CastleRAT

Written by The Hivemind | Sep 15, 2025 6:37:49 PM

Verticals Targeted: Not specified
Regions Targeted: US
Related Families: CastleLoader

Executive Summary

TAG-150 is a sophisticated threat actor that has been deploying CastleLoader, CastleBot, and the newly identified CastleRAT since March 2025, leveraging a multi-tiered infrastructure and advanced phishing tactics. The sophistication of their malware and operations emphasizes the need for robust detection and mitigation strategies to counter their evolving malware ecosystem.

Key Takeaways

TAG-150 operates a complex, multi-tiered infrastructure supporting malware like CastleLoader, CastleBot, and CastleRAT, with victim-facing Tier 1 C2 servers and higher-tier backup systems.
CastleRAT, available in Python and C variants, is a versatile remote access trojan capable of system reconnaissance, payload execution, and command execution via CMD and PowerShell.
TAG-150 employs Cloudflare-themed “ClickFix” phishing and fraudulent GitHub repositories, achieving a 28.7% infection rate among engaged victims.
The group leverages services like Kleenscan, temp.sh, and Steam Community for anti-detection and C2 operations, indicating high operational adaptability.

What is CastleRAT?

Since March 2025, the threat actor tracked as TAG-150 has demonstrated significant technical sophistication, rapidly evolving its malware and infrastructure to target systems, primarily in the United States. Insikt Group’s analysis reveals a multi-tiered infrastructure, including victim-facing Tier 1 command-and-control (C2) servers and higher-tier systems (Tiers 2–4) likely used for management and backup. This infrastructure supports a range of malware, including CastleLoader, CastleBot, and the newly documented CastleRAT, a remote access trojan (RAT) with Python and C variants.

TAG-150’s operations often begin with phishing campaigns, notably Cloudflare-themed “ClickFix” attacks and fraudulent GitHub repositories posing as legitimate software. These lures trick users into executing malicious PowerShell commands, achieving a 28.7% infection rate among those interacting with the malicious links. CastleLoader, a key initial vector, delivers secondary payloads like SectopRAT, WarmCookie, and various infostealers. The newly identified CastleRAT enhances TAG-150’s capabilities, with the Python variant (also known as PyNightshade) focusing on lightweight functionality, such as system information collection and command execution, while the C variant adds advanced features like keylogging and screen capturing. Both variants use RC4 encryption with hard-coded 16-byte keys and query the ip-api.com geolocation service to gather victim data.

The infrastructure is extensive, with Tier 1 C2 servers hosted by providers like FEMO IT SOLUTIONS LIMITED and Eonix Corporation, using domains registered via NameCheap and TUCOWS. CastleLoader C2 servers typically operate on port 80, with admin panels on port 5050 or 9999, while CastleRAT servers use ports 443, 7777, and 33336. Higher-tier servers (Tiers 2–4) facilitate management, with some direct connections bypassing intermediate layers, suggesting operational flexibility or multiple operators. A Russian residential IP, linked to AS35807, communicates with Tox servers, indicating internal coordination via secure messaging.

TAG-150’s ecosystem includes services like Kleenscan for anti-detection, temp.sh for file sharing, and Steam Community for C2 dead drops, showcasing adaptability to evade detection. A potential link to Play Ransomware was noted, with a WarmCookie C2 server tied to a known ransomware victim, though no definitive connection has been established. PolySwarm analysts consider CastleRAT to be an emerging threat.