
TAG-150 Hackers Escalate Attacks with Proprietary Malware Families


By Mayura Kathir

TAG-150 is a sophisticated threat actor that has been active since at least March 2025. Characterized by rapid malware development, technical sophistication, and a sprawling multi-tiered infrastructure, TAG-150 has deployed several self-developed malware families (CastleLoader, CastleBot, and most recently CastleRAT), targeting organizations through phishing campaigns and fraudulent repositories.

TAG-150 first surfaced with CastleLoader, a loader that delivers a diverse set of follow-on payloads, including information stealers and remote access trojans. CastleBot, another loader variant, soon followed.

In early August 2025, Insikt Group documented CastleRAT—a remote access trojan available in both Python and C variants, capable of system reconnaissance, payload download and execution, and remote shell commands.

The C variant further incorporates advanced functions such as keylogging, screen capture, file upload/download, and process termination, reflecting ongoing feature expansions.

Recorded Future’s Insikt Group has found that TAG-150’s infrastructure operates on a four-tier model. Tier 1 consists of victim-facing command-and-control (C2 ...


Copyright of this story solely belongs to gbhackers.