The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT.
“Available in both Python and C variants, CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell,” Recorded Future Insikt Group said.
The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.
CastleLoader was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader.
A subsequent analysis from IBM X-Force last month found that the malware has also served as a conduit for MonsterV2 and WARMCOOKIE through SEO poisoning and GitHub repositories impersonating legitimate software.
“Infections are most commonly initiated through Cloudflare-themed ‘ClickFix’ phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications,” Recorded Future said.
“The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems.”
Evidence indicates that TAG-150 has been working on CastleRAT since March 2025, with the threat actor leveraging a multi-tiered infrastructure comprising Tier 1 victim-facing command-and-control (C2) servers, as well as Tier 2 and Tier 3 servers that are mostly virtual private servers (VPSes), and Tier 4 backup servers.
CastleRAT, the newly discovered addition to TAG-150’s arsenal, can download next-stage payloads, enable remote shell capabilities, and even delete itself. It also uses Steam Community profiles as dead drop resolvers to host C2 servers (“programsbookss[.]com”).
Notably, CastleRAT comes in two versions, one written in C and the other, programmed in Python, with the latter also called PyNightshade. It’s worth noting that eSentire is tracking the same malware under the name NightshadeC2.
The C variant of CastleRAT incorporates more functionality, allowing it to log keystrokes, capture screenshots, upload/download files, and function as a cryptocurrency clipper to substitute wallet addresses copied to the clipboard with an attacker-controlled one with the aim of redirecting transactions.
“As with the Python variant, the C variant queries the widely abused IP geolocation service ip-api[.]com to collect information based on the infected host’s public IP address,” Recorded Future said. “However, the scope of data has been expanded to include the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or TOR node.”
That said, recent iterations of the C variant of CastleRAT have removed querying of the city and ZIP code from ip-api[.]com, indicating active development. It remains to be seen if its Python counterpart will attain feature parity.
eSentire, in its own analysis of NightshadeC2, described it as a botnet that’s deployed by means of a .NET loader, which, in turn, ma…