TAG-150 has been deploying CastleLoader, CastleBot, and a newly identified CastleRAT (Python and C variants) since March 2025 using a multi-tiered infrastructure and phishing lures like Cloudflare-themed “ClickFix” and fake GitHub repositories. CastleRAT provides reconnaissance, command execution, and advanced capabilities (keylogging, screen capture) while leveraging services such as Kleenscan, temp.sh, and Steam Community for anti-detection and C2 operations. #CastleRAT #CastleLoader
Keypoints
- TAG-150 operates a multi-tiered infrastructure (Tier 1 victim-facing C2s and higher-tier management/backup servers) supporting CastleLoader, CastleBot, and CastleRAT.
- CastleRAT exists in Python (PyNightshade) and C variants; Python focuses on lightweight reconnaissance and command execution, C adds keylogging and screen capture.
- Initial access commonly achieved via Cloudflare-themed “ClickFix” phishing and fraudulent GitHub repositories delivering malicious PowerShell commands, with a reported 28.7% infection rate among engaged victims.
- CastleLoader acts as an initial loader delivering secondary payloads such as SectopRAT, WarmCookie, and multiple infostealers.
- Infrastructure details: Tier 1 C2s hosted by providers like FEMO IT SOLUTIONS LIMITED and Eonix Corporation; domains via NameCheap and TUCOWS; ports include 80, 443, 5050, 7777, 9999, and 33336.
- TAG-150 uses third-party services (Kleenscan, temp.sh, Steam Community) for anti-detection, file sharing, and C2 dead drops, indicating operational adaptability.
- Possible, but unconfirmed, connections to Play Ransomware via WarmCookie C2 overlap; PolySwarm flags CastleRAT as an emerging threat.
MITRE Techniques
- [T1566] Phishing – Used Cloudflare-themed “ClickFix” phishing and fraudulent GitHub repositories to trick users into executing malicious PowerShell commands: ‘Cloudflare-themed “ClickFix” attacks and fraudulent GitHub repositories posing as legitimate software.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Malicious PowerShell commands were executed as part of the initial lure to deploy payloads: ‘trick users into executing malicious PowerShell commands.’
- [T1105] Ingress Tool Transfer – CastleLoader delivers secondary payloads (SectopRAT, WarmCookie, infostealers) to infected hosts: ‘CastleLoader, a key initial vector, delivers secondary payloads like SectopRAT, WarmCookie, and various infostealers.’
- [T1027.002] Obfuscated Files or Information: Encryption – CastleRAT variants use RC4 encryption with hard-coded 16-byte keys to protect communications or payloads: ‘Both variants use RC4 encryption with hard-coded 16-byte keys.’
- [T1016] System Network Configuration Discovery – CastleRAT queries ip-api.com geolocation service to gather victim data: ‘query the ip-api.com geolocation service to gather victim data.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 servers communicate over common web ports (80, 443) and other ports for C2 operations: ‘CastleLoader C2 servers typically operate on port 80… CastleRAT servers use ports 443, 7777, and 33336.’
- [T1090] Proxy – Use of third-party services (temp.sh, Steam Community) as dead drops or file-sharing channels to obfuscate C2 and evade detection: ‘temp.sh for file sharing, and Steam Community for C2 dead drops.’
Indicators of Compromise
- [File Hash] CastleRAT and related samples reported by PolySwarm – 5a741df3e4a61b8632f62109a65afc0f297f4ed03cd7e208ffd2ea5e2badf318, 3dd877835c04fde3f2d14ce96f23a1c00002fefa9d731e8c4ce3b656aac90063, and 12 more hashes.
- [Domain / Service] Infrastructure and hosting contexts – Domains registered via NameCheap and TUCOWS; use of services like temp.sh and Steam Community for C2/file sharing.
- [Hosting Provider / ASN] C2 hosting and networking – Tier 1 C2s hosted by FEMO IT SOLUTIONS LIMITED and Eonix Corporation; a Russian residential IP linked to AS35807 communicating with Tox servers.
- [Network Port] C2 communication ports – CastleLoader C2s on port 80 (admin panels on 5050 or 9999); CastleRAT C2s on 443, 7777, and 33336.
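The indicators above (PowerShell-launched lure, ip-api.com geolocation lookup, temp.sh / Steam Community dead drops, C2 on 7777 or 33336) can be combined into a per-host triage score so that a single noisy match is not an alert on its own. The following is an added example written for this summary, not PolySwarm's code; the log line format, host names and the 203.0.113.7 address are constructed, and the scoring weights are an assumption.

```python
"""Per-host triage of constructed connection events against the TAG-150 /
CastleRAT indicators on this page. Example code, not PolySwarm's."""
from collections import defaultdict

# Indicators from the page; ports 80/443 alone are too common to score.
CASTLERAT_HIGH_PORTS = {7777, 33336}
DEAD_DROP_DOMAINS = {"temp.sh", "steamcommunity.com"}
GEOIP_DOMAIN = "ip-api.com"
# Assumption: browser traffic to Steam/temp.sh is ordinary user activity.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log lines: "<timestamp> <host> <process> <destination>:<port>"
SAMPLE_LOG = [
    "2025-03-10T09:00:01 ws-42 powershell.exe github.com:443",
    "2025-03-10T09:00:05 ws-42 python.exe ip-api.com:80",
    "2025-03-10T09:00:09 ws-42 python.exe temp.sh:443",
    "2025-03-10T09:00:12 ws-42 python.exe 203.0.113.7:7777",
    "2025-03-10T09:01:00 ws-07 chrome.exe steamcommunity.com:443",
    "2025-03-10T09:02:00 ws-07 outlook.exe outlook.office.com:443",
]

def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, host, proc, dest = line.split()
    domain, port = dest.rsplit(":", 1)
    return {"ts": ts, "host": host, "proc": proc.lower(),
            "domain": domain.lower(), "port": int(port)}

def score_host(events):
    """Return (score, reasons) for one host, walking events in time order."""
    score, reasons, saw_powershell = 0, [], False
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["proc"].startswith("powershell"):
            saw_powershell = True          # ClickFix lure runs PowerShell
        if ev["domain"] == GEOIP_DOMAIN and saw_powershell:
            score += 2; reasons.append("powershell -> ip-api.com geolocation")
        if ev["domain"] in DEAD_DROP_DOMAINS and ev["proc"] not in BROWSERS:
            score += 2; reasons.append(f"non-browser dead drop: {ev['domain']}")
        if ev["port"] in CASTLERAT_HIGH_PORTS:
            score += 3; reasons.append(f"CastleRAT C2 port {ev['port']}")
    return score, reasons

def triage(lines):
    """Group events by host and score each; higher means more indicators chained."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)
    return {host: score_host(evs) for host, evs in by_host.items()}
```

Running `triage(SAMPLE_LOG)` scores ws-42 as 7 with three chained reasons, while ws-07 (browser visit to Steam) scores 0.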
Read more: https://blog.polyswarm.io/castlerat