TAG-150 Enhances CastleRAT Functionality Using Python and C, Expanding the Capabilities of CastleLoader Malware
The threat actor known as TAG-150 is behind the malware-as-a-service (MaaS) framework and loader called CastleLoader, as well as a remote access trojan (RAT) named CastleRAT. CastleRAT is available in both Python and C variants; its core capabilities are collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell. TAG-150 has been active since at least March 2025, and CastleLoader serves as an initial access vector for various secondary payloads, such as remote access trojans and information stealers. CastleLoader was first documented by Swiss cybersecurity company PRODAFT in July 2025, and it has been used in campaigns distributing malware like DeerStealer, RedLine, and NetSupport RAT. Recent analyses have revealed that CastleLoader also facilitates the distribution of MonsterV2 and WARMCOOKIE through SEO poisoning and fraudulent GitHub repositories.
Infections typically originate from Cloudflare-themed ‘ClickFix’ phishing attacks or fake GitHub repositories that impersonate legitimate applications. TAG-150 employs a multi-tiered infrastructure consisting of victim-facing command-and-control (C2) servers and various virtual private servers (VPSes) for additional support. CastleRAT, a recent addition to TAG-150’s toolkit, can download next-stage payloads, provide a remote shell, and even self-delete. It uses Steam Community profiles as dead drop resolvers that point to its C2 servers. The C variant of CastleRAT offers enhanced functionality, including keystroke logging, screenshot capture, and file management, and also acts as a cryptocurrency clipper that redirects transactions. Both variants query the widely abused IP geolocation service ip-api.com to gather extensive information about the infected host’s public IP address, including city, ZIP code, and whether the IP is associated with a VPN, proxy, or Tor.
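As an added illustration of how a defender might hunt for the two network behaviours described above (this is not code from the article, from TAG-150, or from the malware), the following Python scans constructed web-proxy log lines for ip-api.com lookups and Steam Community profile fetches issued by processes that are not browsers or the Steam client, and reports hosts showing both. The log format, host names, process names, and the profile identifier are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry). Format assumed here:
# "<timestamp> <src_host> <process> <method> <url> <status>"
SAMPLE_LOG = """\
2025-09-01T10:00:01Z WS-014 chrome.exe GET https://steamcommunity.com/app/440 200
2025-09-01T10:02:11Z WS-014 chrome.exe GET https://www.example.com/ 200
2025-09-01T10:05:03Z WS-022 svchost.exe GET https://steamcommunity.com/profiles/00000000000000000 200
2025-09-01T10:05:05Z WS-022 svchost.exe GET http://ip-api.com/json/?fields=city,zip,proxy 200
2025-09-01T10:07:30Z WS-031 firefox.exe GET http://ip-api.com/json/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)
# Steam profile pages live under /profiles/<id> or /id/<vanity name>.
STEAM_PROFILE_RE = re.compile(r"^/(profiles|id)/[^/]+/?$")
# Processes for which these requests are expected (assumed allow-list).
EXPECTED_CALLERS = {"chrome.exe", "firefox.exe", "msedge.exe", "steam.exe"}


def classify(url: str) -> Optional[str]:
    """Return which article-described behaviour a URL matches, if any."""
    u = urlparse(url)
    if u.hostname == "ip-api.com":
        return "geo_lookup"
    if u.hostname == "steamcommunity.com" and STEAM_PROFILE_RE.match(u.path):
        return "steam_profile"
    return None


def find_suspect_hosts(log_text: str) -> Dict[str, Set[str]]:
    """Map source host -> behaviours seen from an unexpected process.

    Only hosts that show both a geolocation lookup and a Steam profile
    fetch from a non-allow-listed process are returned, which keeps a
    lone browser visit to either site from firing."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m["url"])
        if kind and m["proc"].lower() not in EXPECTED_CALLERS:
            seen[m["host"]].add(kind)
    return {h: k for h, k in seen.items() if {"geo_lookup", "steam_profile"} <= k}
```

The allow-list and correlation rule are deliberately simple; in production the same logic would be fed by proxy or EDR telemetry and tuned against the organisation's own baseline of which processes legitimately reach these services.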
Categories: Malware-as-a-Service, Remote Access Trojans, Phishing Attacks
Tags: CastleLoader, CastleRAT, Malware-as-a-Service, Remote Access Trojan, Phishing Attacks, Command-and-Control, Information Stealers, Cybersecurity, Payloads, Keystroke Logging