← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
IOC - From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
WHITE celestre 2025-09-08 Modified: 2025-10-08
133
IOCs
HIGH VOLUME
Insikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure composed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote access trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely leveraged by TAG-150, including file-sharing platforms, anti-detection services, and others.
sha256as62904corporationwarmcookie c2ip addresscastleloader c2samplesvariant samplesseenas214351futurepython
Indicators of Compromise (32 / 133 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 0580a364ab986b051398a78d089300cf73481e70 SHA1 of 8b7c1657f4d5cf0cc82d68c1f1a385adf0de27d46fc544bba249698e6b427856 2025-09-08
FileHash-SHA1 1666a6f3ea8ed185793c1f0188e25c4761c120d1 SHA1 of ce6a7af556090b3ff762e27058be2327e6c5188d6ed54703d794089f577fd20c 2025-09-08
FileHash-SHA1 1eabc2abf54e6905480d7abd9c5b7314259293fb SHA1 of 13a5c1a535c161fd2724423dad1dfa6885c705713569d4ed4f2ebf900df25ed7 2025-09-08
FileHash-SHA1 2bcab99b0bfe924ef46ac7c8a697b0b601f10179 SHA1 of 6d62210addb8268d0bd3e6ef0400d54c84e550ccad49f5867fdc51edc0c1db2c 2025-09-08
FileHash-SHA1 2d7a22eca132448be2174c0d2317ef5f6b650a56 SHA1 of 2fcb76dfdfcd390658bbc032faafef607804d5d4a2f1c0005f274ab2e06d8af4 2025-09-08
FileHash-SHA1 3f94d8fbe3478cafe5b14db43810ce1f508528ee SHA1 of 3dd877835c04fde3f2d14ce96f23a1c00002fefa9d731e8c4ce3b656aac90063 2025-09-08
FileHash-SHA1 46101ef44977c8bd3426d410a5f2cf0b25ccf6be SHA1 of c2054617b8dcb619749c0402dc31eeb473386b3829f17176bc27b1447a8b6d92 2025-09-08
FileHash-SHA1 47edb5743df7747fccdcd64421dd64a92f24d1fc SHA1 of 53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df 2025-09-08
FileHash-SHA1 4a4313fa4763b458a21842b5a48f1f45557b1b75 SHA1 of a97ff41736299857a3cae7c1917456eef5e0fcc703d0a1e475d0b9cfe42452c7 2025-09-08
FileHash-SHA1 58226d9853a15ca7f20d81f390fa410eb06dadcb SHA1 of d51f81ee026df39447143b67eaf16326c30e0c9477c0d50507f1fbfffe53abd6 2025-09-08
FileHash-SHA1 6172114e7ebee040b24475ac4a2e136baca2cb17 SHA1 of 282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207 2025-09-08
FileHash-SHA1 634c051e17eec0345f0db57f364741603bd1929f SHA1 of 60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0 2025-09-08
FileHash-SHA1 6cc3c8c15e72d173c00421573378855baec3ceae SHA1 of 05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8 2025-09-08
FileHash-SHA1 861fa0a2edec4b773852029abea4b03ba17f181d SHA1 of 94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a 2025-09-08
FileHash-SHA1 8a07a33bce7f381e17b8bad17454d5409128fdf3 SHA1 of 5a741df3e4a61b8632f62109a65afc0f297f4ed03cd7e208ffd2ea5e2badf318 2025-09-08
FileHash-SHA1 8e8a76205809bdbf17b0760a001a5aa1a2ac9e74 SHA1 of f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be 2025-09-08
FileHash-SHA1 8f50be4682f83f201551b668d8aa18410fdb9ade SHA1 of 1bb10490d6f13e80d874896428908f6b5758b9722b959841c369c6ddc435230e 2025-09-08
FileHash-SHA1 8fdefd82a3a13e2683481653847a49e1302b64a5 SHA1 of 88d16948e8cf885d475bc44afa477d2f5b38721e32248425a9e5429c48a4af26 2025-09-08
FileHash-SHA1 92937b3cf426964d2deaffc34100c6c5afef06d9 SHA1 of 85b4d29f2830a3be3a0f51fbe358bea1a35d2a8aaa6a24f5cc1f2e5d2769716e 2025-09-08
FileHash-SHA1 987b7b137633df23202b259bd702ba8fea00d297 SHA1 of 7a682be245a2e51f473ee1c60d537e57423ab2c3d9ae990445cdb6e43aeb5c76 2025-09-08
FileHash-SHA1 9dc6671610808cbc542c35a9807818bb784c06b3 SHA1 of 39b40746de01af66c0e5ce5888df4c42e474adcdb4301275b1474423d7a0ff1f 2025-09-08
FileHash-SHA1 a5e1e484c828ee41c409fbcb893d6e4bc66d9821 SHA1 of e62684a48067d8bf5f219f007bb5908301ca3303b9c57a2f0c3212cf0eb8d7b7 2025-09-08
FileHash-SHA1 ae1a8e192b8416b72da711dbd8b32eaf80d788e3 SHA1 of 1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75 2025-09-08
FileHash-SHA1 bbeabb67ac469f9faaeddea575135cdfe81b9a76 SHA1 of 007f031d4ba5f964136fe73615f524eccdeced5cd7573c281bc1455d5cab2ff6 2025-09-08
FileHash-SHA1 c690cf054b0e29ac37bd2ad703e25caa734730fe SHA1 of 53dddae886017fbfbb43ef236996b9a4d9fb670833dfa0c3eac982815dc8d2a5 2025-09-08
FileHash-SHA1 c8c27eb034e01bc4b3d85571556dd178bc30ffa6 SHA1 of f2e36ccfeb225009ae229a2be905deff587c471b8d47690dc7f5111e1bc611af 2025-09-08
FileHash-SHA1 cd5d3c98a7e188da1418ed715a0c6cb30885e545 SHA1 of f0e1963efa5bfa96ae1a1e370fa2c70a044a03279f2fdbf07391c7e08e295e93 2025-09-08
FileHash-SHA1 d1e3a580d2411d1fe1e68d72277d5d5050c79c71 SHA1 of 0fd7eb57f5f9d817dd497c1ce3be0791f5e798077f8dc2c3a4e2b2b0b0bdc2c6 2025-09-08
FileHash-SHA1 d7a7c9831ad2f50960b7c42056d4ef2ed28e6d47 SHA1 of a2feb262a667de704e5e08a8a705c69bbcc806e0d52f0f8e3f081a6aa6c8d7b4 2025-09-08
FileHash-SHA1 f149d16af6a3e224cdad52a6d57f2b90522ca395 SHA1 of b0b24ff78ab1c4322764bcb332254069504b168cb8aaca469bdf1d37f313d4d3 2025-09-08
FileHash-SHA1 f278f8326aa5d63161d6648b41e1b3b8ba077061 SHA1 of e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928 2025-09-08
FileHash-SHA1 fdda195f3570dcd412db8dc74fb2f804259b331a SHA1 of 58d54e2454be3e4e9a8ea86a3f299a7a60529bc12d28394c5bdf8f858400ff7b 2025-09-08
References (1)
↗ https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/