TAG-150 Enhances Malware Operations with CastleRAT Variants in Python and C

The cyber threat landscape has witnessed a significant development with the emergence of CastleRAT, a remote access trojan (RAT) engineered by the threat actor group known as TAG-150. This sophisticated malware is available in both Python and C programming languages, underscoring the group’s commitment to expanding their malicious capabilities.

CastleRAT’s primary functions include:

– System Information Collection: Gathering detailed data about the infected system to tailor subsequent malicious activities.

– Payload Management: Downloading and executing additional malicious payloads to enhance the malware’s functionality.

– Command Execution: Running commands via Command Prompt (CMD) and PowerShell, granting attackers extensive control over compromised systems.

Recorded Future’s Insikt Group has been closely monitoring TAG-150, noting that the group has been active since at least March 2025. Their operations have been characterized by the deployment of CastleLoader, a malware-as-a-service (MaaS) framework that serves as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders.

CastleLoader first came to public attention in July 2025, when Swiss cybersecurity firm PRODAFT documented its use in campaigns distributing malware such as DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. Further analysis by IBM X-Force in August 2025 revealed that CastleLoader has also been utilized to deliver MonsterV2 and WARMCOOKIE through tactics like search engine optimization (SEO) poisoning and the creation of fraudulent GitHub repositories that mimic legitimate software.

TAG-150 employs a variety of deceptive techniques to initiate infections. One notable method is the ClickFix phishing attack, which involves domains that impersonate software development libraries, online meeting platforms, browser update alerts, and document verification systems. These tactics are designed to trick users into downloading and executing malicious payloads, thereby facilitating the spread of their malware.

The development of CastleRAT began in March 2025, with TAG-150 establishing a multi-tiered command-and-control (C2) infrastructure. This setup includes:

– Tier 1 Servers: Directly interact with infected systems, issuing commands and receiving data.

– Tier 2 and Tier 3 Servers: Primarily virtual private servers (VPSes) that act as intermediaries, relaying information between Tier 1 servers and the attackers.

– Tier 4 Servers: Serve as backup servers to ensure the resilience and continuity of operations.

A distinctive feature of CastleRAT is its use of Steam Community profiles as dead drop resolvers: the C2 server address (for example, the domain programsbookss[.]com) is embedded in a seemingly innocuous profile, which the malware reads to locate its C2 infrastructure, evading detection and maintaining communication with infected systems.

The two variants of CastleRAT—one written in C and the other in Python (also referred to as PyNightshade)—exhibit differences in functionality. The C variant offers a broader range of capabilities, including:

– Keystroke Logging: Recording user inputs to capture sensitive information.

– Screenshot Capture: Taking images of the user’s screen to monitor activities.

– File Management: Uploading and downloading files to and from the infected system.

– Cryptocurrency Clipping: Replacing cryptocurrency wallet addresses copied to the clipboard with those controlled by the attacker, redirecting funds during transactions.

Both variants query the IP geolocation service ip-api[.]com to collect information based on the infected host’s public IP address. The C variant, however, gathers additional data, including the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or Tor node. Recent updates have removed the city and ZIP code queries, indicating ongoing development and refinement of the malware.
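As an added example (not part of the original report or of any vendor's tooling), the following Python sketch shows how a defender might hunt for the two network behaviours described above, the ip-api[.]com geolocation query and the Steam Community profile lookup used as a dead drop resolver, across constructed proxy log lines. The log format, the benign process allow-lists and the use of ip-api.com's `fields` query parameter are assumptions, since the report does not quote the exact requests the malware sends.

```python
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines (timestamp, host, process, URL); not real telemetry.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z ws-042 chrome.exe http://ip-api.com/json/
2025-09-01T10:00:05Z ws-042 svchost.exe http://ip-api.com/json/?fields=country,city,zip,proxy
2025-09-01T10:00:09Z ws-042 Discord.exe https://steamcommunity.com/profiles/76561190000000000
2025-09-01T10:00:12Z ws-042 steam.exe https://steamcommunity.com/profiles/76561190000000000
2025-09-01T10:01:30Z ws-077 firefox.exe https://example.com/
"""

# Assumed benign process names; tune to the environment's own allow-list.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
STEAM_CLIENTS = {"steam.exe", "steamwebhelper.exe"}
# ip-api.com's documented JSON field for VPN/proxy/Tor exits is "proxy" (assumption:
# the report does not quote the exact query string CastleRAT sends).
ANONYMIZER_FIELDS = {"proxy"}


def classify(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    _ts, host, proc, url = line.split(maxsplit=3)
    parsed = urlparse(url)
    domain = (parsed.hostname or "").lower()
    proc_l = proc.lower()
    if domain == "ip-api.com" and proc_l not in BROWSERS:
        # Geolocation lookup from a non-browser process; both CastleRAT variants do this.
        fields = set(parse_qs(parsed.query).get("fields", [""])[0].split(",")) - {""}
        severity = "high" if fields & ANONYMIZER_FIELDS else "medium"
        return {"host": host, "process": proc, "rule": "ip-api-geolocation",
                "severity": severity, "fields": sorted(fields)}
    if (domain == "steamcommunity.com" and parsed.path.startswith(("/profiles/", "/id/"))
            and proc_l not in BROWSERS | STEAM_CLIENTS):
        # Profile fetch from something that is neither a browser nor the Steam client:
        # consistent with a dead drop resolver retrieving its C2 address.
        return {"host": host, "process": proc, "rule": "steam-profile-dead-drop",
                "severity": "high", "fields": []}
    return None


def scan(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against real proxy or EDR network telemetry, the browser and Steam allow-lists are the main source of false negatives, so pair the rule with process-lineage checks rather than relying on the image name alone.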

eSentire, a Canadian cybersecurity company, has been tracking the Python variant under the name NightshadeC2. Their analysis describes it as a botnet deployed via a .NET loader that employs techniques like User Account Control (UAC) Prompt Bombing to bypass security measures. Some variants have been found with features to extract passwords and cookies from web browsers based on the Chromium and Gecko engines.

The infection process typically involves the following steps:

1. Initial Access: The victim is tricked into downloading a malicious file through phishing emails, fraudulent websites, or compromised software repositories.

2. Execution: Upon execution, the malware establishes communication with the C2 infrastructure, often using techniques like dead drop resolvers to retrieve the actual C2 server addresses.

3. Payload Deployment: The malware downloads and executes additional payloads, which may include information stealers, additional RATs, or other malicious tools.

4. Persistence and Control: The malware implements mechanisms to maintain persistence on the infected system and allows the attacker to execute commands, exfiltrate data, and perform other malicious activities.

The development and deployment of CastleRAT by TAG-150 highlight the evolving nature of cyber threats and the increasing sophistication of malware campaigns. Organizations and individuals must remain vigilant, employing robust cybersecurity measures, regular system updates, and user education to mitigate the risks posed by such advanced threats.