Hackers Using CastleRAT Malware to Attack Windows Systems and Gain Remote Access

The cybersecurity landscape continues to evolve as threat actors deploy increasingly sophisticated tools to compromise Windows-based infrastructure.

CastleRAT, a Remote Access Trojan that emerged around March 2025, represents a significant addition to the malware arsenal that defenders must now contend with.

This newly discovered threat demonstrates the convergence of multiple attack techniques, enabling attackers to establish persistent control over compromised systems while remaining largely undetected.

CastleRAT exists in two distinct variants that reflect different development philosophies and operational priorities.

The Python version offers a lightweight, relatively transparent implementation that analysts can dissect more readily, making it useful for understanding the malware’s core logic and capabilities.

Conversely, the compiled C version prioritizes sophistication and stealth, incorporating additional features that make detection and analysis considerably more challenging.

Both variants maintain identical foundational objectives: establishing remote access, harvesting sensitive data, and maintaining persistence on infected systems.

The malware’s command-and-control communications rely on a deceptively simple but effective encryption mechanism.

CastleRAT employs the RC4 stream cipher with a hardcoded key, enabling seamless encryption and decryption of all traffic flowing between the infected host and the attacker’s infrastructure.
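The practical consequence of a hardcoded RC4 key is that anyone holding the key, including an analyst who pulls it from the binary, can decrypt every message the implant sends. The following Python is an added example (not code from the article, the researchers, or the malware): a reference RC4 implementation, a self-check against the published "Key"/"Plaintext" test vector, and the analyst-side step of trying key candidates against a captured message. PLACEHOLDER_KEY, the key=value|... beacon layout and the candidate list are constructed for illustration and are not CastleRAT's real values.

```python
# Added example: reference RC4 plus analyst-side decryption of a C2 beacon.
# The key and beacon layout below are constructed placeholders, not values
# taken from CastleRAT samples.
from typing import Dict, Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed byte-wise with data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def self_check() -> bool:
    """Published RC4 test vector: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext") == bytes.fromhex("bbf316e8d940af0ad3")


# Constructed placeholder; the real sample's key is deliberately not used here.
PLACEHOLDER_KEY = b"constructed-placeholder-key"

# Constructed beacon body. The article lists computer name, username, machine
# GUID, public IP and product version as the reconnaissance fields; the
# key=value|... layout is an assumption for illustration only.
SAMPLE_BEACON = (b"computername=WS-0042|username=jdoe|"
                 b"guid=00000000-0000-0000-0000-000000000000|"
                 b"publicip=203.0.113.10|version=1.0")
SAMPLE_CIPHERTEXT = rc4(PLACEHOLDER_KEY, SAMPLE_BEACON)


def parse_beacon(plaintext: bytes) -> Dict[str, str]:
    """Split the constructed key=value|... layout into a dict."""
    fields: Dict[str, str] = {}
    for part in plaintext.decode("utf-8", errors="replace").split("|"):
        if "=" in part:
            name, value = part.split("=", 1)
            fields[name] = value
    return fields


def looks_like_text(buf: bytes) -> bool:
    """Heuristic: the right key yields mostly printable ASCII; a wrong
    RC4 key yields bytes that look uniformly random."""
    printable = sum(1 for b in buf if 32 <= b < 127 or b in b"\r\n\t")
    return len(buf) > 0 and printable >= 0.95 * len(buf)


def recover_key(candidates: Iterable[bytes], ciphertext: bytes) -> Optional[bytes]:
    """Try key candidates (for example, strings extracted from the binary)
    against a captured C2 message. Because the key is hardcoded, one
    candidate decrypts every message, not just this one."""
    for cand in candidates:
        if cand and looks_like_text(rc4(cand, ciphertext)):
            return cand
    return None


if __name__ == "__main__":
    assert self_check()
    # Constructed candidate list standing in for strings pulled from a sample.
    key = recover_key([b"kernel32.dll", b"wrong-key", PLACEHOLDER_KEY], SAMPLE_CIPHERTEXT)
    print("recovered key:", key)
    print(parse_beacon(rc4(key, SAMPLE_CIPHERTEXT)))
```

The printable-text heuristic is what makes this a one-pass job for an analyst: with a static key there is no per-session secret to recover, so a single decrypted message validates the key for the whole capture.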

Figure: CastleRAT beacon and C2 communication flow.

Upon initial contact, the malware performs extensive system reconnaissance, collecting computer names, usernames, machine GUIDs, public IP addresses, and product version information, all of which are transmitted to the command-and-control server.

CastleRAT Malware

CastleRAT’s sophistication emerges from its ability to orchestrate multiple concurrent malicious operations through a multithreaded architecture.

Each execution thread handles specific attack objectives, creating a distributed payload that operates with considerable autonomy within the compromised process space.

This design pattern enables the malware to perform its various functions simultaneously without triggering the security alerts that might arise from more linear attack sequences.

The malware demonstrates an aggressive appetite for sensitive data across multiple channels. Clipboard scraping extracts information that users frequently copy and paste, including credentials, cryptocurrency addresses, and authentication tokens.

Rather than relying on conventional network exfiltration, CastleRAT employs a sophisticated clipboard hijacking technique that simulates paste operations into benign-appearing applications like browsers or chat clients.

This method dramatically reduces network artifacts and blends malicious activity into ordinary user behavior, complicating both real-time detection and forensic analysis.

Screen capture capabilities allow the malware to photograph active desktop content at regular intervals, harvesting sensitive information displayed within user sessions.

Figure: CastleRAT keylog exfiltration.

Keylogging captures every keystroke, encrypting the captured data with the RC4 key before transmitting it to the command-and-control server.

Media capture enumeration identifies webcams and microphones present on the system, enabling audio and video surveillance when the attacker determines such capabilities exist.

Command Execution and Persistence

CastleRAT provides attackers with a remote shell on compromised machines, but implements this capability using anonymous inter-process communication pipes rather than spawning visible shell windows.

This approach creates an invisible interactive environment where commands execute without any observable console window, effectively hiding the attacker’s activities from both the compromised user and security monitoring solutions.

CastleRAT calls the MFEnumDeviceSources() API to access and enumerate media capture devices (webcams, microphones) via Microsoft’s Media Foundation.

Figure: CastleRAT media capture device enumeration.

The malware can download and execute arbitrary files from its command-and-control server, effectively enabling the installation of additional tools or malware families.

CastleRAT implements a sophisticated User Account Control bypass that exploits legitimate Windows functionality.

The malware abuses the Appinfo service UUID to request that Windows launch the trusted binary ComputerDefaults.exe in a privileged context.

Through a process known as handle stealing, the malware attaches a debug thread to the elevated process and monitors specific debug events.

When the target process exposes a handle, the malware duplicates it through the NtDuplicateObject API, inheriting the elevated privileges for subsequent malware processes.

Organizations must implement layered detection strategies specifically designed to identify CastleRAT’s characteristic behaviors.

Detection rules should monitor for ComputerDefaults.exe spawning child processes, an unusual activity that deviates from normal operating system behavior.

RunDLL32 abuse involving DLL export functions invoked by ordinal value represents another high-fidelity indicator, as this execution pattern rarely occurs in legitimate scenarios.

Browser processes launched with unusual flags such as mute-audio and do-not-elevate warrant immediate investigation, particularly when these processes spawn from unexpected parent executables.

Handle duplication activity targeting known UAC-bypass utilities like ComputerDefaults.exe, Eventvwr.exe, and Fodhelper.exe indicates privilege escalation attempts and should trigger containment protocols.
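The four detection heuristics above translate directly into rules over process telemetry. The following Python is an added example (not from the article's authors or any vendor product) that applies them to constructed, Sysmon-style records: process-creation events with image, parent image and command line, plus a constructed "handle_duplicate" record type standing in for whatever handle-duplication telemetry a given EDR exposes. The field names, the browser and expected-parent lists, and all sample events are assumptions for illustration.

```python
# Added example: a small rule engine for the CastleRAT detection heuristics
# described in the article. Event schema, sample events and the
# "handle_duplicate" record type are constructed for illustration.
import re
from typing import Dict, List, Tuple

UAC_BYPASS_UTILITIES = {"computerdefaults.exe", "eventvwr.exe", "fodhelper.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Browsers normally come from the shell or from themselves (renderer/GPU children).
EXPECTED_BROWSER_PARENTS = {"explorer.exe"} | BROWSERS
SUSPICIOUS_BROWSER_FLAGS = ("mute-audio", "do-not-elevate")
# rundll32 export-by-ordinal: "<dll>,#<n>" instead of "<dll>,<ExportName>"
ORDINAL_EXPORT = re.compile(r",\s*#\d+\b")


def basename(path: str) -> str:
    """Normalise an image path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "process_create":
        image = basename(event.get("image", ""))
        parent = basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "")
        if parent == "computerdefaults.exe":
            hits.append("computerdefaults_child_process")
        if image == "rundll32.exe" and ORDINAL_EXPORT.search(cmd):
            hits.append("rundll32_ordinal_export")
        if (image in BROWSERS
                and any(flag in cmd for flag in SUSPICIOUS_BROWSER_FLAGS)
                and parent not in EXPECTED_BROWSER_PARENTS):
            hits.append("browser_unusual_flags_from_unexpected_parent")
    elif kind == "handle_duplicate":
        if basename(event.get("target_image", "")) in UAC_BYPASS_UTILITIES:
            hits.append("handle_duplication_uac_bypass_target")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through the rules; returns (event index, rule name)."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe --profile-directory=Default"},          # benign
    {"type": "process_create", "parent_image": r"C:\Windows\System32\ComputerDefaults.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},                                # rule 1
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Public\upd.dll,#2"},         # rule 2
    {"type": "process_create", "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": "msedge.exe --mute-audio --do-not-elevate https://example.test/"},  # rule 3
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe --mute-audio"},                          # benign parent
    {"type": "handle_duplicate", "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\fodhelper.exe"},               # rule 4
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},          # named export, benign
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Event 4 is the deliberate negative case: the same unusual browser flags are left alone when the parent is the shell, which is what keeps the browser rule from paging on users who launch browsers with odd shortcuts. In a SIEM these rules would be joined with the parent and target process identities so that a single ComputerDefaults.exe child, a rundll32 ordinal call and a handle duplication within a short window raise one correlated alert rather than three.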

IOCs

SHA256 Hash Description
963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d CastleRAT C Compiled
f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be CastleRAT C Compiled
4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395 CastleRAT Python Compiled
282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207 CastleRAT Python Compiled
