TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT.

“Available in both Python and C variants, CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell,” Recorded Future Insikt Group said^[1].

The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.

CastleLoader was first documented^[2] by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader.

A subsequent analysis from IBM X-Force last month found^[3] that the malware has also served as a conduit for MonsterV2 and WARMCOOKIE through SEO poisoning and GitHub repositories impersonating legitimate software.

“Infections are most commonly initiated through Cloudflare-themed ‘ClickFix’^[4] phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications,” Recorded Future said.

“The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems.”

Evidence indicates that TAG-150 has been working on CastleRAT since March 2025, with the threat actor leveraging a multi-tiered infrastructure comprising Tier 1 victim-facing command-and-control (C2) servers, as well as Tier 2 and Tier 3 servers that are mostly virtual private servers (VPSes), and Tier 4 backup servers.

CastleRAT, the newly discovered addition to TAG-150’s arsenal, can download next-stage payloads, enable remote shell capabilities, and even delete itself. It also uses Steam Community profiles as dead drop resolvers to host C2 servers (“programsbookss[.]com”).

Notably, CastleRAT comes in two versions, one written in C and the other, programmed in Python, with the latter also called PyNightshade. It’s worth noting that eSentire is tracking^[5] the same malware under the name NightshadeC2.

The C variant of CastleRAT incorporates more functionality, allowing it to log keystrokes, capture screenshots, upload/download files, and function as a cryptocurrency clipper to substitute wallet addresses copied to the clipboard with an attacker-controlled one with the aim of redirecting transactions.

“As with the Python variant, the C variant queries the widely abused IP geolocation service ip-api[.]com to collect information based on the infected host’s public IP address,” Recorded Future said. “However, the scope of data has been expanded to include the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or TOR node.”

That said, recent iterations of the C variant of CastleRAT have removed querying of the city and ZIP code from ip-api[.]com, indicating active development. It remains to be seen if its Python counterpart will attain feature parity.

eSentire, in its own analysis of NightshadeC2, described it as a botnet that’s deployed by means of a .NET loader, which, in turn, makes use of techniques like UAC Prompt Bombing^[6] to sidestep security protections. The Canadian cybersecurity company said it also identified variants equipped with features to extract passwords and cookies from Chromium- and Gecko-based web browsers.

In a nutshell, the process involves running a PowerShell command in a loop that attempts to add an exclusion in Windows Defender for the final payload (i.e., NightshadeC2), after which the loader verifies the exit code of the PowerShell process to ascertain if it’s 0 (meaning success).

If the exclusion is successfully added, the loader proceeds to deliver the malware. If any other exit code other than 0 is returned, the loop keeps executing repeatedly, forcing the user to approve the User Account Control (UAC) prompt.

“A particularly notable aspect of this approach is that systems with the WinDefend (Windows Defender) service disabled will generate non-zero exit codes, causing malware analysis sandboxes to become trapped in the execution loop,” eSentire said, adding the method enables a bypass of multiple sandbox solutions.

The development comes as Hunt.io detailed another malware loader codenamed TinyLoader that has been used to serve Redline Stealer and DCRat.

Besides establishing persistence by modifying Windows Registry settings, the malware monitors the clipboard and instantly replaces copied crypto wallet addresses. Its C2 panels are hosted across Latvia, the U.K., and the Netherlands.

“TinyLoader installs both Redline Stealer and cryptocurrency stealers to harvest credentials and hijack transactions,” the company said^[7]. “It spreads through USB drives, network shares, and fake shortcuts that trick users into opening it.”

The findings also coincide with the discovery of two new malware families, a Windows-based keylogger called TinkyWinkey^[8] and a Python information stealer referred to as Inf0s3c Stealer^[9], that can collect keyboard input and gather extensive system information, respectively.

Further analysis of Inf0s3c Stealer has identified points of similarity with Blank Grabber and Umbral-Stealer, two other publicly available malware families, suggesting that the same author could be responsible for all three strains.

“TinkyWinkey represents a highly capable and stealthy Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling to gather sensitive information,” CYFIRMA said.

Inf0s3c Stealer “systematically collects system details, including host identifiers, CPU information, and network configuration, and captures screenshots. It enumerates running processes and generates hierarchical views of user directories, such as Desktop, Documents, Pictures, and Downloads.”