A sophisticated new threat actor designated TAG-150 has emerged as a significant cybersecurity concern, demonstrating rapid development capabilities and technical sophistication in deploying multiple self-developed malware families since March 2025.<\/p>\n
The group has successfully created and deployed CastleLoader, CastleBot, and their latest creation, CastleRAT, a previously undocumented remote access trojan that represents a concerning evolution in their operational capabilities.<\/p>\n
The threat actor primarily initiates infections through Cloudflare-themed \u201cClickFix\u201d phishing attacks and fraudulent GitHub repositories masquerading as legitimate applications.<\/p>\n
Victims are deceived into copying and executing malicious PowerShell commands on their own devices, creating a seemingly user-initiated compromise that bypasses traditional security measures.<\/p>\n
Despite limited overall engagement, the campaign achieved a remarkable 28.7% infection rate among victims who interacted with malicious links, demonstrating the effectiveness of their social engineering tactics.<\/p>\n
Recorded Future analysts identified<\/a> an extensive multi-tiered infrastructure supporting TAG-150\u2019s operations, revealing a sophisticated command-and-control architecture spanning four distinct tiers.<\/p>\n The infrastructure includes victim-facing Tier 1 servers hosting various malware families, intermediate Tier 2 servers accessed via RDP, and higher-level Tier 3 and Tier 4 infrastructure used for operational management and backup purposes.<\/p>\n This complex network design suggests advanced operational security awareness and redundancy planning.<\/p>\n The malware ecosystem deployed by TAG-150 serves as an initial infection vector for delivering secondary payloads including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and numerous information stealers such as Stealc, RedLine Stealer, and Rhadamanthys Stealer<\/a>.<\/p>\n This diverse payload delivery capability indicates either a Malware-as-a-Service<\/a> operation or strategic partnerships with other cybercriminal groups.<\/p>\n CastleRAT represents the most technically advanced component of TAG-150\u2019s arsenal, available in both Python and C variants with distinct capabilities.<\/p>\n The malware employs a custom binary protocol utilizing RC4 encryption with hard-coded 16-byte keys for secure communications.<\/p>\n Both variants query the geolocation API ip-api.com to obtain location information through the infected host\u2019s public IP address, enabling geographic targeting and operational intelligence gathering.<\/p>\n The C variant demonstrates significantly enhanced functionality, incorporating keylogging<\/a> capabilities, screen capturing, clipboard monitoring, and sophisticated process injection techniques.<\/p>\n Recent developments include the implementation of C2 deaddrops hosted on Steam<\/a> Community pages, representing an innovative approach to command-and-control communications that leverages legitimate gaming platforms to evade detection.<\/p>\n The malware maintains persistence through registry modifications and employs browser process masquerading for execution, while the Python variant includes self-deletion capabilities using PowerShell commands.<\/p>\n These evasion techniques, combined with the group\u2019s use of anti-detection services like Kleenscan, demonstrate TAG-150\u2019s commitment to operational longevity and stealth.<\/p>\n The post TAG-150 Hackers Deploying Self-Developed Malware Families to Attack Organizations<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj36Rx3hhTYA56MrZObO7B68GIhZCgwb0aNYHN4-0RtfVQHGzW4T8YIF1WHc2yeMtk-hiSepFuE-roB95Ot0gyCo-ucirZIvW2wyIaMdTwnxpZEX-gQ5_5xaYl5aeL2i-CrlSU-VWvTHxWv1Dd5bzuSyuO1qMQ0uvG2-aHfqYdgvsejQyiZvtNY0LRB9FI\/s16000\/Multi-tiered%2520infrastructure%2520linked%2520to%2520TAG-150%2520%28Source%2520-%2520Recordedfuture%29.webp?ssl=1\")
Advanced Persistence and Evasion Mechanisms<\/strong><\/h2>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n