A sophisticated new threat actor designated TAG-150 has emerged as a significant cybersecurity concern, demonstrating rapid development capabilities and technical sophistication in deploying a number of self-developed malware families since March 2025.
The group has successfully created and deployed CastleLoader, CastleBot, and their newest creation, CastleRAT, a previously undocumented remote access trojan that represents a concerning evolution of their operational capabilities.
The threat actor primarily initiates infections through Cloudflare-themed “ClickFix” phishing attacks and fraudulent GitHub repositories masquerading as legitimate applications.
Victims are deceived into copying and executing malicious PowerShell commands on their own devices, creating a seemingly user-initiated compromise that bypasses conventional security measures.
Despite limited overall engagement, the campaign achieved a remarkable 28.7% infection rate among victims who interacted with malicious links, demonstrating the effectiveness of their social engineering tactics.
Recorded Future analysts identified an extensive multi-tiered infrastructure supporting TAG-150’s operations, revealing a sophisticated command-and-control architecture spanning four distinct tiers.
The infrastructure consists of victim-facing Tier 1 servers hosting various malware families, intermediate Tier 2 servers accessed via RDP, and higher-level Tier 3 and Tier 4 infrastructure used for operational management and backup purposes.
This complex network design suggests advanced operational security awareness and redundancy planning.
The malware ecosystem deployed by TAG-150 serves as an initial infection vector for delivering secondary payloads including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and numerous information stealers such as Stealc, RedLine Stealer, and Rhadamanthys Stealer.
Multi-tiered infrastructure linked to TAG-150 (Source – Recorded Future)
This diverse payload delivery capability indicates either a Malware-as-a-Service operation or strategic partnerships with other cybercriminal groups.
Advanced Persistence and Evasion Mechanisms
CastleRAT represents the most technically advanced component of TAG-150’s arsenal, available in both Python and C variants with distinct capabilities.
The malware employs a custom binary protocol using RC4 encryption with hard-coded 16-byte keys for its command-and-control communications.
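To triage traffic from a sample that protects its beacons with a hard-coded 16-byte RC4 key, an analyst needs only plain RC4 and a quick way to tell which key candidate recovered from the binary yields readable output. The following is an added example, not code from the article or from TAG-150's tooling: the key, beacon body and plaintext are constructed placeholders, and the "looks like text" heuristic is an assumption about what a decrypted beacon looks like, since the article does not describe the protocol's message format.

```python
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one call both encrypts and decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob: bytes, threshold: float = 0.95) -> bool:
    """Cheap plausibility check (assumed heuristic): nearly every byte is printable."""
    if not blob:
        return False
    printable = set(string.printable.encode())
    return sum(b in printable for b in blob) / len(blob) >= threshold


def find_working_key(candidates, ciphertext: bytes):
    """Try 16-byte candidate keys (the length the report describes) against a
    captured beacon; return (key, plaintext) for the first that yields text."""
    for key in candidates:
        if len(key) != 16:
            continue
        plain = rc4(key, ciphertext)
        if looks_like_text(plain):
            return key, plain
    return None


# Constructed demo values: a placeholder key and beacon, not real CastleRAT artefacts.
DEMO_KEY = b"0123456789abcdef"
DEMO_PLAINTEXT = b'{"cmd":"ping","host":"WS-LAB01","ip":"203.0.113.7"}'
DEMO_BEACON = rc4(DEMO_KEY, DEMO_PLAINTEXT)

if __name__ == "__main__":
    print(find_working_key([b"not-the-key-1234", DEMO_KEY], DEMO_BEACON))
```

The RC4 routine can be checked against the standard published test vector (key "Key", plaintext "Plaintext"), so a wrong decryption points at the key candidates rather than the cipher code.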
Both variants query the geolocation API ip-api.com to obtain location information for the infected host’s public IP address, enabling geographic targeting and operational intelligence gathering.
The C variant demonstrates significantly enhanced functionality, incorporating keylogging capabilities, screen capturing, clipboard monitoring, and sophisticated process injection techniques.
Recent developments include the implementation of C2 dead drops hosted on Steam Community pages, an approach to command-and-control communications that leverages a legitimate gaming platform to evade detection.
The malware maintains persistence through registry modifications and employs browser process masquerading for execution, while the Python variant includes self-deletion capabilities using PowerShell commands.
These evasion techniques, combined with the group’s use of anti-detection services like Kleenscan, demonstrate TAG-150’s commitment to operational longevity and stealth.