The Two-Faced CastleRAT Trojan: One Version in Python, Another in C for Maximum Damage

One click on a fake GitHub project—and a hacker gains full control over a PC.

The TAG-150 group, which researchers associate with the development of the malicious tool CastleLoader, has expanded its arsenal with a new remote access trojan (RAT) called CastleRAT. This was reported by the Recorded Future Insikt Group team, noting that the malware comes in two variants—one written in Python and another in C.
CastleRAT is capable of gathering system information, downloading and executing additional modules, and running commands via CMD and PowerShell. The Python version is also known as PyNightshade, while the C variant has a broader set of functions. It logs keystrokes, takes screenshots, uploads and downloads files, and also acts as a crypto-clipper, replacing cryptocurrency addresses copied to the clipboard with ones controlled by the attackers. To gather information about the victim, both versions use the service ip-api[.]com to query data about the public IP address. While the Python variant is limited to basic parameters, the C version previously also collected the city and postal code, and determined whether a VPN, proxy, or TOR node was being used. In newer builds, some of these features have been removed, indicating ongoing active development.
According to Recorded Future, TAG-150 has been operating since at least March 2025. CastleLoader, first described by PRODAFT in July of the same year, was used to deliver numerous secondary payloads: DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. Later, IBM X-Force noted that MonsterV2 and WARMCOOKIE were also distributed via CastleLoader—their delivery occurred through SEO poisoning of search results and fake GitHub repositories impersonating legitimate software.
Initial infection is most often carried out through phishing attacks disguised as Cloudflare, using the ClickFix technique, or via fake projects on GitHub. ClickFix variants exploit domains masquerading as developer libraries, video conferencing platforms, "browser update" notifications, and document verification services.
TAG-150's infrastructure is built in multiple tiers: Tier 1 includes C2 servers communicating with victims; Tiers 2 and 3 are primarily represented by virtual private servers (VPS); and Tier 4 is reserved for backups. CastleRAT also uses covert communication mechanisms: instances have been recorded of using Steam Community profiles as "dead drop" solutions to indicate command-and-control (C2) server addresses, one of which had the domain programsbookss[.]com.
The Canadian company eSentire, which analyzed the same tool under the name NightshadeC2, described it as a botnet distributed via a .NET loader. This loader employs techniques to bypass Windows defense mechanisms, including UAC Prompt Bombing. When PowerShell is launched, a loop attempts to add an exception for the final module in Windows Defender. If the process returns code 0, it signifies a successful exception addition, and the loader then delivers the payload. Otherwise, the loop repeats, forcing the user to confirm UAC prompts over and over again. This method simultaneously hinders the operation of research sandboxes: if the Windows Defender service is disabled, the return code is non-zero, and the system gets stuck in an infinite loop. This allows it to evade security solutions and analyzers.
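The UAC prompt-bombing loop described above leaves a recognizable trace: the same Windows Defender exclusion request is issued repeatedly by one PowerShell process in a short window, whether or not the user ever approves it. As an added defender-side example (not code from eSentire, Recorded Future or the malware itself), the following Python flags that pattern over constructed, flattened script-block log lines; the line format, the paths and the timestamps are assumptions, and a real deployment would parse Event ID 4104 records from EVTX or a SIEM instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): timestamp, PowerShell pid and the
# script block text, as a collector might flatten Event ID 4104. Three identical
# Add-MpPreference attempts from pid 4120 mimic the retry loop; pid 7788 is a
# one-off administrator exclusion that should not be flagged.
SAMPLE_LOG = """\
2025-09-10T12:00:01Z pid=4120 Get-ChildItem C:\\Users\\victim\\Documents
2025-09-10T12:00:05Z pid=4120 Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming\\svc\\final.exe'
2025-09-10T12:00:09Z pid=4120 Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming\\svc\\final.exe'
2025-09-10T12:00:13Z pid=4120 Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming\\svc\\final.exe'
2025-09-10T12:30:00Z pid=7788 Add-MpPreference -ExclusionPath 'D:\\Builds'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<cmd>.*)$")
# Any of the Defender exclusion parameters; the target is read up to a quote or space.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+'?(?P<target>[^'\s]+)",
    re.IGNORECASE,
)


def find_prompt_bombing(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (pid, target, total_attempts) for every process that requests the same
    Defender exclusion at least `threshold` times within any `window`-long span."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = EXCLUSION_RE.search(m["cmd"])
        if not e:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        attempts[(m["pid"], e["target"].lower())].append(ts)

    hits = []
    for (pid, target), times in attempts.items():
        times.sort()
        # Sliding window: from each attempt, count how many follow within `window`.
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                hits.append((pid, target, len(times)))
                break
    return hits
```

Because the loop also spins when the Defender service is disabled (the non-zero return code case in the article), the repetition itself is the signal and does not depend on whether the exclusion was ever granted.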
Additionally, eSentire noted that some variants of NightshadeC2 contain tools for extracting passwords and cookies from Chromium and Gecko-based browsers. This makes the malware even more dangerous for data theft.
Amid the discovery of CastleRAT, reports have emerged about other new loaders and trojans. Hunt.io described TinyLoader—a tool used to install Redline Stealer and DCRat. TinyLoader persists in the system through Windows registry modifications, monitors the clipboard, and instantly replaces cryptocurrency addresses. Its control panels are hosted on servers in Latvia, the UK, and the Netherlands. It is distributed via infected USB drives, network shares, and fake shortcuts.
Simultaneously, two other malware strains were detected. The first is the TinkyWinkey keylogger for Windows, which combines persistence via system services, low-level keyboard hooking, and the collection of detailed system information. The second is the Python-based Inf0s3c Stealer, which gathers information about the host, CPU, network configuration, takes screenshots, checks active processes, and builds a hierarchy of user directories, including Desktop, Documents, Pictures, and Downloads. Analysis of Inf0s3c Stealer revealed similarities with public projects like Blank Grabber and Umbral-Stealer, suggesting a possible common author.
Collectively, these findings demonstrate the rapid growth of the Malware-as-a-Service (MaaS) ecosystem. CastleLoader and CastleRAT form the foundation for a whole series of attacks, paving the way for the distribution of stealers, RATs, and other loaders. At the same time, new projects like TinyLoader, TinkyWinkey, and Inf0s3c Stealer are emerging, highlighting the active development of the shadow market for malicious tools.