CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

TAG-150 Expands Operations with CastleRAT, a New Remote Access Trojan

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

TAG-150, a threat actor behind the CastleLoader malware-as-a-service (MaaS) framework, has developed a new remote access trojan (RAT) named CastleRAT. This malware, available in both Python and C variants, is designed to collect system information, execute commands, and download additional payloads. CastleRAT has been in development since March 2025 and is part of a multi-tiered infrastructure used by TAG-150. The malware has been distributed through phishing attacks, fraudulent GitHub repositories, and malicious websites advertising fake software. The C variant of CastleRAT includes advanced features such as keystroke logging, screenshot capture, and cryptocurrency clipper functionality. The Python variant, also known as PyNightshade, is tracked by eSentire as NightshadeC2. Recent iterations of the C variant have removed certain data collection features, indicating ongoing development. CastleRAT is deployed using a .NET loader that employs UAC Prompt Bombing to bypass security protections. The malware has been observed in various campaigns distributing secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various malware families. CastleLoader has been used in over 1,600 attacks, with a 28.7% success rate, targeting critical infrastructure, including U.S. government agencies. CastleLoader has also been linked to a Play Ransomware attack against a French organization. TAG-150 operates with a limited user base, promoting its services within closed circles to avoid detection.

Timeline

  1. 05.09.2025 21:28 πŸ“° 1 articles Β· ⏱ 11d ago

    TAG-150 Distributes CastleLoader in Over 1,600 Attacks

    CastleLoader has been used in over 1,600 attacks, with a 28.7% success rate, targeting critical infrastructure, including U.S. government agencies. CastleLoader has also been linked to a Play Ransomware attack against a French organization. TAG-150 operates with a limited user base, promoting its services within closed circles to avoid detection.

    Show sources
    Open in new tab
  2. 05.09.2025 17:07 πŸ“° 2 articles Β· ⏱ 11d ago

    TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Operations

    TAG-150, a threat actor behind the CastleLoader malware-as-a-service (MaaS) framework, has developed a new remote access trojan (RAT) named CastleRAT. This malware, available in both Python and C variants, is designed to collect system information, execute commands, and download additional payloads. CastleRAT has been in development since March 2025 and is part of a multi-tiered infrastructure used by TAG-150. The malware has been distributed through phishing attacks, fraudulent GitHub repositories, and malicious websites advertising fake software. The C variant of CastleRAT includes advanced features such as keystroke logging, screenshot capture, and cryptocurrency clipper functionality. The Python variant, also known as PyNightshade, is tracked by eSentire as NightshadeC2. Recent iterations of the C variant have removed certain data collection features, indicating ongoing development. CastleRAT is deployed using a .NET loader that employs UAC Prompt Bombing to bypass security protections. The malware has been observed in various campaigns distributing secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various malware families. CastleLoader has been used in over 1,600 attacks, with a 28.7% success rate, targeting critical infrastructure, including U.S. government agencies. CastleLoader has also been linked to a Play Ransomware attack against a French organization. TAG-150 operates with a limited user base, promoting its services within closed circles to avoid detection. The group is likely to develop and release additional malware in the near term and may expand its distribution efforts.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Resurfaced ChillyHell macOS Backdoor Discovered

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

Open in new tab

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

Open in new tab

Phishing campaign using SVG files to deploy Base64-encoded pages

A new malware campaign has been identified using Scalable Vector Graphics (SVG) files to deploy phishing pages. The SVG files, distributed via email, impersonate the Colombian judicial system and execute a JavaScript payload to inject a Base64-encoded HTML phishing page. This page mimics an official government document download process while downloading a ZIP archive in the background. The campaign has been active since at least August 14, 2025, and includes 523 unique SVG files that have evaded antivirus detection. The campaign is part of a broader trend where attackers are targeting macOS users with information stealers like Atomic macOS Stealer (AMOS). This stealer can exfiltrate a wide range of sensitive data, including credentials, browser data, and cryptocurrency wallets. The attackers use cracked software and ClickFix-style tactics to lure users into infecting their systems, bypassing macOS's Gatekeeper protections.

Open in new tab

APT28 Exploits Microsoft Outlook with NotDoor Backdoor Malware

APT28, a Russian state-sponsored threat group, has been using a new backdoor malware called NotDoor to target Microsoft Outlook. NotDoor leverages Outlook as a covert communication, data exfiltration, and malware delivery channel. The malware is deployed via a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The backdoor is triggered by specific strings in incoming emails, allowing attackers to execute commands, exfiltrate data, and upload files. NotDoor illustrates APT28's continued evolution in bypassing established defense mechanisms. The malware has been observed targeting multiple companies from different sectors in NATO member countries. NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives. The malware supports four different commands: cmd, cmdno, dwn, and upl. Files exfiltrated by the malware are saved in the folder, encoded using the malware's custom encryption, sent via email, and then deleted from the system. The attacks are notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms) as C2 domains for added stealth. Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads.

Open in new tab

Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers

Two malicious npm packages, colortoolsv2 and mimelib2, were discovered in July 2025. These packages exploited Ethereum smart contracts to install downloader malware on compromised systems. The packages were part of a broader campaign targeting cryptocurrency developers, leveraging GitHub repositories to distribute the malware. The campaign used social engineering and deception to trick developers into using the malicious packages. The GitHub repositories and accounts involved were part of a distribution-as-service (DaaS) network called Stargazers Ghost Network. The packages were uploaded to npm in July 2025 and were no longer available for download at the time of discovery. The malicious behavior was triggered when the packages were included in other projects, fetching and running a payload from an attacker-controlled server. The campaign targeted cryptocurrency developers and users, using GitHub repositories that claimed to offer automated trading bots.

Open in new tab