Researchers reported in early September 2025 that the malware-as-a-service group TAG 150 has extended its CastleLoader campaign with two new CastleRAT variants. According to the news brief, the trojans collect and exfiltrate system information, execute remote commands and stage additional payloads. The more capable variant, written in C, goes beyond the earlier Python-based build (tracked as PyNightshade) by logging keystrokes, capturing screenshots, uploading and downloading files, and swapping cryptocurrency wallet addresses on the clipboard to divert funds.
TAG 150’s infrastructure also leverages a stealthy .NET loader that uses UAC prompt bombing (repeatedly raising elevation prompts until the user clicks through) to deliver the NightShadeC2 implant and steal browser credentials. Initial access is typically gained through phishing attachments, after which persistence is maintained via registry modifications. Defenders should tighten email attachment and macro filtering, alert on unexpected changes to autostart registry keys, and use endpoint detection to flag keystroke logging, clipboard tampering and other CastleRAT behaviour.
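The brief recommends watching for unauthorized registry changes but does not say how. The following is an added example, not code from SC Media or from the researchers who reported on TAG 150: it runs a small detection over constructed Sysmon Event ID 13 (registry value set) records and flags Run/RunOnce values that point at, or were written from, a user-writable directory. The record format, the paths, the process names and the allow-list of installers are all assumptions for illustration, not indicators from the reporting.

```python
"""
Added example: flag registry-based persistence in Sysmon Event ID 13 records.
Not from the SC Media brief or any TAG-150 indicator list; the log format,
paths and allow-list below are constructed for illustration.
"""
import re
from typing import Dict, List

# Autostart locations routinely abused for persistence (Run / RunOnce keys).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)

# Directories an unprivileged user can write to. An autorun that launches a
# binary from here, or that was written by a process living here, is suspect.
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads)\\|\\ProgramData\\|\\Temp\\)",
    re.IGNORECASE,
)

# Processes that legitimately write Run keys; tune per environment (assumption).
KNOWN_INSTALLERS = {"msiexec.exe", "explorer.exe"}


def parse_record(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value;Key=Value' log line into a dict."""
    record: Dict[str, str] = {}
    for field in line.split(";"):
        key, _, value = field.partition("=")
        record[key.strip()] = value.strip()
    return record


def is_suspicious_autorun(event: Dict[str, str]) -> bool:
    """True when a Run/RunOnce value is set and either the value data or the
    writing process points into a user-writable location. Known installers
    are tolerated only when the value data is outside those locations."""
    if event.get("EventID") != "13":
        return False
    if not AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
        return False
    image = event.get("Image", "")
    details = event.get("Details", "")
    data_in_user_dir = bool(USER_WRITABLE_RE.search(details))
    image_in_user_dir = bool(USER_WRITABLE_RE.search(image))
    image_name = image.rsplit("\\", 1)[-1].lower()
    if image_name in KNOWN_INSTALLERS and not data_in_user_dir:
        return False
    return data_in_user_dir or image_in_user_dir


def scan(lines: List[str]) -> List[str]:
    """Return the TargetObject of every flagged record, in input order."""
    return [
        event["TargetObject"]
        for event in map(parse_record, lines)
        if is_suspicious_autorun(event)
    ]


# Constructed sample log lines (not real telemetry).
SAMPLE_LINES = [
    # Dropper in %TEMP% registers a payload under AppData: flag.
    r"EventID=13;Image=C:\Users\alice\AppData\Local\Temp\update.exe;"
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater;"
    r"Details=C:\Users\alice\AppData\Roaming\svc\svc.exe",
    # Installer writes a Run key for a binary under Program Files: benign.
    r"EventID=13;Image=C:\Windows\System32\msiexec.exe;"
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent;"
    r"Details=C:\Program Files\Vendor\agent.exe",
    # explorer.exe is allow-listed, but the autorun target is in ProgramData: flag.
    r"EventID=13;Image=C:\Windows\explorer.exe;"
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SyncHelper;"
    r"Details=C:\ProgramData\updater\up.exe",
    # Value set outside any autostart key: ignore.
    r"EventID=13;Image=C:\Windows\explorer.exe;"
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden;"
    r"Details=DWORD (0x00000001)",
    # Key creation event, not a value set: ignore.
    r"EventID=12;Image=C:\Users\alice\AppData\Local\Temp\update.exe;"
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("suspicious autorun:", hit)
```

The allow-list is deliberately narrow: a trusted process writing an autorun that launches something from ProgramData or a user profile is still flagged, because loaders commonly achieve exactly that through a legitimate parent. In production this logic would sit in a SIEM rule over real Sysmon or EDR registry telemetry rather than a string-parsing script.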
Sources:
[1] Nascent CastleLoader operations strengthened with new trojan (SC Media)