is highly unusual, but non-threatening?
This blog follows an employee at a marketing agency that had deployed Darktrace across its entire digital estate. The employee, Roberta, had recently organized a virtual event, and was looking to send a thank you gift to the speakers who participated. She found Patch, a leading online supplier of plants perfect for the ‘clueless urban gardener’ that Roberta felt would be a good choice.
Figure 1: The webpage of Patch, a new supplier to the organization
After visiting the website and choosing the perfect gift, Roberta signed up for the Patch newsletter with her corporate email; this was a business expense after all.
A common source of frustration arises when a team or an employee is trying to do new things, but is stopped by security policies that pre-define what they are allowed to do or who they can contact. Some email security vendors take the approach that only known correspondents or pre-approved domains can send emails to employees’ corporate addresses. This principle, while effective at keeping out many spam and spoofing emails, will also block unusual but legitimate, and potentially important, emails from making their way into the inbox, leading to frustration.
Planting the seed
Thankfully for Roberta, Darktrace’s AI contextualizes email anomalies with an understanding of the user that looks beyond the inbox and draws insights from across employees’ digital footprint. A holistic understanding of both email and network traffic enabled the AI to recognize that Roberta had visited the Patchplants.com website and signed up for the newsletter. This prior event contextualized the subsequent email and allowed Darktrace to recognize that despite being anomalous and new, this email was legitimate and no action was necessary.
Figure 2: Darktrace’s Email Dashboard surfaces a high rarity score of 99
No other employee at the company had ever received mail from this domain, with Antigena Email giving the email a rarity score of 99. However, the brief interaction with the website helped the AI decide that even though this was a highly unusual domain, it was not a threat, and the email was promptly delivered.
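The decision described above, rarity of the sender domain across the organisation combined with the recipient's own prior web visit to that domain, as an added illustration in Python. This is not Darktrace's code; the mail history, proxy log, scoring formula and seven-day window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the post: inbound mail already seen by the
# organisation, a proxy log of outbound web visits, and the messages to triage.
MAIL_HISTORY = [
    {"to": "roberta@agency.example", "from_domain": "client-a.example"},
    {"to": "roberta@agency.example", "from_domain": "client-a.example"},
    {"to": "dev@agency.example", "from_domain": "github.com"},
    {"to": "hr@agency.example", "from_domain": "payroll.example"},
]
PROXY_LOG = [
    {"user": "roberta@agency.example", "host": "www.patchplants.com",
     "ts": datetime(2020, 7, 10, 14, 2)},
    {"user": "dev@agency.example", "host": "github.com",
     "ts": datetime(2020, 7, 10, 9, 15)},
]

def registrable(host):
    # Assumption: the last two labels approximate the registrable domain; a real
    # implementation would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def rarity_score(from_domain, history):
    """0-100; 100 means nobody in the organisation has received mail from this domain."""
    if not history:
        return 100
    seen = sum(1 for m in history
               if registrable(m["from_domain"]) == registrable(from_domain))
    return round(100 * (1 - seen / len(history)))

def prior_web_context(recipient, from_domain, proxy_log, received_at,
                      window=timedelta(days=7)):
    """Most recent visit by the recipient to the sender's domain inside the window, if any."""
    hits = [e for e in proxy_log
            if e["user"] == recipient
            and registrable(e["host"]) == registrable(from_domain)
            and received_at - window <= e["ts"] <= received_at]
    return max(hits, key=lambda e: e["ts"]) if hits else None

def triage(msg, history=MAIL_HISTORY, proxy_log=PROXY_LOG, rare_threshold=90):
    """Decide whether a rare sender is 'unusual but benign' (deliver) or unexplained (hold)."""
    score = rarity_score(msg["from_domain"], history)
    if score < rare_threshold:
        return "deliver", score, "sender domain already familiar to the organisation"
    ctx = prior_web_context(msg["to"], msg["from_domain"], proxy_log, msg["received_at"])
    if ctx is not None:
        return "deliver", score, f"recipient visited {ctx['host']} at {ctx['ts']:%Y-%m-%d %H:%M}"
    return "hold", score, "rare sender with no supporting context"

# The newsletter welcome from the post: rare domain, but Roberta browsed the site first.
NEWSLETTER = {"to": "roberta@agency.example", "from_domain": "patchplants.com",
              "received_at": datetime(2020, 7, 10, 14, 30)}
# Constructed contrast case: equally rare domain, no prior visit by the recipient.
UNKNOWN = {"to": "hr@agency.example", "from_domain": "invoice-portal.example",
           "received_at": datetime(2020, 7, 10, 14, 30)}

if __name__ == "__main__":
    for m in (NEWSLETTER, UNKNOWN):
        print(m["from_domain"], triage(m))
```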
Figure 3: The newsletter welcome email
The good, the bad and the ugly
This example demonstrates the importance of a security stack that can discern when unusual activity or an anomalous email is acceptable, and the value of user context and insights gathered across the digital ecosystem. New business often relies on new interactions that are difficult to write into security and policy rules, and so understanding the ‘unusual but benign’ is key so that businesses, like plants, can grow and thrive.
Darktrace’s AI can make these critical determinations based on its evolving understanding of the user and the business as a whole, stopping malicious emails and only the malicious emails.
Phishing attacks surge by 620% in the lead-up to Black Friday
Black Friday deals are rolling in, and so are the phishing scams
As the world gears up for Black Friday and the festive shopping season, inboxes flood with deals and delivery notifications, creating a perfect storm for phishing attackers to strike.
Contributing to the confusion, legitimate brands often rely on similar urgency cues, limited-time offers, and high-volume email campaigns used by scammers, blurring the lines between real deals and malicious lookalikes. While security teams remain extra vigilant during this period, the risk of phishing emails slipping in unnoticed remains high, as does the risk of individuals clicking to take advantage of holiday shopping offers.
Analysis conducted by Darktrace’s global analyst team revealed that phishing attacks taking advantage of Black Friday jumped by 620% in the weeks leading up to the holiday weekend, with the volume of phishing attacks expected to jump a further 20-30% during Black Friday week itself.
First observation: Brand impersonation
Brand impersonation was one of the techniques that stood out, with threat actors creating convincing emails – likely assisted by generative AI – purporting to be from household brands including special offers and promotions.
The week before Thanksgiving (15-21 November) saw 201% more phishing attempts mimicking US retailers than the same week in October, as attackers sought to profit off the back of the busy holiday shopping season. It’s not just about volume, either – attackers are spoofing brands people love to shop with during the holidays. Fake emails that look like they’re from well-known retailers like Macy’s, Walmart, and Target were up by 54% in the last week alone [1]. Even so, Amazon is the most impersonated brand, making up 80% of phishing attempts in Darktrace’s analysis of global consumer brands like Apple, Alibaba and Netflix.
While major brands invest heavily in protecting their organizations and customers from cyber-attacks, impersonation is a complicated area as it falls outside of a brand’s legitimate infrastructure and security remit. Retail brands have a huge attack surface, creating plenty of vectors for impersonation, while fake domains, social profiles, and promotional messages can be created quickly and at scale.
Second observation: Fake marketing domains
One prominent Black Friday phishing campaign observed landing in many inboxes uses fake domains purporting to be from marketing sites, like “Pal.PetPlatz.com” and “Epicbrandmarketing.com”.
These emails tend to operate in one of two ways. Some contain “deals” for luxury items such as Rolex watches or Louis Vuitton handbags, designed to tempt readers into clicking. However, the majority are tied to a made-up brand called Deal Watchdogs, which promotes “can’t-miss” Amazon Black Friday offers – designed to lure readers into acting fast to secure legitimate time-sensitive deals. Any user who clicks a link is taken to a fake Amazon website where they are tricked into inputting sensitive data and payment details.
Third observation: The impact of generative AI
The biggest shift seen in phishing in recent years is how much more convincing scam emails have become thanks to generative AI. 27% of phishing emails observed by Darktrace in 2024 contained over 1,000 characters [2], suggesting LLM use in their creation. Tools like ChatGPT and Gemini lower the barrier to entry for cyber-criminals, allowing them to create phishing campaigns that humans find difficult to spot.
Let’s take a look at a dummy email created by a member of our team without a technical background to illustrate how easy it is to spin up an email that looks and feels like a genuine Black Friday offer. With two prompts, generative AI created a convincing “sale” email that could easily pass as the real thing without requiring any technical skill.
A fake Black Friday deal email created using generative AI, with only two prompts. The image has been pixelated for marketing purposes.
Anyone can now create convincing brand spoofs, and they can do it at scale. That makes it even more important for email users to pause, check the sender, and think before they click.
Why phishing scams hurt consumers and brands
These spoofs don’t just drain shoppers’ bank accounts and grab their personal data. They erode trust, drive people away from real sites, and ultimately hurt brands’ sales. And the fakes keep getting sharper, more convincing, and harder to spot.
Though brands should implement email controls like DMARC to help reduce spoofing, they can’t stop attackers from registering new look-alike domains or using other channels. At the end of the day, human users remain vulnerable to well-crafted scams, particularly when the element of trust from a well-known brand is involved. And while brands can’t prevent all impersonation scams, the fallout can still erode consumer trust and damage their reputation.
In order to limit the impact of these scams, two things need to work together: better education so consumers know when to slow down and look twice, and email security (plus a DMARC solution and an attack surface management tool) that can adapt faster than the attackers – protecting both shoppers and the brands they love.
Tips to stay safe while Black Friday shopping online
On top of retailers implementing robust email security, there are some simple steps shoppers can take to stay safer while shopping this holiday season.
Check every website (twice). Scammers make tiny changes you can barely see. They’ll switch Walmart.com for Waimart.com and most people won’t notice. If something looks even slightly off, check the URL carefully and, if you’re unsure, search for reviews of that exact address.
Santa keeps the real gifts in the workshop. Don’t just click through from sales emails. Use them as a prompt to log in directly to the official app or site, where any genuine notifications will appear.
Look at the payment options. Real retailers usually offer a handful of recognizable ways to pay; if a site pushes only odd methods or upfront transfers, don’t use it.
Be skeptical of Christmas miracles. If a deal on a big-ticket item looks too good to be true, it usually is.
Leave the rushing to the elves. Countdown timers and “last chance” banners are designed to make you click before you think. Take a breath, double-check the sender and the site, and then decide whether to buy.
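The "Walmart.com for Waimart.com" check from the first tip, and the look-alike domain problem raised in the brand impersonation section, as an added Python example (not code from the post or from Darktrace). The brand list and the confusable-character table are constructed assumptions, and the last-two-labels view of a domain is a simplification.

```python
import unicodedata

# Constructed brand list (assumption, not the post's dataset); extend as needed.
BRAND_DOMAINS = sorted({"walmart.com", "target.com", "amazon.com", "bestbuy.com", "macys.com"})

# Substitutions attackers rely on because the glyphs look alike; applied in order.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("5", "s"), ("3", "e")]

def skeleton(label):
    """Fold a domain label to a canonical form so look-alike spellings collide."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRAND_DOMAINS):
    """Return ("legitimate" | "lookalike" | "unknown", matched brand or None)."""
    d = domain.lower().strip(".")
    for brand in brands:
        if d == brand or d.endswith("." + brand):
            return "legitimate", brand          # the brand's own domain or a subdomain of it
    label = d.rsplit(".", 1)[0].split(".")[-1]   # registrable label, e.g. "waimart"
    for brand in brands:
        blabel = brand.rsplit(".", 1)[0]
        if d.startswith(brand + "."):
            return "lookalike", brand           # brand used as a leading subdomain
        if label == blabel:
            return "lookalike", brand           # right name, wrong TLD (walmart.shop)
        if skeleton(label) == skeleton(blabel):
            return "lookalike", brand           # homoglyph swap (waimart, amaz0n)
        if edit_distance(skeleton(label), skeleton(blabel)) == 1:
            return "lookalike", brand           # single typo (walmrat, macy)
        if len(blabel) >= 5 and blabel in label:
            return "lookalike", brand           # brand embedded (walmart-blackfriday); noisy rule
    return "unknown", None

if __name__ == "__main__":
    for sample in ["walmart.com", "waimart.com", "deals.walmart.com", "amaz0n.com",
                   "walmart.com.evil.example", "example.org"]:
        print(f"{sample:28} {classify(sample)}")
```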
Email security you can trust this holiday season
The heightened holiday shopping season shines a spotlight on an uncomfortable reality: now that phishing emails are harder than ever to distinguish from legitimate brand communication, traditional spam filters and Secure Email Gateways struggle to keep up. In order to protect against communication-based attacks, organizations require email security that can evaluate the full context of an email – not just surface-level indicators – and stop malicious messages before they reach inboxes.
Darktrace / EMAIL uses Self-Learning AI to understand the behavior and patterns of every user, so it can detect the subtle inconsistencies that reveal a message isn’t genuine, from shifts in tone and writing style to unexpected links, unfamiliar senders, or off-brand visual cues. By identifying these anomalies automatically – and either holding them entirely, or neutralizing malicious elements – it removes the burden from employees to catch near-imperceptible errors and reinforces protection for the entire organization, from staff to customers to brand reputation.
Join our live broadcast on 9 December, where Darktrace will reveal new, industry-first innovations in email security keeping organizations safe this Christmas – from DMARC to DLP. Sign up to the live launch event now.
A note on methodology
Insights derive from anonymous live data across 6,500 customers protected by Darktrace / EMAIL. Darktrace created models tracking verified phishing emails that:
Explicitly mentioned Black Friday
Impersonated US retailers popular during the holiday season (Walmart, Target, Best Buy, Macy's, Old Navy, 1800-Flowers)
Impersonated major global brands (Apple, eBay, Netflix, Alibaba and PayPal)
Tracking ran from October 1 to November 21.
References
[1] Based on live tracking of phishing emails spoofing Walmart, Target, Best Buy, Macy's, Old Navy, 1800-Flowers across email inboxes protected by Darktrace. November 15 – November 21, 2025
[2] Based on analysis of 30.4 million phishing emails between December 21, 2023, and December 18, 2024. Darktrace Annual Threat Report 2024.
CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System
What is TAG-150?
TAG-150, a relatively new Malware-as-a-Service (MaaS) operator, has been active since March 2025, demonstrating rapid development and an expansive, evolving infrastructure designed to support its malicious operations. The group employs two custom malware families, CastleLoader and CastleRAT, to compromise target systems, with a primary focus on the United States [1]. TAG-150’s infrastructure included numerous victim-facing components, such as IP addresses and domains functioning as command-and-control (C2) servers associated with malware families like SecTopRAT and WarmCookie, in addition to CastleLoader and CastleRAT [2].
As of May 2025, CastleLoader alone had infected a reported 469 devices, underscoring the scale and sophistication of TAG-150’s campaign [1].
What are CastleLoader and CastleRAT?
CastleLoader is a loader malware, primarily designed to download and install additional malware, enabling chain infections across compromised systems [3]. TAG-150 employs a technique known as ClickFix, which uses deceptive domains that mimic document verification systems or browser update notifications to trick victims into executing malicious scripts. Furthermore, CastleLoader leverages fake GitHub repositories that impersonate legitimate tools as a distribution method, luring unsuspecting users into downloading and installing malware on their devices [4].
CastleRAT, meanwhile, is a remote access trojan (RAT) that serves as one of the primary payloads delivered by CastleLoader. Once deployed, CastleRAT grants attackers extensive control over the compromised system, enabling capabilities such as keylogging, screen capturing, and remote shell access.
TAG-150 leverages CastleLoader as its initial delivery mechanism, with CastleRAT acting as the main payload. This two-stage attack strategy enhances the resilience and effectiveness of their operations by separating the initial infection vector from the final payload deployment.
How are they deployed?
CastleLoader uses code-obfuscation methods such as dead-code insertion and packing to hinder both static and dynamic analysis. After the payload is unpacked, it connects to its command-and-control server to retrieve and run additional, targeted components.
Its modular architecture enables it to function both as a delivery mechanism and a staging utility, allowing threat actors to decouple the initial infection from payload deployment. CastleLoader typically delivers its payloads as Portable Executables (PEs) containing embedded shellcode. This shellcode activates the loader’s core module, which then connects to the C2 server to retrieve and execute the next-stage malware [6].
Following this, attackers deploy the ClickFix technique, impersonating legitimate software distribution platforms like Google Meet or browser update notifications. These deceptive sites trick victims into copying and executing PowerShell commands, thereby initiating the infection kill chain [1].
When a user clicks on a spoofed Cloudflare “Verification Step” prompt, a background request is sent to a PHP script on the distribution domain (e.g., /s.php?an=0). The server’s response is then automatically copied to the user’s clipboard using the ‘unsecuredCopyToClipboard()’ function [7].
The Python-based variant of CastleRAT, known as “PyNightShade,” has been engineered with stealth in mind, showing minimal detection across antivirus platforms [2]. As illustrated in Figure 1, PyNightShade communicates with the geolocation API service ip-api[.]com, demonstrating both request and response behavior.
Figure 1: Packet Capture (PCAP) of PyNightShade, the Python-based variant of CastleRAT, communicating with the geolocation API service ip-api[.]com.
Darktrace Coverage
In mid-2025, Darktrace observed a range of anomalous activities across its customer base that appeared linked to CastleLoader, including the example below from a US based organization.
The activity began on June 26, when a device on the customer’s network was observed connecting to the IP address 173.44.141[.]89, a previously unseen IP for this network along with the use of multiple user agents, which was also rare for the user. It was later determined that the IP address was a known indicator of compromise (IoC) associated with TAG-150’s CastleRAT and CastleLoader operations [2][5].
Figure 2: Darktrace’s detection of a device making unusual connections to the malicious endpoint 173.44.141[.]89.
The device was observed downloading two scripts from this endpoint, namely ‘/service/download/data_5x.bin’ and ‘/service/download/data_6x.bin’, which have both been linked to CastleLoader infections by open-source intelligence (OSINT) [8]. The archives contain embedded shellcode, which enables attackers to execute arbitrary code directly in memory, bypassing disk writes and making detection by endpoint detection and response (EDR) tools significantly more difficult [2].
Figure 3: Darktrace’s detection of two scripts from the malicious endpoint.
In addition to this, the affected device exhibited a high volume of internal connections to a broad range of endpoints, indicating potential scanning activity. Such behavior is often associated with reconnaissance efforts aimed at mapping internal infrastructure.
Darktrace / NETWORK correlated these behaviors and generated an Enhanced Monitoring model, a high-fidelity security model designed to detect activity consistent with the early stages of an attack. These high-priority models are continuously monitored and triaged by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection and Managed Detection & Response services, ensuring that subscribed customers are promptly alerted to emerging threats.
Figure 4: Darktrace detected an unusual ZIP file download alongside the anomalous script, followed by internal connectivity. This activity was correlated under an Enhanced Monitoring model.
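The three behaviours the investigation chains together (a never-before-seen external IP contacted with several user agents, the two .bin downloads from it, and a burst of internal connections) written as detection logic over a connection log, as an added Python example. This is not Darktrace's model logic; the log format, the baseline of known external IPs and the thresholds are constructed assumptions, while the IP and download paths are the indicators named in the post.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed connection log, not a real capture. The external IP and the two
# download paths are the indicators named in the post; everything else is made up.
# Fields: unix_ts,src,dst,dst_port,user_agent,uri
LOG = "\n".join([
    "1719403200,10.1.2.15,173.44.141.89,80,Mozilla/5.0 (Windows NT 10.0) Chrome/125,/service/download/data_5x.bin",
    "1719403230,10.1.2.15,173.44.141.89,80,curl/8.4.0,/service/download/data_6x.bin",
    "1719403260,10.1.2.15,173.44.141.89,80,PowerShell/7.4,/",
    "1719403000,10.1.2.40,142.250.72.14,443,Mozilla/5.0 (Windows NT 10.0) Chrome/125,/",
] + [f"{1719403300 + i},10.1.2.15,10.1.3.{i},445,," for i in range(1, 31)])

# External destinations the organisation had already contacted (constructed baseline).
ORG_BASELINE_EXTERNAL = {"142.250.72.14"}

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, src, dst, port, ua, uri = line.split(",", 5)
        rows.append({"ts": int(ts), "src": src, "dst": dst, "port": int(port), "ua": ua, "uri": uri})
    return rows

def detect(events, baseline, min_user_agents=2, scan_threshold=20):
    """Map each source device to the reasons it looks like an early-stage loader infection."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        reasons = []
        external = [e for e in evs if ip_address(e["dst"]).is_global]
        # New-to-organisation external endpoints, checked for UA churn and payload fetches.
        for ip in sorted({e["dst"] for e in external} - baseline):
            to_ip = [e for e in external if e["dst"] == ip]
            uas = {e["ua"] for e in to_ip if e["ua"]}
            if len(uas) >= min_user_agents:
                reasons.append(f"new external IP {ip} contacted with {len(uas)} user agents")
            bins = [e["uri"] for e in to_ip
                    if e["uri"].startswith("/service/download/") and e["uri"].endswith(".bin")]
            if bins:
                reasons.append(f"binary payload download from {ip}: {', '.join(bins)}")
        # Internal fan-out on one port is the reconnaissance signal.
        by_port = defaultdict(set)
        for e in evs:
            if ip_address(e["dst"]).is_private:
                by_port[e["port"]].add(e["dst"])
        for port, dsts in sorted(by_port.items()):
            if len(dsts) >= scan_threshold:
                reasons.append(f"internal scan: {len(dsts)} hosts on port {port}")
        if reasons:
            alerts[src] = reasons
    return alerts

if __name__ == "__main__":
    for device, reasons in detect(parse(LOG), ORG_BASELINE_EXTERNAL).items():
        print(device)
        for r in reasons:
            print("  -", r)
```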
Darktrace Autonomous Response
Fortunately, Darktrace’s Autonomous Response capability was fully configured, enabling it to take immediate action against the offending device by blocking any further external connections to the malicious endpoint, 173.44.141[.]89. Additionally, Darktrace enforced a ‘group pattern of life’ on the device, restricting its behavior to match other devices in its peer group so that it could not deviate from expected activity, while also blocking connections over port 443, shutting down any unwanted internal scanning.
Figure 5: Actions performed by Darktrace’s Autonomous Response to contain the ongoing attack.
Conclusion
The rise of the MaaS ecosystem, coupled with attackers’ growing ability to customize tools and techniques for specific targets, is making intrusion prevention increasingly challenging for security teams. Many threat actors now leverage modular toolkits, dynamic infrastructure, and tailored payloads to evade static defenses and exploit even minor visibility gaps. In this instance, Darktrace demonstrated its capability to counter these evolving tactics by identifying early-stage attack chain behaviors such as network scanning and the initial infection attempt. Autonomous Response then blocked the CastleLoader IP delivering the malicious ZIP payload, halting the attack before escalation and protecting the organization from a potentially damaging multi-stage compromise.
Credit to Ahmed Gardezi (Cyber Analyst) and Tyler Rhea (Senior Cyber Analyst). Edited by Ryan Traill (Analyst Content Lead).