
The threat actor behind the Malware-as-a-Service (MaaS) framework and loader known as CastleLoader has also developed a remote access trojan known as CastleRAT.
“The core features of CastleRAT, available in both Python and C variants, consist of collecting system information, downloading and running additional payloads, and running commands via CMD and PowerShell,” says Recorded Future's Insikt Group.
The cybersecurity company tracks the threat actor behind the malware family as TAG-150. CastleLoader, considered active since at least March 2025, serves as the initial access vector for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.
CastleLoader was first documented in July 2025 by Swiss cybersecurity company PRODAFT.
Subsequent analysis from IBM X-Force last month found that the malware also acts as a conduit for MonsterV2 and WarmCookie through SEO poisoning and GitHub repositories impersonating legitimate software.
“Infections are most commonly initiated through Cloudflare-themed ‘ClickFix’ phishing attacks or malicious GitHub repositories posing as legitimate applications,” Recorded Future said.

“Operators are employing ClickFix techniques by leveraging domains that mimic software development libraries, online meeting platforms, browser update alerts and document verification systems.”
Evidence shows that TAG-150 has been working on CastleRAT since March 2025. The threat actor leverages a multi-tier infrastructure consisting of Tier 1 victim-facing command-and-control (C2) servers, which are primarily virtual private servers (VPS), along with Tier 2 and Tier 3 servers and Tier 4 backup servers.
CastleRAT, the newly discovered addition to TAG-150's arsenal, can download next-stage payloads, enable a remote shell function, and even remove itself. It also uses a Steam Community profile as a dead-drop resolver to host the C2 server address (ProgramsBookss[.]com).
In particular, there are two versions of CastleRAT: one written in C and the other in Python, the latter also known as PyNightShade. It's worth noting that eSentire tracks the same malware under the name NightshadeC2.
CastleRAT's C variant has more features built in, such as recording keystrokes, capturing screenshots, uploading and downloading files, and acting as a cryptocurrency clipper that replaces wallet addresses copied to the clipboard with attacker-controlled ones in order to redirect transactions.

“Like the Python variant, the C variant queries the widely abused IP geolocation service IP-API[.]com,” Recorded Future said, “to gather information based on the public IP address of the infected host.”
That said, a recent iteration of the C variant of CastleRAT has removed the city and ZIP code queries from IP-API[.]com, indicating active development. It remains unknown whether the Python counterpart will achieve functional parity.
In its own analysis of NightshadeC2, eSentire described it as a botnet deployed via a .NET loader. The Canadian cybersecurity company also said it has identified a variant with the ability to extract passwords and cookies from Chromium- and Gecko-based web browsers.
In short, the process involves running a PowerShell command in a loop that attempts to add a Windows Defender exclusion for the final payload (i.e., NightshadeC2).
If the exclusion is successfully added, the loader proceeds to deliver the malware. If any exit code other than 0 is returned, the loop keeps running, repeatedly forcing the user to approve the User Account Control (UAC) prompt.
“A particularly striking aspect of this approach is that systems with the WinDefend (Windows Defender) service disabled generate a non-zero exit code, and malware analysis sandboxes are trapped in the run loop,” eSentire said, adding that it enables bypassing multiple sandbox solutions.
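A defensive illustration of the retry loop described above (an added example, not code from the Recorded Future or eSentire reports): it scans constructed PowerShell script-block log records for repeated Add-MpPreference -ExclusionPath attempts against the same path within a short window, which is the log-side footprint of a loader retrying until the exclusion succeeds. The record layout, host names and paths are assumptions.

```python
# Constructed detection for the Defender-exclusion retry loop; the log format
# (timestamp host eventid script-text) is an assumption, not a real feed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; not real telemetry.
SAMPLE_LOGS = [
    "2025-09-10T12:00:01 WS-01 4104 Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\svc.exe'",
    "2025-09-10T12:00:03 WS-01 4104 Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\svc.exe'",
    "2025-09-10T12:00:05 WS-01 4104 Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\svc.exe'",
    "2025-09-10T12:00:06 WS-01 4104 Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\svc.exe'",
    "2025-09-10T12:05:00 WS-02 4104 Get-MpPreference",
    "2025-09-10T13:00:00 WS-03 4104 Add-MpPreference -ExclusionPath 'D:\\Build'",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?([^'\"]+)", re.IGNORECASE)

def parse(line):
    """Split one record into (datetime, host, event id, script text)."""
    ts, host, eid, text = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), host, int(eid), text

def find_exclusion_loops(lines, min_attempts=3, window=timedelta(seconds=60)):
    """Return {(host, path): attempts} where one path is targeted by
    min_attempts or more exclusion attempts inside `window`.
    A single attempt (a legitimate admin change) is not reported."""
    attempts = defaultdict(list)
    for line in lines:
        ts, host, eid, text = parse(line)
        if eid != 4104:          # only script-block logging records
            continue
        m = EXCL_RE.search(text)
        if m:
            attempts[(host, m.group(1))].append(ts)
    hits = {}
    for key, times in attempts.items():
        times.sort()
        for i in range(len(times)):   # sliding window over sorted timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_attempts:
                hits[key] = max(hits.get(key, 0), j - i + 1)
    return hits

if __name__ == "__main__":
    for (host, path), n in find_exclusion_loops(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {n} Add-MpPreference attempts for {path} within 60s")
```

Pairing this with Defender event 5007 (configuration changed) confirms whether any attempt in the burst actually succeeded.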
The development comes as Hunt.io detailed another malware loader codenamed TinyLoader, which has been used to deliver RedLine Stealer and DCRat.

In addition to modifying Windows registry settings to establish persistence, the malware monitors the clipboard and instantly replaces copied cryptocurrency wallet addresses. Its C2 panels are hosted in Latvia, the U.K., and the Netherlands.
“TinyLoader installs both RedLine Stealer and cryptocurrency stealers to harvest credentials and hijack transactions,” the company said. “It spreads through USB drives, network shares and fake shortcuts, and lets users open it.”
The findings coincide with the discovery of two new malware families, a Windows-based keylogger called TinkyWinkey and a Python information stealer called INF0S3C Stealer, which can capture keyboard input and collect extensive system information.
Further analysis of INF0S3C Stealer has identified similarities with Blank Grabber and Umbral Stealer, two other publicly available malware families, suggesting that the same author is responsible for all three strains.
“TinkyWinkey represents a highly capable and stealthy Windows-based keylogger that combines persistent service execution, low-level keyboard hooks and comprehensive system profiling to collect sensitive information,” Cyfirma said.
“The INF0S3C Stealer systematically collects system details such as host identifiers, CPU information, and network configuration, and captures screenshots. It enumerates running processes and generates a hierarchical view of user directories such as Desktop, Documents, Pictures, Downloads, and more.”