
TAG-150 Expands Operations with CastleRAT in Python and C

📰 2 unique sources, 2 articles

Summary


The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.

Timeline

  1. 05.09.2025 17:07 📰 2 articles

    TAG-150 Develops CastleRAT in Python and C

    TAG-150, the threat actor behind CastleLoader, has developed a new remote access trojan named CastleRAT, available in both Python and C variants; the C variant adds functionality such as keylogging and cryptocurrency clipping. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods, and it uses Steam Community profiles as dead drop resolvers for C2 servers. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The article provides detailed insights into TAG-150's operations, including the development and distribution of CastleRAT, the group's targeting of critical infrastructure, its use of multiple commercial infostealers and backdoors, and the link to a Play Ransomware attack. It also discusses the differences between the C and Python variants of CastleRAT and the group's likely future activities, including the development and release of additional malware. The article reveals that TAG-150 has been active since at least March 2025, using CastleLoader in over 1,600 attacks with a 28.7% success rate, and distributing secondary payloads such as RedLine, StealC, DeerStealer, HijackLoader, MonsterV2, SectopRAT, WarmCookie, and NetSupport.
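The one implementation detail the reporting gives about CastleRAT is that it uses Steam Community profiles as dead drop resolvers, so a defender's first question is how such lookups would surface in telemetry. The following is an added example, not code from the page or from any vendor: a small hunt over web proxy logs that flags fetches of Steam Community profile pages made by processes other than the Steam client or a browser, or with a non-browser user agent. The log layout (timestamp, client IP, process name, quoted user agent, URL), the sample lines, the list of expected processes and the user-agent hints are all constructed assumptions; adapt them to the fields your proxy or EDR actually records.

```python
"""Hunt for dead-drop-resolver style lookups of Steam Community profiles.

Added example, not from the article or from any security vendor. The log
format, the sample lines, the process allow-list and the user-agent hints
are constructed assumptions for illustration only.
"""
import re
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp, client IP, process, "user agent", URL.
# Steam IDs are placeholders and do not refer to real accounts.
SAMPLE_LOG = """\
2025-09-05T10:01:02Z 10.0.0.12 chrome.exe "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0" https://steamcommunity.com/id/someuser
2025-09-05T10:01:09Z 10.0.0.12 steam.exe "Valve/Steam HTTP Client 1.0" https://steamcommunity.com/profiles/76561198000000000
2025-09-05T10:02:15Z 10.0.0.31 python.exe "python-requests/2.32.3" https://steamcommunity.com/profiles/76561198000000001
2025-09-05T10:02:16Z 10.0.0.31 python.exe "python-requests/2.32.3" https://api.example.org/health
2025-09-05T10:03:40Z 10.0.0.44 svchost.exe "Mozilla/4.0 (compatible; MSIE 6.0)" https://steamcommunity.com/id/another-user/
"""

# One log line: five space-separated fields, user agent in double quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$'
)
# Profile pages live under /profiles/<id> or /id/<vanity-name>.
PROFILE_PATH_RE = re.compile(r"^/(profiles|id)/[^/]+/?$")
# Processes for which a profile-page fetch is normal (assumption; tune per fleet).
EXPECTED_PROCESSES = {
    "steam.exe", "steamwebhelper.exe", "chrome.exe", "firefox.exe", "msedge.exe",
}
# Substrings a browser or the Steam client is assumed to put in its user agent.
KNOWN_UA_HINT = re.compile(r"(Mozilla/5\.0|Valve/Steam)")


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    entry = match.groupdict()
    entry["url"] = urlparse(entry["url"])
    return entry


def is_profile_lookup(url):
    """True when the request targets a Steam Community profile page."""
    return url.hostname == "steamcommunity.com" and PROFILE_PATH_RE.match(url.path) is not None


def classify(entry):
    """Return the reasons a profile lookup looks unlike normal Steam/browser use."""
    reasons = []
    if entry["proc"].lower() not in EXPECTED_PROCESSES:
        reasons.append(f"unexpected process {entry['proc']}")
    if not KNOWN_UA_HINT.search(entry["ua"]):
        reasons.append(f"non-browser user agent {entry['ua']!r}")
    return reasons


def find_suspicious(log_text):
    """Scan a whole log and return the profile lookups worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_profile_lookup(entry["url"]):
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({
                "timestamp": entry["ts"],
                "client": entry["client"],
                "process": entry["proc"],
                "url": entry["url"].geturl(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} {hit['process']} {hit['url']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On the constructed sample the browser and Steam client fetches pass, while the `python.exe` and `svchost.exe` lookups are reported with two reasons each. Expect false positives from legitimate scripts and monitoring tools that fetch Steam pages; the value of the check is in joining the hit with process ancestry and follow-on outbound connections, since a dead drop lookup is only the first step before the real C2 contact.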



Similar Happenings

ChillyHell macOS Backdoor Resurfaces with New Capabilities

The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures. A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.

APT28 deploys NotDoor backdoor via Microsoft Outlook

APT28, a Russian state-sponsored threat group, has been using a new backdoor malware called NotDoor to target Microsoft Outlook. The malware exploits Outlook as a covert communication, data exfiltration, and malware delivery channel. NotDoor is a VBA macro that monitors incoming emails for specific trigger words. When triggered, it allows attackers to exfiltrate data, upload files, and execute commands on the victim's computer. The malware is delivered via a legitimate signed binary, Microsoft's OneDrive.exe, vulnerable to DLL sideloading. The backdoor was identified by researchers from Lab52, the threat intelligence arm of Spanish cybersecurity firm S2 Grupo. The malware has been deployed against companies in NATO member countries, using advanced techniques to evade detection and maintain persistence. NotDoor supports multiple commands for data exfiltration and file uploads, and uses Base64-encoded PowerShell commands for various operations. The malware creates a staging folder in the %TEMP% directory to store and exfiltrate files, encoding them with custom encryption before sending via email. APT28's attacks involve the abuse of Microsoft Dev Tunnels for C2 infrastructure, providing stealth and rapid infrastructure rotation. The attack chain includes the use of bogus Cloudflare Workers domains to distribute additional payloads, demonstrating a high level of specialized design and obfuscation.

Lazarus Group Deploys PondRAT, ThemeForestRAT, and RemotePE in DeFi Sector Attack

The North Korea-linked Lazarus Group targeted a decentralized finance (DeFi) organization in 2024 using a social engineering campaign that deployed three distinct malware families: PondRAT, ThemeForestRAT, and RemotePE. The attack began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The attackers used various tools for discovery, credential harvesting, and proxy connections. The attack progressed through multiple stages, employing different remote access trojans (RATs) to maintain stealth and control. The initial compromise involved the deployment of PondRAT, a simplified variant of POOLRAT, which facilitated further infiltration. ThemeForestRAT was used for more advanced tasks, and RemotePE, a sophisticated RAT, was deployed for high-value targets. The attack showcased the group's evolving tactics and the use of multiple malware families to achieve their objectives.

ScarCruft's RokRAT Malware Campaign Targeting South Korean Academics

ScarCruft (APT37) has launched a phishing campaign, dubbed Operation HanKook Phantom, targeting South Korean academics and researchers. The campaign uses RokRAT malware to steal sensitive information and conduct espionage. The attacks involve spear-phishing emails with malicious ZIP attachments that drop RokRAT onto compromised systems. The malware exfiltrates data via cloud services. The campaign specifically targets individuals associated with the National Intelligence Research Association, including academics, former government officials, and researchers. The attacks aim to steal sensitive information, establish persistence, or conduct espionage. The malware is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads.

Espionage campaign targets Eastern Asia via hijacked Sogou Zhuyin update server

An espionage campaign has been targeting users in Eastern Asia by exploiting an abandoned Sogou Zhuyin update server. The attackers, identified as TAOTH, have been distributing multiple malware families, including C6DOOR and GTELAM, to gather sensitive information from high-value targets such as dissidents, journalists, and technology leaders. The campaign began in October 2024 and has primarily affected users in Taiwan, Cambodia, and the U.S. The attackers hijacked the lapsed domain associated with Sogou Zhuyin, a discontinued input method editor (IME) software, to deliver malicious updates. The malware families deployed include RATs, spyware, and backdoors, which enable remote access, information theft, and backdoor functionality. The attackers also used legitimate cloud services to conceal their activities and exfiltrate data. The infection chain starts with users downloading the official Sogou Zhuyin installer, which triggers a malicious update process. The campaign has been ongoing since June 2025, with several hundred victims impacted. The attackers have been conducting reconnaissance to identify valuable targets and have not yet engaged in further post-exploitation activities on most systems.