A newly identified cyber threat group known as TAG-150 has quickly established itself as a major security concern. Since March 2025, the group has demonstrated the ability to develop and launch multiple custom-built malware families, showcasing both technical skill and rapid evolution.
Their arsenal includes CastleLoader, CastleBot, and the latest addition CastleRAT, a sophisticated Remote Access Trojan (RAT) that highlights their growing operational maturity.
Infection Tactics
TAG-150 primarily relies on Cloudflare-themed “ClickFix” phishing lures and malicious GitHub repositories disguised as legitimate applications. Victims are tricked into executing malicious PowerShell commands themselves, which creates the illusion of a user-initiated compromise. This approach effectively bypasses many traditional security defenses.
Despite having limited campaigns, the group achieved a 28.7% infection success rate among users who engaged with malicious links, a figure that highlights the effectiveness of their social engineering techniques.
Multi-Tier Infrastructure
Security researchers from Recorded Future uncovered a multi-layered infrastructure designed to support TAG-150’s activities. This network features four distinct tiers, including:
- Tier 1 servers – victim-facing systems hosting malware families
- Tier 2 servers – accessible via RDP for managing infected systems
- Tier 3 and Tier 4 infrastructure – dedicated to operational management and backup redundancy
This structure reflects a strong awareness of operational security, built-in redundancy, and resilient command-and-control.

The malware delivery system also functions as a launchpad for secondary payloads such as SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and numerous information stealers including Stealc, RedLine Stealer, and Rhadamanthys Stealer. This variety suggests TAG-150 is either running a Malware-as-a-Service (MaaS) operation or collaborating with other cybercriminal groups.
Advanced Malware Capabilities
The most notable tool in TAG-150’s toolkit is CastleRAT, available in Python and C variants, each offering distinct technical features.
- Custom Binary Protocol – uses RC4 encryption with hard-coded 16-byte keys to encrypt its command-and-control traffic.
- Geolocation Intelligence – both variants call the ip-api.com API to collect location data based on public IP addresses.
- Enhanced C Variant – includes keylogging, screen capture, clipboard monitoring, and process injection for stealth.
- Innovative C2 Channels – leverages Steam Community pages as C2 dead drops, a creative method to evade detection.
- Persistence & Evasion – maintains persistence via registry changes and disguises itself as a browser process.
- Python Variant – capable of self-deletion via PowerShell commands.
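Three of the behaviours listed above (public-IP geolocation via ip-api.com, Steam Community dead drops, and a process posing as a browser) can be combined into a simple hunting rule. The Python below is an added example, not code from the report or from Recorded Future: it flags hosts where a process running outside a known browser install directory contacts both ip-api.com and steamcommunity.com within a short window. The record field names, browser paths and sample telemetry are assumptions; only the two domains come from the report.

```python
from collections import defaultdict

# Domains named in the report; everything else in this block is assumed.
GEO_DOMAIN = "ip-api.com"
DEADDROP_DOMAIN = "steamcommunity.com"

# Directories where the real browsers are installed (assumed; tune per estate).
BROWSER_DIRS = (
    r"c:\program files\google\chrome",
    r"c:\program files\mozilla firefox",
    r"c:\program files (x86)\microsoft\edge",
)

def is_browser_path(image: str) -> bool:
    """True when the process image lives under a known browser install directory."""
    return image.lower().startswith(BROWSER_DIRS)

def flag_hosts(events, window_s=600):
    """Return {host: [image, ...]} for processes outside a browser directory
    that contact both ip-api.com and steamcommunity.com within window_s seconds."""
    first_seen = defaultdict(dict)          # (host, image) -> {domain: first ts}
    for ev in events:
        dest = ev["dest"].lower()
        for dom in (GEO_DOMAIN, DEADDROP_DOMAIN):
            if dest == dom or dest.endswith("." + dom):
                first_seen[(ev["host"], ev["image"])].setdefault(dom, ev["ts"])
    hits = defaultdict(list)
    for (host, image), seen in first_seen.items():
        if len(seen) == 2 and not is_browser_path(image):
            if abs(seen[GEO_DOMAIN] - seen[DEADDROP_DOMAIN]) <= window_s:
                hits[host].append(image)
    return dict(hits)

# Constructed EDR network-connection records (ts in seconds); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest": "steamcommunity.com"},
    {"ts": 130, "host": "ws02", "image": r"C:\Users\bob\AppData\Roaming\chrome.exe", "dest": "ip-api.com"},
    {"ts": 142, "host": "ws02", "image": r"C:\Users\bob\AppData\Roaming\chrome.exe", "dest": "steamcommunity.com"},
    {"ts": 200, "host": "ws03", "image": r"C:\Windows\System32\curl.exe", "dest": "ip-api.com"},
]

if __name__ == "__main__":
    # Only ws02 is flagged: a chrome.exe outside the browser directory hit both domains 12 s apart.
    print(flag_hosts(SAMPLE_EVENTS))
```

Legitimate browsers visiting Steam will not trip the rule because their image path is whitelisted, while a copy of "chrome.exe" dropped into a user profile will.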
To enhance stealth, TAG-150 also uses anti-detection services such as Kleenscan, ensuring prolonged activity while avoiding exposure.
Conclusion
TAG-150’s rapid development, custom malware ecosystem, and innovative evasion techniques make it a high-priority threat. With capabilities that include multi-tiered infrastructure, social engineering-driven infections, and persistent malware, the group is poised to remain a significant cybersecurity challenge.