An insidious cybercrime network has come into focus, pivoting around a malware-as-a-service (MaaS) operation known for its sophisticated remote access trojans (RATs). At the heart of this network lies CastleLoader, a malware loader that has been prolific in its deployment, while the overarching infrastructure goes by the moniker CastleBot.
Researchers meticulously dissecting this threat have identified the principal threat actor as TAG-150, active since at least March 2025. The operation’s stealth is remarkable, maintaining an almost invisible presence on dark web marketplaces. TAG-150’s arsenal is spearheaded by CastleRAT, available in both C and Python variants, each offering distinct capabilities tailored for comprehensive infiltration and control of compromised systems.
CastleRAT specializes in harvesting system intelligence, deploying additional payloads, and executing commands through CMD and PowerShell interfaces. Its latest design leverages Steam Community profiles as dead drop resolvers, discreetly channeling communications back to command-and-control (C2) servers hosted under domains such as “programsbookss[.]com.” This tactic not only obscures the malware’s footprint but also makes its C2 channel more resilient against conventional detection methods.
The C variant of CastleRAT, the more aggressive of the duo, integrates functionalities such as keystroke logging, screenshot capture, and clipboard hijacking, specifically targeting cryptocurrency wallets. This enables the substitution of genuine wallet addresses with attacker-controlled ones, subtly siphoning digital assets. Moreover, it utilizes the IP geolocation service ip-api[.]com to compile detailed information about the victim, though recent builds collect less geolocation detail, possibly to evade detection or analysis.
Conversely, the Python counterpart, known in cybersecurity circles as PyNightshade or NightshadeC2, is engineered with stealth at its core. Its primary functions include downloading executables, running shell commands, and self-erasure. Notably, both variants rely on a persistent PowerShell loop that repeatedly pressures the user into adding the malware to Windows Defender’s exclusions; the same loop keeps automated malware analysis environments cycling indefinitely, helping the malware evade sandbox detection.
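Detection logic for the exclusion-coercion loop described above, added here as an example and not part of the original report: it scans constructed PowerShell script-block log lines (an assumed `<timestamp> pid=<n> <script text>` layout) for Defender exclusion or real-time-monitoring changes and flags any process that repeats them within a short window, which is the loop behaviour a defender would want to surface.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cmdlets that weaken Defender; parameter names as accepted by Add-/Set-MpPreference
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*?-(ExclusionPath|ExclusionProcess|ExclusionExtension"
    r"|DisableRealtimeMonitoring)\b",
    re.IGNORECASE,
)

# Constructed sample log resembling PowerShell ScriptBlock (event 4104) records
SAMPLE_LOG = """\
2025-06-01T10:00:00 pid=4120 Get-ChildItem C:\\Users\\victim\\Documents
2025-06-01T10:00:03 pid=5312 Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming\\svc"
2025-06-01T10:00:05 pid=5312 Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming\\svc"
2025-06-01T10:00:07 pid=5312 Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming\\svc"
2025-06-01T10:00:09 pid=5312 Add-MpPreference -ExclusionProcess "svc.exe"
2025-06-01T10:30:00 pid=7004 Add-MpPreference -ExclusionPath "D:\\Builds"
"""

LINE_RE = re.compile(r"^(\S+) pid=(\d+) (.*)$")

def parse_line(line):
    """Split one log line into (timestamp, pid, script text); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(3)

def find_exclusion_loops(log_text, window_seconds=60, min_attempts=3):
    """Return {pid: total_attempts} for processes issuing min_attempts or more
    Defender exclusion/disable commands inside any window of window_seconds."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and EXCLUSION_RE.search(parsed[2]):
            by_pid[parsed[1]].append(parsed[0])
    hits, window = {}, timedelta(seconds=window_seconds)
    for pid, times in by_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                hits[pid] = len(times)
                break
    return hits

if __name__ == "__main__":
    print(find_exclusion_loops(SAMPLE_LOG))  # {5312: 4}
```

A single exclusion from an administrator (pid 7004) stays below the threshold, while the repeating process is reported with its total attempt count.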
TAG-150’s modus operandi has perplexed analysts, particularly due to the absence of any dark web marketplace advertisements or posts, suggesting an invitation-only distribution model within a tight-knit network of affiliates. This exclusivity likely aims to preserve operational security and avoid the scrutiny typical of more prominent MaaS platforms like Lumma.
The operational landscape of TAG-150 extends beyond CastleLoader and CastleRAT. Recent intelligence has spotlighted TinyLoader, another insidious malware loader propagating Redline Stealer and DCRat. TinyLoader emphasizes persistence by manipulating Windows Registry settings and maintains an aggressive posture by monitoring clipboard activity to intercept and modify cryptocurrency wallet addresses. Its C2 infrastructure spans Latvia, the U.K., and the Netherlands, underscoring the international scope of this threat cluster.
Complementing these efforts are emerging malware strains such as TinkyWinkey, a clandestine Windows keylogger designed for persistent service execution and low-level keyboard hooks, and Inf0s3c Stealer, a Python-based information harvester adept at compiling exhaustive system profiles and capturing screenshots. Remarkably, Inf0s3c Stealer bears the fingerprints of previously known malware such as Blank Grabber and Umbral-Stealer, hinting at shared authorship.
TAG-150’s ambition appears clear: to develop a comprehensive toolkit capable of seamless integration within the cybercriminal ecosystem. Their approach illustrates a strategic pivot from merely reselling third-party RATs to crafting proprietary malware solutions. This enables not only rapid adaptation to defensive countermeasures but also offers a premium product tailored to sophisticated cybercriminal clientele.
As the digital battleground intensifies, TAG-150’s evolving tactics signal an unsettling trend—a shift toward clandestine, self-reliant operations aimed at maximizing stealth, control, and profitability. The cybersecurity community remains vigilant, aware that the emergence of CastleRAT and its kin is likely just the beginning of a more intricate and pervasive campaign.