CastleRAT
CastleRAT is a remote access trojan/backdoor first observed in early 2025 and associated primarily with the GrayBravo malware-as-a-service ecosystem, formerly tracked as TAG-150. It has been reported in both Python and compiled C variants; the C build is described as more capable and may include additional features. CastleRAT has been delivered via CastleLoader and through ClickFix-style social engineering, including fake CAPTCHA, verification, login, and software-fix prompts that trick users into pasting malicious commands. Reported infection chains include PowerShell-delivered MSI droppers that install runtimes such as Python or Deno and ultimately load CastleRAT, sometimes in memory. GrayBravo activity has also used Steam Community pages as covert dead-drop/C2 resolvers for CastleRAT infrastructure.
Documented capabilities include system reconnaissance and collection of host identifiers, command execution, remote shell access, file download and execution, further payload deployment, and system data exfiltration. Reported surveillance and theft functions include clipboard monitoring, keylogging, screenshot capture, and theft of browser credentials in the C variant. CastleRAT communications have been described as using RC4-encrypted/custom binary C2 protocols with hard-coded keys, and some reporting notes the use of legitimate web platforms as dead-drop locations for secondary configuration and tasking. Persistence has been observed via scheduled tasks configured to relaunch the malware at startup.
CastleRAT has been linked to financially motivated GrayBravo/TAG-150 operations and broader CastleLoader campaigns distributing malware such as StealC, RedLine, Rhadamanthys, MonsterV2, SectopRAT, NetSupport RAT, WarmCookie, and Lumma-related payloads. Multiple reports also describe overlap with Iranian activity: JUMPSEC reported that MuddyWater operated at least two CastleRAT builds against Israeli targets, and a misconfigured C2 server exposed both MuddyWater tooling and TAG-150 CastleRAT samples. This overlap has been assessed as potentially complicating attribution, since a CastleRAT detection may represent either Russian-speaking criminal MaaS activity or Iranian intelligence collection. Reported targeting includes Israeli entities, and GrayBravo campaigns have targeted sectors such as logistics; other reporting ties CastleLoader/CastleRAT activity to U.S. government agencies, critical infrastructure, IT firms, and logistics companies.
High-confidence indicators and artifacts directly mentioned in the content include use of Steam Community pages as covert C2 resolvers; scheduled-task persistence; querying ip-api[.]com for victim geolocation/network details; and the following CastleRAT-related SHA-256 values published by CYFIRMA: 963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d, f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be, 4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395, and 282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207.
Groups observed using it
3 distinct threat actors attributed by public researchers.
A team of data thieves has doubled down by developing its CastleRAT malware in both Python and C variants. Both versions spread by tricking users into pasting malicious commands through a technique called ClickFix, which uses fake fixes and login prompts.
Installer_v1.21.66.msi was built on February 13, 2026, and contains the 'Amy Cherne' code-signing certificate referenced in research tied to MuddyWater, and Russian cybercrime actors using CastleRAT.
...Velvet Tempest ... used a ClickFix lure ... to drop payloads like DonutLoader and CastleRAT.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package"; "Self-Replicating Worm Hits 180+ npm Packages"; "SilentSync RAT Delivered via Two Malicious PyPI Packages"; "Malicious Rust Crates Steal Solana and Ethereum Keys"; "VS Code ... republish deleted extensions"
The ClickFix technique, first spotted last year, uses fake login screens from popular applications and web services, telling the user they have a problem and need to fix it.
Execution
6 techniques
...a pair of CastleRAT trojan variants enabling system data exfiltration, command execution, and further payload deployment...
They instruct the operator to open the Windows Run dialog box or PowerShell terminal and cut and paste malware code into the system to "fix" the problem.
Using a fake CAPTCHA verification lure on a phony website promoting a $TEMU airdrop scam to trigger the execution of a PowerShell command that runs arbitrary Python code retrieved from a server.
Both versions spread by tricking users into pasting malicious commands through a technique called ClickFix, which uses fake fixes and login prompts.
The PowerShell command executed after pasting and running the supposed installation command for Claude Code fetches a legitimate Chrome extension package within a malicious HTML Application (HTA) file, which then launches an obfuscated .NET loader for Alien in memory.
CastleRAT TTPs list includes “Execution T1559 Inter-Process Communication,” and describes a “hidden command interface… through redirected inter-process communication pipes.”
Privilege Escalation
1 technique
CastleRAT TTPs list includes “Privilege Escalation T1548.002… Bypass User Account Control.” MuddyWater also lists T1548.002.
Stealth
3 techniques
Both will establish a presence and download additional malware via a remote shell, and the Python build can self-delete if necessary.
CastleRAT TTPs list includes “Defense Evasion T1218.011… Rundll32.” MuddyWater also lists “T1218.011… Rundll32.”
The latest iteration supports dynamic AppleScript payloads and in-memory execution to evade static analysis, bypass behavioral detections, and complicate incident response.
Credential Access
1 technique
Discovery
2 techniques
Black Shrantac TTPs list includes “Discovery T1082 System Information Discovery.” CastleRAT describes collecting “system metadata” and lists “Discovery T1082.” MuddyWater lists “Discovery T1082.”
...the C-based iteration, which could facilitate ... file uploads and downloads...
Collection
5 techniques
The C build is the most adept, capable of harvesting keystrokes, taking screen captures, and registering persistence.
...the C-based iteration, which could facilitate ... screenshot capturing...
...the C-based iteration, which could facilitate ... cryptocurrency clipping...
CastleRAT TTPs list includes “Collection T1125 Video Capture.”
CastleRAT TTPs list includes “Collection T1185 Browser Session Hijacking,” and describes manipulating browser behavior by terminating sessions and silently spawning Chromium instances.
Command and Control
4 techniques
The criminals use Tox Chat, the encrypted comms service that is becoming the tool favored by some malware operators for command and control.
CastleRAT TTPs list includes “T1102.001 Web Service: Dead Drop Resolver,” and describes “leveraging legitimate web platforms as dead-drop locations for secondary configuration and tasking.”
Both will establish a presence and download additional malware via a remote shell
Exfiltration
1 technique
...a pair of CastleRAT trojan variants enabling system data exfiltration, command execution, and further payload deployment...
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
24 sources tracked across advisories, community write-ups, and news.
A remote access trojan referenced in relation to the reused 'Amy Cherne' code-signing certificate tied to MuddyWater and Russian cybercrime actors.
A remote access trojan offered through a Russian malware-as-a-service ecosystem and deployed in this campaign against Israeli targets.
Named malware referenced in relation to CastleLoader and TAG-150, but no further detail is provided in the content body.
Remote access trojan used by MuddyWater and described as part of the CastleLoader framework.