A sophisticated new threat actor designated TAG-150 has emerged as a significant cybersecurity concern, demonstrating rapid development capabilities and technical sophistication in deploying multiple self-developed malware families since March 2025.
The group has successfully created and deployed CastleLoader, CastleBot, and their latest creation, CastleRAT, a previously undocumented remote access trojan that represents a concerning evolution in their operational capabilities.
The threat actor primarily initiates infections through Cloudflare-themed “ClickFix” phishing attacks and fraudulent GitHub repositories masquerading as legitimate applications.
Victims are deceived into copying and executing malicious PowerShell commands on their own devices, creating a seemingly user-initiated compromise that bypasses traditional security measures.
Despite limited overall engagement, the campaign achieved a remarkable 28.7% infection rate among victims who interacted with malicious links, demonstrating the effectiveness of their social engineering tactics.
Recorded Future analysts identified an extensive multi-tiered infrastructure supporting TAG-150’s operations, revealing a sophisticated command-and-control architecture spanning four distinct tiers.
The infrastructure includes victim-facing Tier 1 servers hosting various malware families, intermediate Tier 2 servers accessed via RDP, and higher-level Tier 3 and Tier 4 infrastructure used for operational management and backup purposes.
This complex network design suggests advanced operational security awareness and redundancy planning.
The malware ecosystem deployed by TAG-150 serves as an initial infection vector for delivering secondary payloads including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and numerous information stealers such as Stealc, RedLine Stealer, and Rhadamanthys Stealer.
This diverse payload delivery capability indicates either a Malware-as-a-Service operation or strategic partnerships with other cybercriminal groups.
Advanced Persistence and Evasion Mechanisms
CastleRAT represents the most technically advanced component of TAG-150’s arsenal, available in both Python and C variants with distinct capabilities.
The malware uses a custom binary protocol in which command-and-control traffic is encrypted with RC4 under a hard-coded 16-byte key.
Both variants query the geolocation API ip-api.com to obtain location information through the infected host’s public IP address, enabling geographic targeting and operational intelligence gathering.
The C variant demonstrates significantly enhanced functionality, incorporating keylogging capabilities, screen capturing, clipboard monitoring, and sophisticated process injection techniques.
Recent developments include C2 dead drops hosted on Steam Community pages, an approach to command-and-control communications that leverages a legitimate gaming platform to evade detection.
The malware maintains persistence through registry modifications and employs browser process masquerading for execution, while the Python variant includes self-deletion capabilities using PowerShell commands.
These evasion techniques, combined with the group’s use of anti-detection services like Kleenscan, demonstrate TAG-150’s commitment to operational longevity and stealth.