TAG-150 Hackers Deploy Custom Malware Families to Target Organizations

A new and highly sophisticated cyber threat actor, known as TAG-150, has emerged on the global stage, wreaking havoc since March 2025 with a suite of custom malware families and an expansive, multi-tiered infrastructure used to compromise organizations and individuals alike.

TAG-150: Advanced Infrastructure and Custom Malware

Research from Insikt Group has unveiled that TAG-150’s infrastructure is meticulously structured in four tiers. This includes victim-facing command-and-control (C2) servers, as well as backup and intermediary layers designed to obfuscate the group’s operations.

These servers facilitate the management and deployment of various malware types, including CastleLoader, CastleBot, and the newly identified CastleRAT, a remote access trojan (RAT) available in both Python and C variants. The initial payloads often serve as gateways for further malicious software, such as SectopRAT, WarmCookie, and several credential-stealing infostealers, thereby maximizing the potential for data exfiltration and internal compromise.

Timeline of TAG-150 activity (Source: Recorded Future)

The CastleRAT trojan is particularly noteworthy for its technical sophistication. The Python variant is engineered for stealth, often eluding detection by antivirus solutions. It possesses capabilities to collect system information, download and execute payloads, run CMD and PowerShell commands, and even delete itself to evade further scrutiny.

In contrast, the C variant is even more feature-rich, boasting functionalities such as keylogging, clipboard hijacking, screen capture, file upload/download, persistence mechanisms, and advanced detection evasion techniques. This makes it a formidable tool for remote surveillance and control.

Multi-Layered Attacks and Evasion Tactics

TAG-150’s attack chain typically employs phishing techniques, utilizing fraudulent domains that closely mimic popular platforms or developer libraries, alongside malicious GitHub repositories. Victims are often lured into executing PowerShell commands, which are disguised as legitimate debugging or software update processes.

Upon successful infection, which occurs at a striking rate of 28.7% among interacting victims, the group swiftly pivots to deploying secondary payloads and connecting compromised devices to their network of C2 servers.

Multi-tiered infrastructure linked to TAG-150 (Source: Recorded Future)

To enhance operational security and resist takedown efforts, TAG-150 utilizes privacy-focused services such as Lokinet (Oxen network), file-sharing platforms (Mega.nz, temp.sh), and anti-detection services like Kleenscan. The group’s rapid adaptability is evident in its recent shift to employing Steam Community pages for CastleRAT C2 “dead drops,” as well as its experimentation with encapsulating command protocols within WebSockets.

Infrastructure components are routinely relocated across virtual private servers and residential IP ranges, complicating attribution and mitigation efforts significantly.

Mitigation and Outlook

Experts recommend a proactive approach to counteract TAG-150’s activities. This includes blocking all identified TAG-150 infrastructure, deploying updated Sigma, YARA, and Snort detection rules, filtering suspicious emails, and closely monitoring data exfiltration channels. Given the group’s technical ingenuity and evolving toolkit, security teams must remain vigilant regarding emerging trends in the criminal cyber ecosystem.

Insikt Group assesses that TAG-150 will persist in its innovation, developing new malware families and adopting emerging privacy solutions to sustain its operations while continuing to target organizations globally.

Indicators of Compromise (IoCs)

CastleLoader C2 IP Addresses: 62[.]60[.]226[.]73 62[.]60[.]226[.]211 62[.]60[.]226[.]254 79[.]132[.]130[.]142 80[.]77[.]23[.]48 85[.]158[.]108[.]135 94[.]159[.]113[.]123
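As an added example (not code from Recorded Future or from the article), the script below refangs the CastleLoader C2 addresses listed above and checks them against a few constructed firewall log lines; the `src=... dst=... dport=...` log format and the sample lines are assumptions for illustration, and the match is on the full address so that a prefix such as 62.60.226.7 does not trigger a false positive.

```python
import ipaddress
import re

# Defanged CastleLoader C2 addresses exactly as listed in the article's IoC section.
DEFANGED_C2 = """
62[.]60[.]226[.]73 62[.]60[.]226[.]211 62[.]60[.]226[.]254 79[.]132[.]130[.]142
80[.]77[.]23[.]48 85[.]158[.]108[.]135 94[.]159[.]113[.]123
"""

def refang(token: str) -> str:
    """Turn a defanged indicator ('62[.]60[.]226[.]73') back into a plain IP string."""
    return token.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")

def load_c2_set(blob: str) -> set:
    """Parse whitespace-separated defanged IPs into a set, validating each address."""
    out = set()
    for tok in blob.split():
        ip = refang(tok)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
        out.add(ip)
    return out

# Constructed sample log lines (assumed key=value firewall export, not from the article).
SAMPLE_LOGS = [
    "2025-09-01T10:02:11Z src=10.0.4.21 dst=62.60.226.73 dport=443 action=allow",
    "2025-09-01T10:02:12Z src=10.0.4.21 dst=142.250.74.46 dport=443 action=allow",
    "2025-09-01T10:03:40Z src=10.0.7.5 dst=94.159.113.123 dport=8080 action=allow",
    "2025-09-01T10:04:02Z src=10.0.7.5 dst=62.60.226.7 dport=443 action=allow",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def find_c2_hits(lines, c2_ips):
    """Return (src, dst, dport) for each line whose destination is a listed C2 IP.
    Exact set membership on the whole address avoids prefix false positives."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in c2_ips:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits

if __name__ == "__main__":
    c2 = load_c2_set(DEFANGED_C2)
    for src, dst, dport in find_c2_hits(SAMPLE_LOGS, c2):
        print(f"ALERT: {src} contacted CastleLoader C2 {dst}:{dport}")
```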
