PULSE NAME
IOC - From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
WHITE celestre 2025-09-08 Modified: 2025-10-08
133 IOCs
HIGH VOLUME
Insikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure composed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote access trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely leveraged by TAG-150, including file-sharing platforms, anti-detection services, and others.
Indicators of Compromise (50 / 133 total)