Insikt Group identified a new threat actor, TAG-150, active since at least March 2025, that operates a large multi-tiered infrastructure and has developed multiple malware families, including CastleLoader, CastleBot, and the newly documented CastleRAT. The actor relies on victim-facing C2 servers and on file-sharing and anti-detection services (for example Kleenscan and temp[.]sh), and uses techniques such as Cloudflare-themed phishing and fraudulent GitHub repositories to deliver payloads. #TAG-150 #CastleRAT
Key points
- TAG-150 has operated since at least March 2025 and runs a large, evolving multi-tiered infrastructure (Tier 1–4) supporting C2 servers and admin panels for multiple malware families.
- Insikt Group documented a new remote access trojan, CastleRAT, available in Python and C variants with capabilities such as system info collection, remote shell, download-and-execute, and advanced stealing (C variant).
- Initial infections commonly used Cloudflare-themed “ClickFix” phishing and fraudulent GitHub repositories that trick victims into running malicious PowerShell commands, with an observed 28.7% infection rate among interacting users.
- TAG-150’s infrastructure hosts many CastleLoader C2 servers and panels (often on ports 80, 5050, 9999) and has been used to deliver numerous secondary payloads including information stealers and other RATs.
- The group leverages third-party services and tooling such as Kleenscan (anti-detection), temp[.]sh, mega[.]nz, Oxen, and Steam Community pages for C2 dead drops, indicating operational adaptability.
- Insikt Group observed potential links to Play Ransomware activity via WarmCookie and CastleLoader overlap, but the relationship remains unconfirmed.
- Defensive recommendations include blocking known IPs/domains, flagging unusual use of legitimate internet services (LIS) such as Pastebin, deploying Sigma/YARA/Snort rules, email filtering, and monitoring data exfiltration with Recorded Future intelligence.
MITRE Techniques
- [T1566] Phishing – TAG-150 used Cloudflare-themed “ClickFix” phishing domains that impersonate services to convince victims to execute malicious PowerShell commands (“victims are tricked into copying and executing malicious PowerShell commands on their own devices”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Initial compromise and payload execution relied on victims running malicious PowerShell commands delivered via phishing or fake repositories (“victims are tricked into copying and executing malicious PowerShell commands on their own devices”).
- [T1105] Ingress Tool Transfer – CastleRAT and CastleLoader download and execute additional payloads and executables from payload servers and delivery domains (“Download and execution of executables”).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and dead drops use HTTP/HTTPS and WebSockets for command-and-control and dead-drop resolution (CastleRAT encapsulates a binary protocol within WebSockets; C2 servers are exposed on ports 80 and 443).
- [T1090] Proxy (via Tox/Oxen) – TAG-150 leveraged privacy/overlay networks and messaging infrastructure such as Oxen and Tox for internal communications (“leveraging the Oxen network (formerly Lokinet)” and “communicating regularly with Tox servers via UDP port 33445”).
- [T1505] Server Software Component: Abuse of Third-Party Services – Use of Steam Community pages for C2 dead drops and of file-sharing/hosting services (temp[.]sh, mega[.]nz, Pastebin) to host or resolve C2 artifacts (“C2 deaddrops hosted on Steam Community pages” and use of temp[.]sh, mega[.]nz, and a Pastebin raw URL).
- [T1112] Modify Registry and [T1053] Scheduled Task/Job (persistence) – The CastleRAT C variant registers and unregisters persistence mechanisms (listed capabilities include “Register and un-register persistence”).
- [T1056.001] Input Capture: Keylogging – The CastleRAT C variant includes keylogging functionality (“C variant … includes more advanced stealing capabilities, such as keylogging”).
- [T1113] Screen Capture – The CastleRAT C variant captures screens (“C variant … includes more advanced stealing capabilities, such as … screen capturing”).
- [T1078] Valid Accounts – TAG-150 accessed Tier 2 VPS servers via RDP (port 3389), indicating use of remote access credentials or services to move between infrastructure layers (“TAG-150 was observed accessing Tier 2 servers via RDP port 3389”).
Indicators of Compromise
- [IP Address] CastleLoader C2 and related infrastructure – 62[.]60[.]226[.]73, 107[.]158[.]128[.]45 (and many others listed in Appendix A)
- [Domain] CastleLoader payload/Panel domains – sftp[.]sagargolf[.]com, panelv1[.]hostingzealoft[.]today
- [IP Address] CastleRAT C2 servers – 34[.]72[.]90[.]40, 94[.]141[.]122[.]164
- [Domain/URL] CastleRAT dead drops (Steam) – steamcommunity[.]com/id/tfy5d6gohu8tgy687r7, steamcommunity[.]com/id/krouvhsin34287f7h3
- [File Hash – SHA256] CastleLoader samples – 8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856, e6aab1b6a150ee3cbc721ac2575c57309f307f69cd1b478d494c25cde0baaf85 (and 13 more hashes)
- [File Hash – SHA256] CastleRAT Python samples – 94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a, 4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395
- [File Hash – SHA256] CastleRAT C samples – 0fd7eb57f5f9d817dd497c1ce3be0791f5e798077f8dc2c3a4e2b2b0b0bdc2c6, f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be (and many more)
- [Domain/URL] Pastebin delivery – https://pastebin[.]com/raw/2wW91Tby – used by CastleLoader as a payload or configuration hosting location
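The defensive recommendations above (blocking the listed IPs/domains, watching the unusual panel ports, and flagging legitimate-internet-service fetches such as Pastebin raw URLs) can be turned into a first-pass log sweep. The following is an added example and not code from the Insikt Group report; the indicator values are copied from the list above, while the log line format and the sample lines (including the TEST-NET address 198.51.100.20 and the Pastebin path AbCdEfGh) are constructed for illustration.

```python
"""Sweep proxy/firewall log lines for the TAG-150 indicators listed above.

Added defender-side example. The indicator values come from the summary;
the log format and the sample log lines are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators quoted from the summary, kept in their defanged form.
DEFANGED_IPS = [
    "62[.]60[.]226[.]73", "107[.]158[.]128[.]45",   # CastleLoader C2
    "34[.]72[.]90[.]40", "94[.]141[.]122[.]164",    # CastleRAT C2
]
DEFANGED_DOMAINS = ["sftp[.]sagargolf[.]com", "panelv1[.]hostingzealoft[.]today"]
DEFANGED_URLS = [
    "steamcommunity[.]com/id/tfy5d6gohu8tgy687r7",  # CastleRAT dead drops
    "steamcommunity[.]com/id/krouvhsin34287f7h3",
    "pastebin[.]com/raw/2wW91Tby",                  # CastleLoader Pastebin delivery
]
# CastleLoader panels were often seen on ports 80, 5050 and 9999; 80 is too
# common to alert on alone, so only the two uncommon ports are flagged here.
SUSPECT_PORTS = {5050, 9999}


def refang(ioc: str) -> str:
    """Turn the report's defanged notation back into a matchable string."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_URLS = [refang(u) for u in DEFANGED_URLS]

# Constructed log format (assumption): "<ts> src=<ip> dst=<host-or-ip>:<port> [url=<url>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)(?: url=(?P<url>\S+))?$"
)


@dataclass
class Hit:
    ts: str
    src: str
    severity: str   # "high" = exact IoC match, "medium"/"low" = needs review
    reason: str


def scan_line(line: str) -> list[Hit]:
    """Return every indicator that a single log line matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    ts, src, dst, port = m["ts"], m["src"], m["dst"], int(m["port"])
    url = m["url"] or ""
    hits: list[Hit] = []
    if dst in IOC_IPS:
        hits.append(Hit(ts, src, "high", f"known C2 IP {dst}"))
    if dst in IOC_DOMAINS:
        hits.append(Hit(ts, src, "high", f"known C2 domain {dst}"))
    for ioc_url in IOC_URLS:
        if ioc_url in url:
            hits.append(Hit(ts, src, "high", f"known dead-drop/delivery URL {ioc_url}"))
    # Lower-confidence signals: an uncommon panel port to any host, and any
    # Pastebin raw fetch (a legitimate internet service the summary says to flag).
    if port in SUSPECT_PORTS and dst not in IOC_IPS:
        hits.append(Hit(ts, src, "medium", f"connection to uncommon CastleLoader panel port {port}"))
    if "pastebin.com/raw/" in url and not any(u in url for u in IOC_URLS):
        hits.append(Hit(ts, src, "low", "raw Pastebin fetch (review LIS usage)"))
    return hits


def scan_log(text: str) -> list[Hit]:
    """Scan a whole log (one entry per line) and collect hits in order."""
    return [h for line in text.splitlines() if line.strip() for h in scan_line(line)]


# Constructed sample log: one clean line, plus one line per signal class.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z src=10.0.0.5 dst=34.72.90.40:443
2025-06-01T10:00:02Z src=10.0.0.7 dst=example.com:443 url=https://example.com/
2025-06-01T10:00:03Z src=10.0.0.9 dst=steamcommunity.com:443 url=https://steamcommunity.com/id/tfy5d6gohu8tgy687r7
2025-06-01T10:00:04Z src=10.0.0.5 dst=198.51.100.20:9999
2025-06-01T10:00:05Z src=10.0.0.11 dst=pastebin.com:443 url=https://pastebin.com/raw/AbCdEfGh
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} [{hit.severity}] {hit.reason}")
```

The exact-match rules are the ones worth blocking on; the port and Pastebin rules exist only to surface hosts for review, since port 9999 or a raw Pastebin fetch on its own is not proof of compromise. In a real deployment the indicator lists would be loaded from the report's Appendix A rather than hard-coded.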
Read more: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations