Ethical Hacking News
The threat actor behind CastleLoader has developed a new remote access trojan called CastleRAT, which can download next-stage payloads, enable remote shell capabilities, and even delete itself. This development highlights the growing importance of network visibility and monitoring in the fight against MaaS frameworks.
CastleRAT is a remote access trojan (RAT) developed by TAG-150, the threat actor behind the malware-as-a-service framework CastleLoader. That framework gives attackers a platform for delivering a range of payloads, including remote access trojans, information stealers, and other loaders. CastleRAT exists in Python and C variants, with the C variant being the more feature-rich of the two. The malware uses a multi-tiered infrastructure of command-and-control servers to communicate with infected hosts. CastleRAT can download next-stage payloads, enable remote shell capabilities, and even delete itself. Its development highlights the growing importance of network visibility and monitoring in the fight against MaaS frameworks.
The world of cybersecurity is constantly evolving, with new threats emerging on a daily basis. In recent times, one threat actor has caught the attention of experts and researchers alike - TAG-150. The group behind the malware-as-a-service framework and loader called CastleLoader, TAG-150 has now developed a remote access trojan (RAT) known as CastleRAT.
CastleRAT is available in both Python and C variants, with the latter being more feature-rich than its Python counterpart. According to Recorded Future's Insikt Group, the core functionality of CastleRAT consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell. The broader CastleLoader operation exists to give attackers a platform for delivering a range of payloads, including remote access trojans, information stealers, and other loaders.
CastleRAT's development has been tracked since March 2025, with the threat actor leveraging a multi-tiered infrastructure comprising Tier 1 victim-facing command-and-control (C2) servers, Tier 2 and Tier 3 servers that are mostly virtual private servers (VPSes), and Tier 4 backup servers. The malware's communication channels are deliberately layered: CastleRAT uses Steam Community profiles as dead drop resolvers that point infected hosts to its C2 servers.
One of the most notable aspects of CastleRAT is its ability to download next-stage payloads, enable remote shell capabilities, and even delete itself. Furthermore, CastleRAT can query various services, including ip-api[.]com, to collect information based on the infected host's public IP address. However, recent iterations of the C variant have removed querying of the city and ZIP code from ip-api[.]com, indicating active development.
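The two network behaviours described above, a Steam Community profile fetched as a dead drop resolver and a geolocation lookup against ip-api.com, are both visible in web proxy logs. The following is an added detection example written for this article, not code from the page or from Insikt Group; the log format, the process allowlist and the host names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed proxy-log lines (not real telemetry): timestamp, source host, process, URL
SAMPLE_LOG = """\
2025-09-01T10:00:01Z ws01 chrome.exe https://steamcommunity.com/profiles/76561198000000000
2025-09-01T10:00:05Z ws02 svchost.exe https://steamcommunity.com/profiles/76561198000000001
2025-09-01T10:00:07Z ws02 svchost.exe http://ip-api.com/json/?fields=country,city,zip
2025-09-01T10:01:00Z ws03 steam.exe https://steamcommunity.com/id/someuser
2025-09-01T10:02:00Z ws04 updater.exe http://ip-api.com/json/
2025-09-01T10:03:00Z ws05 firefox.exe https://example.com/
"""

# Assumed allowlist: processes that legitimately fetch Steam Community pages in this environment
STEAM_ALLOWED = {"steam.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
STEAM_PROFILE = re.compile(r"^https?://steamcommunity\.com/(profiles|id)/", re.I)
IP_API = re.compile(r"^https?://ip-api\.com/", re.I)

@dataclass
class Finding:
    host: str
    process: str
    rule: str

def parse_line(line: str):
    """Split one constructed log line into its four whitespace-separated fields."""
    ts, host, proc, url = line.split(maxsplit=3)
    return ts, host, proc.lower(), url

def scan(log_text: str) -> List[Finding]:
    """Flag Steam profile fetches by non-allowlisted processes and any ip-api.com lookup."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, host, proc, url = parse_line(line)
        if STEAM_PROFILE.match(url) and proc not in STEAM_ALLOWED:
            findings.append(Finding(host, proc, "steam_profile_dead_drop"))
        if IP_API.match(url):
            findings.append(Finding(host, proc, "ip_api_geolocation"))
    return findings

def hosts_matching_both(findings: List[Finding]) -> List[str]:
    """Hosts showing both behaviours together, the combination this article attributes to CastleRAT."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"steam_profile_dead_drop", "ip_api_geolocation"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)
```

A single ip-api.com lookup is weak on its own (legitimate software uses it too), so the combined rule in `hosts_matching_both` is the one worth alerting on; the allowlist must be tuned to the browsers and clients actually present in the environment.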
The development of CastleRAT is part of a broader trend in malware-as-a-service (MaaS) frameworks. These platforms allow attackers to create, distribute, and manage malware without having to possess advanced programming skills or knowledge of the underlying infrastructure. MaaS frameworks have become increasingly popular among cybercriminals due to their ease of use and flexibility.
In addition to CastleRAT, TAG-150 has also developed other malware loaders, including TinyLoader, which has been used to serve Redline Stealer and DCRat. These malware loaders can establish persistence by modifying Windows Registry settings and spread through USB drives, network shares, and fake shortcuts that trick users into opening them.
The rise of CastleRAT and other MaaS frameworks is a cause for concern among cybersecurity experts. As these platforms become increasingly sophisticated, they pose significant challenges to traditional security measures. Furthermore, the use of Steam Community profiles as dead drop resolvers by CastleRAT highlights the growing importance of maintaining robust network visibility and monitoring capabilities.
In conclusion, the development of CastleRAT represents a significant milestone in the evolution of MaaS frameworks. As these platforms continue to advance, it is essential for cybersecurity experts and organizations to stay vigilant and adapt their security measures accordingly.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Growing-Menace-of-CastleRAT-A-Comprehensive-Analysis-of-TAG-150s-Latest-Malware-Development-ehn.shtml
https://thehackernews.com/2025/09/tag-150-develops-castlerat-in-python.html
https://cyberwebspider.com/blog/the-hacker-news/tag-150-develops-castlerat-in-python-and-c-expanding-castleloader-malware-operations/
Published: Fri Sep 5 11:15:32 2025 by llama3.2 3B Q4_K_M