TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations

The threat actor TAG-150 has developed and used CastleLoader and CastleRAT malware to gain initial access, deliver secondary payloads, and conduct espionage activities. These tools leverage phishing and impersonation tactics, employing multi-tiered infrastructure and sophisticated evasion methods. #CastleLoader #CastleRAT #TAG150

Key points

  • TAG-150 has been active since March 2025, mainly deploying CastleLoader and CastleRAT malware.
  • CastleRAT exists in Python and C versions, offering features like remote shell, keystroke logging, and file management.
  • The malware infrastructure includes multiple tiers of command-and-control servers, some hosted on Steam profiles and VPS.
  • Infections are mainly initiated through phishing campaigns using Cloudflare-themed clickjacks and GitHub impersonation.
  • Additional malware families like TinyLoader, TinkyWinkey, and Inf0s3c Stealer have been identified, enhancing the threat actor’s arsenal.

Read More: https://thehackernews.com/2025/09/tag-150-develops-castlerat-in-python.html