TAG-150 Expands CastleLoader Operations with New CastleRAT in Python and C
September 5, 2025
The threat group tracked as TAG-150 has added a remote access trojan (RAT), CastleRAT, to the malware-as-a-service (MaaS) operation it already runs around its CastleLoader loader. CastleRAT is available in both Python and C variants. According to Recorded Future's Insikt Group, its core functions are collecting system information, downloading and executing additional payloads, and running operator-supplied commands through cmd.exe and PowerShell.
TAG-150 has been active since at least March 2025, using CastleLoader and CastleRAT as initial-access tooling from which a range of secondary payloads is deployed, including other remote access trojans, information stealers, and further loaders. CastleLoader, also referred to as CastleBot, was first documented by the Swiss cybersecurity firm PRODAFT in July 2025 and has been used in multiple campaigns to distribute known strains such as DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader.
The continued evolution of TAG-150's tooling matters to any organization in its target set because the family is a staging layer rather than an end in itself: its value to the operator lies in what it delivers next. The behaviours attributed to CastleRAT map cleanly onto MITRE ATT&CK: collecting host details is System Information Discovery (T1082), fetching and running follow-on payloads is Ingress Tool Transfer (T1105), and running commands through cmd.exe and PowerShell falls under Command and Scripting Interpreter (T1059.003 and T1059.001). Those technique IDs are a useful starting point for checking existing detection coverage.
CastleRAT extends TAG-150's operational reach, but nothing in its described feature set is exotic: command execution through built-in interpreters and download-and-execute of staged binaries are exactly the behaviours that process-creation and command-line telemetry already captures. As the actor keeps refining its methods, defenders should make sure that telemetry is collected and that detection logic looks at parent-child process relationships and PowerShell command lines, not only at file hashes of known samples.
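The following is an added example of the kind of process-tree heuristic that covers the three CastleRAT behaviours reported above (shell execution via cmd.exe/PowerShell, download-and-execute of a dropped binary, and host discovery). It is not Insikt Group's detection content and not code from TAG-150's tooling. The events are constructed to resemble Sysmon Event ID 1 records already parsed into dictionaries; the field names, the scoring weights, the list of "normal" shell parents and the assumption that a Python-based implant would surface as a `python.exe` parent unpacked to a `Temp` path are all assumptions to be tuned per environment.

```python
"""Heuristic triage of Windows process-creation events for the behaviours
attributed to CastleRAT: shell execution via cmd.exe/PowerShell,
download-and-execute of staged payloads, and host discovery.

Added example, not Insikt Group or TAG-150 code. Field names, weights and
baselines are assumptions; events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents that normally launch an interactive or scheduled shell (assumed baseline).
BENIGN_SHELL_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "windowsterminal.exe", "code.exe", "svchost.exe", "taskeng.exe",
}
# Interpreters a Python implant would run under, including the python.exe a
# PyInstaller-style bundle unpacks into a temp directory (assumption).
PYTHON_HOSTS = {"python.exe", "pythonw.exe", "python3.exe"}
# Built-in utilities commonly chained for system-information gathering.
RECON_TOOLS = {"systeminfo.exe", "whoami.exe", "ipconfig.exe", "hostname.exe",
               "wmic.exe", "tasklist.exe", "net.exe"}
# Directories a user can write to, where loaders usually stage payloads.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
# Generic PowerShell download-cradle and evasion switches (not CastleRAT-specific).
CRADLE = re.compile(
    r"(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden\b|downloadstring|"
    r"downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|"
    r"frombase64string|start-bitstransfer|certutil)", re.I)


@dataclass
class Finding:
    pid: int
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Finding:
    """Score one process-creation event; higher means more worth an analyst's time."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    f = Finding(pid=ev["pid"], image=image)
    if image in SHELLS:
        if parent in PYTHON_HOSTS:
            f.add(3, "shell spawned by a Python interpreter")
        elif parent not in BENIGN_SHELL_PARENTS:
            f.add(2, f"shell spawned by unusual parent {parent}")
        if USER_WRITABLE.search(ev["parent_image"]):
            f.add(2, "parent image lives in a user-writable directory")
        if image != "cmd.exe" and CRADLE.search(ev.get("command_line", "")):
            f.add(3, "PowerShell download-cradle or evasion switch on command line")
    elif USER_WRITABLE.search(ev["image"]):
        # Download-and-execute: a freshly dropped binary started by the implant.
        if parent in PYTHON_HOSTS:
            f.add(3, "binary in a staging directory launched by a Python interpreter")
        elif USER_WRITABLE.search(ev["parent_image"]):
            f.add(2, "binary in a staging directory launched from another staging directory")
    elif image in RECON_TOOLS and parent in SHELLS:
        # Low weight alone; a production pipeline would roll this up the process tree.
        f.add(1, "host-discovery utility run from a shell")
    return f


def triage(events, threshold: int = 3):
    """Return findings at or above threshold, most suspicious first."""
    hits = [f for f in map(score_event, events) if f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed sample events (not real telemetry). The Python host sits under
# %TEMP%\_MEIxxxx because that is where a PyInstaller bundle unpacks itself.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe"},
    {"pid": 5208, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\_MEI48162\python.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"pid": 5316, "image": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\_MEI48162\python.exe",
     "command_line": "update.exe"},
    {"pid": 5400, "image": r"C:\Windows\System32\systeminfo.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "systeminfo"},
    {"pid": 6002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\maint.ps1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image} score={f.score}: " + "; ".join(f.reasons))
```

Run against the constructed events, the PowerShell launched by the Temp-resident `python.exe` with an encoded, hidden-window command scores highest, the dropped `update.exe` started by that interpreter clears the threshold on its own, while the scheduled-task-style PowerShell under `svchost.exe` and the lone `systeminfo` under `cmd.exe` stay below it. The weights are deliberately coarse; the point is that every signal here comes from process lineage, image path and command line, none of which depend on recognising a specific CastleRAT sample.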
Technical controls should be paired with security awareness training that gives staff a realistic picture of how loaders like CastleLoader reach them and what to report. Threats of this kind are best met with a layered approach in which telemetry, detection logic and trained people reinforce one another rather than relying on any single control.
Business owners and security teams should track reporting on TAG-150 and similar groups and fold the documented tactics and techniques into their own detection and response planning. Knowing how this actor stages and delivers payloads is what turns a news item into a concrete coverage check.