Inside the Castle: TAG-150's Secret Malware Empire and the Rise of CastleRAT
A stealthy malware group quietly builds a digital fortress, unleashing new tools that blur the lines between cybercrime and covert operations.
Fast Facts
- TAG-150, a secretive malware group, operates CastleLoader and the newer CastleRAT trojan, which ships in both Python and C variants.
- CastleLoader has been observed in more than 1,600 attack attempts, with hundreds of confirmed infections in the US, including government agencies (PRODAFT, Recorded Future).
- CastleRAT variants can steal data, log keystrokes, swap cryptocurrency wallet addresses in the clipboard to hijack transactions, and evade detection.
- Infections spread via fake software, phishing emails, and booby-trapped GitHub repositories, often using Cloudflare-themed “ClickFix” lures: fake verification pages that talk the user into pasting a command that fetches the loader.
- Tightly controlled, TAG-150’s malware is not openly advertised on the dark web, suggesting an exclusive, high-level clientele.
A Digital Castle Built in the Shadows
Imagine a fortress rising not from stone, but from lines of code - each wall, tower, and secret tunnel crafted to keep intruders out and victims in. That’s the world TAG-150 is building. According to reports from Recorded Future and PRODAFT, this elusive cybercrime group has quietly developed a suite of malware tools - most notably CastleLoader and its latest weapon, CastleRAT - turning the digital underworld on its head.
The Anatomy of a Secret Malware Service
CastleLoader first appeared in early 2025 and quickly became a favored tool for cybercriminals seeking easy entry into victims’ systems. Its job: open the door for a parade of follow-on payloads, from info-stealers like RedLine and DeerStealer to full-fledged backdoors like NetSupport RAT. But CastleLoader was just the beginning. Security analysts from IBM X-Force and eSentire recently uncovered CastleRAT, a custom remote access trojan (RAT) that comes in both Python (“PyNightshade”) and C variants, each with its own bag of tricks.
The C version is the brute: it can log keystrokes, snap screenshots, upload or download files, and hijack cryptocurrency transactions by silently replacing a wallet address the victim has copied to the clipboard with one the attacker controls. The Python variant is the ghost - stripped down but stealthy, able to delete itself and evade antivirus detection. Both use clever tactics, such as using innocuous Steam Community profile pages as dead-drop resolvers that point to the real command-and-control servers, so beacon traffic looks like a visit to a legitimate site; and both abuse a Windows Defender quirk that keeps re-raising a security prompt until the user gives up and clicks through.
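The wallet-swap behaviour described above is what the glossary at the end of this page calls clipper malware. The Python below is an added example, not code from CastleRAT or from the Recorded Future, PRODAFT or IBM reports: it models the substitution on a single clipboard value for two chains (Bitcoin and Ethereum, going slightly beyond the page's generic "wallet addresses"), then runs a detection pass over a constructed stream of clipboard-write events and flags an address that is overwritten by a different address of the same chain within a short window by a process outside a trusted list. The wallet strings, process names, timings and trusted-process list are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Loose per-chain address patterns. A clipper only needs to recognise
# "looks like a wallet address" to swap it, and the detector mirrors that.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[a-fA-F0-9]{40}"),
}


def classify(text):
    """Return (chain, address) if text is exactly one wallet address, else None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return chain, candidate
    return None


def clipper_rewrite(clipboard_text, attacker_wallets):
    """Model of a clipper's substitution (a constructed stand-in, not CastleRAT
    code): if the clipboard holds an address for a chain the attacker has a
    wallet on, replace it with the attacker's address; otherwise leave it alone."""
    found = classify(clipboard_text)
    if found is None:
        return clipboard_text
    chain, _ = found
    return attacker_wallets.get(chain, clipboard_text)


@dataclass
class ClipboardEvent:
    ts: float      # seconds since the start of the constructed trace
    process: str   # process that wrote the clipboard (assumed telemetry field)
    content: str


def detect_swaps(events, window=2.0, trusted=("explorer.exe", "chrome.exe")):
    """Flag a wallet address that is overwritten by a *different* address of the
    same chain within `window` seconds by a process outside the trusted set.
    A user copying a second address from a browser minutes later is not a swap."""
    alerts = []
    previous = None  # (event, chain, address) of the last address-bearing write
    for event in events:
        found = classify(event.content)
        if found is None:
            previous = None  # non-address content breaks the chain of suspicion
            continue
        chain, address = found
        if previous is not None:
            prev_event, prev_chain, prev_address = previous
            if (chain == prev_chain and address != prev_address
                    and event.ts - prev_event.ts <= window
                    and event.process not in trusted):
                alerts.append({
                    "chain": chain,
                    "process": event.process,
                    "original": prev_address,
                    "replacement": address,
                    "delay": round(event.ts - prev_event.ts, 3),
                })
        previous = (event, chain, address)
    return alerts


# Constructed wallet strings: obviously fake, but shaped like real addresses.
VICTIM_BTC = "bc1q" + "v" * 38
VICTIM_ETH = "0x" + "c" * 40
ATTACKER_WALLETS = {"btc": "bc1q" + "a" * 38, "eth": "0x" + "d" * 40}


def run_demo():
    """Build a constructed clipboard trace with two clipper swaps and one benign
    re-copy, and return the detector's alerts (two expected)."""
    trace = [
        ClipboardEvent(0.0, "chrome.exe", VICTIM_BTC),
        ClipboardEvent(0.3, "updater.exe", clipper_rewrite(VICTIM_BTC, ATTACKER_WALLETS)),
        ClipboardEvent(10.0, "chrome.exe", "invoice 4471"),   # not an address
        ClipboardEvent(11.0, "explorer.exe", VICTIM_ETH),
        ClipboardEvent(11.2, "updater.exe", clipper_rewrite(VICTIM_ETH, ATTACKER_WALLETS)),
        ClipboardEvent(30.0, "chrome.exe", VICTIM_ETH),
        ClipboardEvent(45.0, "chrome.exe", "0x" + "e" * 40),  # user copies another address
    ]
    return detect_swaps(trace)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The design choice worth noting is the reset on non-address content: a clipper acts within milliseconds of the user's copy, so the detector only compares consecutive address-bearing writes, and a trusted process writing a new address later is treated as the user's own action. On a real endpoint the event stream would come from clipboard-monitoring telemetry (the process field is assumed to be available), and the trusted list would be the user's wallet software and browser.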
Exclusive Club, Expanding Arsenal
Despite its growing impact, TAG-150 remains almost invisible on the dark web. There are no flashy ads, no public forums hawking their wares. As Recorded Future’s Insikt Group notes, this exclusivity likely keeps law enforcement at bay - and ensures only the most well-connected cybercriminals get access. The result? A malware-as-a-service (MaaS) operation that’s nimble, adaptable, and increasingly dangerous. The group has been linked to ransomware campaigns, including possible ties to the notorious Play Ransomware gang, and shows signs of building an end-to-end criminal toolkit.
Other tools, like TinyLoader and Inf0s3c Stealer, have surfaced alongside CastleRAT, hinting at a broader ecosystem of tools and affiliates. The market for such “custom” malware is surging, with groups like TAG-150 racing to outpace both competitors and defenders by rolling out new features and variants at alarming speed.
Conclusion: The New Rules of Cybercrime
TAG-150’s rise is a lesson in modern cybercrime: move quietly, innovate relentlessly, and keep your secrets close. As their digital arsenal grows, so does the risk to organizations and individuals worldwide. For defenders, it’s a stark reminder that the line between commercial malware and targeted attacks is fading fast - and that today’s digital castle may be tomorrow’s open gate.
WIKICROOK
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Command: A command is an instruction sent to a device or piece of software, often by a command-and-control (C2) server, directing it to perform specific actions, sometimes for malicious purposes.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Clipper Malware: Clipper malware swaps copied cryptocurrency wallet addresses on the clipboard with those of attackers, tricking users into sending funds to cybercriminals.