Secretive MaaS Group ‘TAG-150’ Develops Novel ‘CastleRAT’
Summary
Researchers have uncovered a relatively new but effective malware-as-a-service (MaaS) operation labelled TAG-150 that centres on a loader (CastleLoader) and an expanding ecosystem often called CastleBot. The operation has been linked to more than 1,600 distribution events with roughly 470 confirmed infections and disproportionately affects US-based and critical targets.
TAG-150 has developed its own remote access Trojan family, CastleRAT, with two main variants: a feature-rich C version (noisy but capable) and a stealthier Python variant (PyNightshade). Distribution techniques include booby-trapped GitHub repositories, malicious websites, ClickFix-style social engineering, and creative C2 dead drops (notably via Steam communities).
Key Points
- TAG-150 operates a multifaceted MaaS offering built around CastleLoader/CastleBot and now CastleRAT.
- Researchers observed ~1,600 campaigns and ~470 successful infections (approx. 28.7% success rate).
- Victims skew toward US IP space and include a high number of critical organisations and government agencies.
- CastleRAT exists in two major strains: a C-based variant with many offensive features (clipper, keylogger, screen capture, geolocation) and a Python variant engineered for stealth.
- The C variant is relatively detectable by generic AV; the Python (PyNightshade) variant evades most engines and includes self-delete and other stealth tactics.
- Attackers use varied delivery methods: malicious GitHub repos, fake-software sites, ClickFix phishing, and Steam-based C2 dead drops.
- TAG-150 appears to operate within closed criminal circles rather than advertising on public dark-web forums, suggesting a selective, possibly higher-skilled customer base.
- Evidence links CastleLoader/CastleRAT deployments to ransomware activity in at least one known Play Ransomware incident.
Content summary
Initial samples surfaced in March, and researchers gradually mapped CastleLoader’s rapid spread. CastleLoader serves as the distribution mechanism for third-party infostealers and the group’s own RATs. The C-based CastleRAT offers broad surveillance and control capabilities but is noisy; researchers found earlier builds even captured fine-grained geolocation and attempted to detect VPNs. The Python variant strips many overt features in favour of stealth, performs C2 dead drops on Steam and can coerce a user to whitelist it in Windows Defender via a looping prompt.
Recorded Future’s Insikt Group and other vendors have highlighted TAG-150’s likelihood of continuing to develop bespoke tooling and expanding distribution, raising the risk that more victims will be reached or that the group will broaden its MaaS customer base.
Context and relevance
Why this matters: TAG-150 illustrates a modern MaaS trend — compact, adaptable toolchains that combine commodity malware with custom RATs and selective distribution among vetted customers. The selective, low-profile marketing model reduces law enforcement visibility while enabling targeted, high-impact campaigns against government and critical infrastructure targets.
Operational relevance for defenders: monitor for unusual GitHub repositories, supply-chain/phishing lures using fake software pages, repeated Defender prompts that end in an unexpected exclusion being added, and out-of-band C2 indicators such as Steam community domain lookups from processes that have no business talking to Steam. EDR/telemetry tuned to persistence changes, DLL/executable downloads, and rapid process-injection behaviours will help detect the noisier C variant; heuristics and anomaly detection better cover stealthy Python builds.
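The two host-side indicators above (a Defender prompt loop that ends in an exclusion, and a Steam community domain resolved by a process that is not Steam or a browser) can be hunted with a small correlation rule. The following Python is an added example, not code from the Dark Reading article, Recorded Future, or TAG-150's tooling. It runs over constructed, pre-normalised endpoint events: Defender Event ID 1116 (threat detected) and 5007 (configuration changed, which is where exclusion additions land), plus Sysmon Event ID 22 (DNS query). The field names, the sample events, the file paths and the list of "expected" Steam processes are assumptions for this demonstration; tune the process allow-list and time windows to your own estate.

```python
"""Hunt for a Defender prompt loop that ends in an exclusion, and for odd Steam lookups.

Added example, not from the article or any vendor. Event shapes below are a
constructed normalisation of Windows Defender and Sysmon events, not raw logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry key under which Defender records exclusion changes in Event ID 5007 text.
EXCLUSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
# Process images that legitimately talk to Steam community domains (assumed allow-list).
EXPECTED_STEAM_IMAGES = {"steam.exe", "steamwebhelper.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
DEAD_DROP_DOMAINS = ("steamcommunity.com",)

# Constructed sample telemetry: three detections of the same file in under two
# minutes, then an exclusion for that file, then a DNS lookup by that file.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T10:00:05", "source": "defender", "event_id": 1116,
     "path": r"C:\Users\u\AppData\Local\Temp\updater.exe"},
    {"ts": "2025-09-01T10:00:40", "source": "defender", "event_id": 1116,
     "path": r"C:\Users\u\AppData\Local\Temp\updater.exe"},
    {"ts": "2025-09-01T10:01:15", "source": "defender", "event_id": 1116,
     "path": r"C:\Users\u\AppData\Local\Temp\updater.exe"},
    {"ts": "2025-09-01T10:02:00", "source": "defender", "event_id": 5007,
     "new_value": EXCLUSION_KEY + r"\Paths\C:\Users\u\AppData\Local\Temp\updater.exe = 0x0"},
    {"ts": "2025-09-01T10:03:30", "source": "sysmon", "event_id": 22,
     "image": r"C:\Users\u\AppData\Local\Temp\updater.exe", "query_name": "steamcommunity.com"},
    {"ts": "2025-09-01T10:04:00", "source": "sysmon", "event_id": 22,
     "image": r"C:\Program Files (x86)\Steam\steam.exe", "query_name": "steamcommunity.com"},
    {"ts": "2025-09-01T11:00:00", "source": "defender", "event_id": 1116,
     "path": r"C:\Users\u\Downloads\eicar.com"},  # single detection, benign noise
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def exclusion_additions(events):
    """Return (time, excluded_path) for every 5007 event that adds a path exclusion."""
    out = []
    prefix = EXCLUSION_KEY + "\\Paths\\"
    for ev in events:
        if ev["source"] == "defender" and ev["event_id"] == 5007:
            parts = ev.get("new_value", "").split(prefix, 1)
            if len(parts) == 2:
                # Constructed message shape: "<key>\Paths\<path> = 0x0"
                out.append((parse_ts(ev["ts"]), parts[1].rsplit(" = ", 1)[0]))
    return out


def repeated_detections(events, window=timedelta(minutes=5), min_count=3):
    """Map path -> time its detection burst completed, for paths hit min_count times within window."""
    by_path = defaultdict(list)
    for ev in events:
        if ev["source"] == "defender" and ev["event_id"] == 1116:
            by_path[ev["path"]].append(parse_ts(ev["ts"]))
    bursts = {}
    for path, times in by_path.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                bursts[path] = times[i + min_count - 1]
                break
    return bursts


def odd_steam_lookups(events):
    """Return (image, domain) for Steam community lookups by non-allow-listed processes."""
    out = []
    for ev in events:
        if ev["source"] == "sysmon" and ev["event_id"] == 22:
            basename = ev["image"].rsplit("\\", 1)[-1].lower()
            if ev["query_name"].lower().endswith(DEAD_DROP_DOMAINS) and basename not in EXPECTED_STEAM_IMAGES:
                out.append((ev["image"], ev["query_name"]))
    return out


def hunt(events, correlate_window=timedelta(minutes=10)):
    """Combine the rules: exclusion right after a detection burst is high severity."""
    findings = []
    bursts = repeated_detections(events)
    for ts, path in exclusion_additions(events):
        burst_end = bursts.get(path)
        if burst_end is not None and timedelta(0) <= ts - burst_end <= correlate_window:
            findings.append(("high", f"exclusion added for {path} right after repeated detections"))
        else:
            findings.append(("medium", f"Defender exclusion added: {path}"))
    for image, domain in odd_steam_lookups(events):
        findings.append(("medium", f"{image} resolved {domain}"))
    return findings


if __name__ == "__main__":
    for severity, msg in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {msg}")
```

On the sample data the rule raises one high-severity finding (the exclusion that follows three detections of the same file within two minutes) and one medium finding (the non-Steam process resolving steamcommunity.com); the legitimate steam.exe lookup and the lone eicar detection are ignored. Treat the 5007 message parsing as an assumption to verify against your own log forwarder's rendering before deploying.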
Why should I read this?
Short version: if you look after security for an organisation — particularly one in the public sector or critical infrastructure — this matters. TAG-150 is small, secretive and clever: it mixes mainstream infostealers with its own RATs, uses supply-chain tricks and even gaming platforms for C2. Read the details so you can spot the weird Defender prompts, dodgy GitHub projects, and Steam-domain oddities before they hit your estate.
Author style
Punchy: this is a compact, practical heads-up. The article flags a rapidly evolving MaaS that combines off‑the‑shelf and custom tooling — worth prioritising for detection and hunting playbooks.
Source
Source: https://www.darkreading.com/threat-intelligence/secretive-maas-group-tag-150-novel-castlerat