
"Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group said.
"Infections are most commonly initiated through Cloudflare-themed 'ClickFix' phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications," Recorded Future said.
"The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems."
TAG-150 developed the CastleLoader MaaS framework and the CastleRAT remote access trojan. CastleRAT is available in Python and C variants and can collect system information, download and execute additional payloads, and run commands through CMD and PowerShell. CastleLoader has been used to deliver remote access trojans, information stealers, loaders, and other secondary payloads. Common infection vectors include Cloudflare-themed ClickFix phishing attacks and fraudulent GitHub repositories masquerading as legitimate applications. TAG-150 maintains a multi-tiered infrastructure composed of Tier 1 victim-facing C2 servers, Tier 2 and Tier 3 VPS-based servers, and Tier 4 backup servers.
Read at The Hacker News