TAG-150 Develops CastleRAT in Python and C, Enhancing CastleLoader Malware Operations

September 05, 2025
Botnet / Malware

The threat actor behind the malware-as-a-service (MaaS) framework and loader known as CastleLoader has introduced a remote access trojan, CastleRAT. Available in both Python and C versions, CastleRAT primarily functions to collect system information, download and execute additional payloads, and run commands via CMD and PowerShell, according to Recorded Future’s Insikt Group. The cybersecurity firm is monitoring the malicious activities attributed to TAG-150, which is believed to have been operational since at least March 2025. CastleLoader and its variants serve as initial access points for various secondary payloads, including other remote access trojans, information stealers, and additional loaders. CastleLoader (also referred to as CastleBot) was first reported by Swiss cybersecurity firm PRODAFT in July 2025, highlighting its use in campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. Further analysis…

TAG-150 Expands CastleLoader Operations with New CastleRAT in Python and C

September 5, 2025

In a recent development within the cybersecurity landscape, the threat group identified as TAG-150 has introduced a remote access trojan (RAT) named CastleRAT, complementing its existing malware-as-a-service (MaaS) framework known as CastleLoader. This new trojan is available in both Python and C variants, showcasing the group’s ability to innovate within the malware domain. According to insights from Recorded Future’s Insikt Group, CastleRAT primarily focuses on systematically gathering system information, facilitating the downloading and execution of additional malicious payloads, and executing commands through CMD and PowerShell interfaces.

TAG-150 has been active at least since March 2025, leveraging CastleLoader and CastleRAT as initial access tools that enable the subsequent deployment of a range of secondary payloads. These payloads include various types of malware, such as other remote access trojans, information stealers, and additional loaders. The emergence of CastleLoader, also referred to as CastleBot, was first documented by the Swiss cybersecurity firm PRODAFT in July 2025. This malware has been implicated in multiple campaigns distributing known strains such as DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader.

The continued evolution of TAG-150’s capabilities signals a pressing concern for organizations that may become targets of these sophisticated cyber operations. The malware family serves as a conduit for further attacks, emphasizing the importance of understanding the methods employed by such adversaries. The MITRE ATT&CK framework provides useful context for analyzing these tactics, with potential techniques including initial access and command execution being prominent in this threat landscape.

CastleRAT and its associated framework not only enhance TAG-150’s operational capacities but also underline the vulnerabilities inherent in current cybersecurity defenses. As this threat actor continues to refine its methodologies, businesses must remain vigilant and proactive in their cybersecurity strategies. This entails implementing robust detection and response mechanisms to counteract the risks posed by such malware families.

In addition to technological measures, organizations should engage in comprehensive security awareness training. This training equips employees with the knowledge to identify threats and respond effectively, thereby fortifying the organization’s defenses against potential breaches. The evolving nature of threats like CastleRAT illustrates the critical need for businesses to adopt a multifaceted approach to cybersecurity, where technology, training, and awareness converge to offer resilience against increasingly sophisticated adversaries.

As the dialogue around cybersecurity continues to grow, it is essential for business owners to remain informed about emerging threats and to leverage available resources effectively. Understanding the tactics and techniques used by groups like TAG-150 is integral to developing an informed response strategy. By staying abreast of developments in the cybersecurity realm, organizations can better prepare themselves for the challenges that lie ahead.

Source link

Related Posts

SAP S/4HANA Suffers Active Exploitation of Critical Vulnerability CVE-2025-42957

Sep 05, 2025
Vulnerability / Enterprise Security

A serious security flaw in SAP S/4HANA, a popular Enterprise Resource Planning (ERP) system, is currently being exploited in the wild. This command injection vulnerability, designated as CVE-2025-42957 and given a CVSS score of 9.9, was recently addressed by SAP in its monthly updates. According to the NIST National Vulnerability Database (NVD), “SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC.” This flaw allows for the injection of arbitrary ABAP code into the system, bypassing critical authorization checks. A successful attack could compromise the entire SAP environment, threatening the confidentiality, integrity, and availability of the system. Attackers could manipulate the SAP database, create superuser accounts with SAP_ALL privileges, extract password hashes, and disrupt business processes.

CISA Urges Immediate Patching of Critical Sitecore Vulnerability Under Active Attack

September 5, 2025
Vulnerability / Threat Intelligence

Federal Civilian Executive Branch (FCEB) agencies are directed to update their Sitecore systems by September 25, 2025, due to a critical security vulnerability, identified as CVE-2025-53690, that is currently being exploited. The vulnerability has a CVSS score of 9.0 out of 10, highlighting its severity. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this flaw affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, allowing for deserialization of untrusted data through default machine keys. This presents an opportunity for attackers to execute remote code by exploiting exposed ASP.NET machine keys. Mandiant, a Google-owned cybersecurity firm, reported that the ongoing ViewState deserialization attacks utilized a sample machine key found in Sitecore deployment guides from 2017 and earlier. The threat intelligence team…

“Noisy Bear Campaign Disguised as Phishing Test Revealed Targeting Kazakhstan’s Energy Sector”

Sep 06, 2025 – Malware / Cyber Espionage

A suspected Russian threat actor is behind a series of attacks aimed at Kazakhstan’s energy sector, identified as Operation BarrelFire by Seqrite Labs, which tracks the group as Noisy Bear. Active since at least April 2025, the campaign specifically targets employees of KazMunaiGas (KMG). The attackers delivered a counterfeit document purporting to be from the KMG IT department, mimicking legitimate internal communications and addressing topics like policy updates, certification processes, and salary adjustments. According to security researcher Subhajeet Singha, the infection process starts with a phishing email containing a ZIP file that includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions in both Russian and Kazakh to execute a program named “KazMunayGaz_Viewer.”

⚡ Weekly Update: Drift Breach Unveiled, Active Zero-Days, Patch Alerts, Evolving Threats & More

 
Sep 08, 2025
Cybersecurity / Hacking News

Cybersecurity constantly evolves, with each week bringing fresh threats, vulnerabilities, and crucial lessons for defenders. For security and IT teams, the challenge lies in discerning which risks demand immediate attention. This digest aims to provide a straightforward briefing to help prioritize what matters most.

This week, the notable story is the Salesloft–Drift breach, where attackers compromised OAuth tokens, gaining access to Salesforce data from major tech companies. This incident underscores how fragile integrations can become critical vulnerabilities in enterprise defenses.

Additionally, we’ll discuss several high-risk CVEs currently under active exploitation, the latest strategies of advanced threat actors, and new insights on streamlining security workflows for greater efficiency. Each section delivers essential information, ensuring you stay informed and prepared without being overwhelmed.

Threat of the Week
Salesloft to Take Drift of…