CastleRAT_TAG_150_Remote_Access_Trojan


TAG-150 has been deploying CastleLoader, CastleBot, and a newly identified CastleRAT (Python and C variants) since March 2025 using a multi-tiered infrastructure and phishing lures like Cloudflare-themed “ClickFix” and fake GitHub repositories. CastleRAT provides reconnaissance, command execution, and advanced capabilities (keylogging, screen capture) while leveraging services such as Kleenscan, temp.sh, and Steam Community for anti-detection and C2 operations. #CastleRAT #CastleLoader

Keypoints

  • TAG-150 operates a multi-tiered infrastructure (Tier 1 victim-facing C2s and higher-tier management/backup servers) supporting CastleLoader, CastleBot, and CastleRAT.
  • CastleRAT exists in Python (PyNightshade) and C variants; Python focuses on lightweight reconnaissance and command execution, C adds keylogging and screen capture.
  • Initial access commonly achieved via Cloudflare-themed “ClickFix” phishing and fraudulent GitHub repositories delivering malicious PowerShell commands, with a reported 28.7% infection rate among engaged victims.
  • CastleLoader acts as an initial loader delivering secondary payloads such as SectopRAT, WarmCookie, and multiple infostealers.
  • Infrastructure details: Tier 1 C2s hosted by providers like FEMO IT SOLUTIONS LIMITED and Eonix Corporation; domains via NameCheap and TUCOWS; ports include 80, 443, 5050, 7777, 9999, and 33336.
  • TAG-150 uses third-party services (Kleenscan, temp.sh, Steam Community) for anti-detection, file sharing, and C2 dead drops, indicating operational adaptability.
  • Possible, but unconfirmed, connections to Play Ransomware via WarmCookie C2 overlap; PolySwarm flags CastleRAT as an emerging threat.

MITRE Techniques

  • [T1566] Phishing – Used Cloudflare-themed “ClickFix” phishing and fraudulent GitHub repositories to trick users into executing malicious PowerShell commands: ‘Cloudflare-themed “ClickFix” attacks and fraudulent GitHub repositories posing as legitimate software.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Malicious PowerShell commands were executed as part of the initial lure to deploy payloads: ‘trick users into executing malicious PowerShell commands.’
  • [T1105] Ingress Tool Transfer – CastleLoader delivers secondary payloads (SectopRAT, WarmCookie, infostealers) to infected hosts: ‘CastleLoader, a key initial vector, delivers secondary payloads like SectopRAT, WarmCookie, and various infostealers.’
  • [T1027.002] Obfuscated Files or Information: Encryption – CastleRAT variants use RC4 encryption with hard-coded 16-byte keys to protect communications or payloads: ‘Both variants use RC4 encryption with hard-coded 16-byte keys.’
  • [T1016] System Network Configuration Discovery – CastleRAT queries ip-api.com geolocation service to gather victim data: ‘query the ip-api.com geolocation service to gather victim data.’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 servers communicate over common web ports (80, 443) and other ports for C2 operations: ‘CastleLoader C2 servers typically operate on port 80… CastleRAT servers use ports 443, 7777, and 33336.’
  • [T1090] Proxy – Use of third-party services (temp.sh, Steam Community) as dead drops or file-sharing channels to obfuscate C2 and evade detection: ‘temp.sh for file sharing, and Steam Community for C2 dead drops.’
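As an added analyst-side example (not code from the PolySwarm report or from CastleRAT itself), the RC4 routine below lets a responder decode a captured C2 payload once the hard-coded 16-byte key has been recovered from a sample; the key and payload used here are constructed placeholders.

```python
# Added example: minimal RC4 (KSA + PRGA) for decoding captured CastleRAT
# traffic after the hard-coded 16-byte key is pulled from a sample.
# Not the malware's code; the key and ciphertext below are constructed.

def rc4_keystream(key: bytes):
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): infinite keystream
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    # RC4 is symmetric: the same call encrypts and decrypts.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed 16-byte key (placeholder, not a real CastleRAT key).
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def decode_capture(key: bytes, hex_blob: str) -> str:
    """Decrypt a hex-encoded captured payload with the recovered 16-byte key."""
    if len(key) != 16:
        raise ValueError("expected the 16-byte hard-coded key")
    return rc4(key, bytes.fromhex(hex_blob)).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed beacon text, encrypted and decoded to show the round trip.
    wire = rc4(SAMPLE_KEY, b"hostname=WS01;ip=203.0.113.10").hex()
    print(decode_capture(SAMPLE_KEY, wire))
```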

Indicators of Compromise

  • [File Hash] CastleRAT and related samples reported by PolySwarm – 5a741df3e4a61b8632f62109a65afc0f297f4ed03cd7e208ffd2ea5e2badf318, 3dd877835c04fde3f2d14ce96f23a1c00002fefa9d731e8c4ce3b656aac90063, and 12 more hashes.
  • [Domain / Service] Infrastructure and hosting contexts – Domains registered via NameCheap and TUCOWS; use of services like temp.sh and Steam Community for C2/file sharing.
  • [Hosting Provider / ASN] C2 hosting and networking – Tier 1 C2s hosted by FEMO IT SOLUTIONS LIMITED and Eonix Corporation; a Russian residential IP linked to AS35807 communicating with Tox servers.
  • [Network Port] C2 communication ports – CastleLoader C2s on port 80 (admin panels on 5050 or 9999); CastleRAT C2s on 443, 7777, and 33336.


Read more: https://blog.polyswarm.io/castlerat