TAG-150 Hackers Escalate Attacks with Proprietary Malware Families

TAG-150 is a sophisticated threat actor active since at least March 2025. Characterized by rapid malware development, technical sophistication, and a sprawling multi-tiered infrastructure, TAG-150 has deployed several self-developed families (CastleLoader, CastleBot, and most recently CastleRAT) against organizations via phishing campaigns and fraudulent repositories.

TAG-150 first surfaced with CastleLoader, a loader that delivers a diverse set of follow-on payloads, including information stealers and remote access trojans. CastleBot, another loader variant, soon followed.

In early August 2025, Insikt Group documented CastleRAT—a remote access trojan available in both Python and C variants, capable of system reconnaissance, payload download and execution, and remote shell commands.

The C variant further incorporates advanced functions such as keylogging, screen capture, file upload/download, and process termination, reflecting ongoing feature expansions.

Recorded Future’s Insikt Group has found that TAG-150’s infrastructure operates on a four-tier model. Tier 1 consists of victim-facing command-and-control (C2) servers for malware families including CastleLoader, CastleRAT, SectopRAT, and WarmCookie.

Multi-tiered infrastructure linked to TAG-150.

These servers, often registered through NameCheap or TUCOWS, are hosted across multiple autonomous systems, with notable providers such as servinga GmbH and FEMO IT Solutions.

Tier 2 comprises VPS intermediaries accessed over RDP and used to stage connections to Tier 1. Tier 3 includes two distinct clusters: a set of VPS servers sharing a TLS certificate and a Russian residential IP communicating via Tox, hinting at possible affiliate or second-operator involvement.

Tier 4 appears to serve as a backup layer, with long-running high-port UDP sessions linking VPS nodes.

Infection Vectors and Victim Profile

TAG-150 primarily employs Cloudflare-themed “ClickFix” phishing attacks and bogus GitHub repositories to lure victims into executing PowerShell commands.

Timeline of TAG-150 activity.

Although overall click-through rates remain modest, nearly 29% of engaged users became infected, underscoring the campaign’s effectiveness.

Recorded Future intelligence indicates targets are predominantly in the United States, spanning private individuals and potentially enterprise networks, though few organizations have publicly acknowledged breaches.

Beyond proprietary malware, TAG-150 leverages various cybercriminal tools and platforms. Insikt Group identified the use of Kleenscan for anti-detection, the Oxen network for secure communications, file-sharing services such as temp.sh and mega.nz, the cryptocurrency swap site simpleswap.io, and underground forums like Exploit Forum.

However, the scope of data has been expanded to include the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or Tor node.

CastleRAT C variant request and response to Geolocation API service.

These services enable TAG-150 to host payloads, anonymize traffic, and manage its C2 infrastructure.

Mitigations

To defend against TAG-150, security teams should:

  • Block IP addresses and domains linked to CastleLoader, CastleBot, CastleRAT, and other loaders, infostealers, and RATs.
  • Monitor and potentially block unusual file-sharing or paste services like Pastebin.
  • Deploy YARA, Snort, and Sigma rules covering historical and current malware signatures.
  • Implement robust email filtering to intercept phishing lures.
  • Monitor for abnormal data exfiltration using network-intelligence platforms.

Appendix A of the Insikt Group report provides a comprehensive list of Indicators of Compromise (IoCs), while Appendices C–E offer detection rules for SIEM and endpoint platforms.

TAG-150’s demonstrated agility and willingness to develop new malware suggest continued expansion of its toolkit.

Insikt Group anticipates further enhancements in stealth and evasion, potentially via advanced anti-detection services.

Given TAG-150’s infrastructure adaptability, there is also a risk of Malware-as-a-Service offerings enabling third-party affiliates to deploy its tools.

Security practitioners should remain vigilant, continuously monitoring TAG-150’s evolving infrastructure and adopting proactive defenses to mitigate the threat posed by this emerging actor. Insikt Group will continue tracking TAG-150’s activities, reporting new developments, and updating detection strategies accordingly.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.