CastleRAT
RAT, 12 mutex signatures
[BASIC_INFORMATION]
FAMILY_NAME:
CastleRAT
CATEGORY:
RAT
DESCRIPTION:
CastleRAT is a remote access trojan (RAT) developed by TAG-150, available in both Python and C variants. The malware includes functionality for collecting system information, downloading and executing additional payloads, executing commands via CMD and PowerShell, keylogging, screen capturing, and clipboard stealing. CastleRAT uses a custom binary protocol with RC4 encryption and queries ip-api.com for geolocation data. The C variant includes more advanced stealing capabilities and uses Steam Community pages for C2 dead drops. Both variants are under active development and have been observed deployed alongside CastleLoader since August 2025.
ALIASES:
PyNightshade
TAGS:
remote_access_trojan, keylogger, screen_capture, clipboard_stealer, command_execution, payload_delivery, rc4_encryption, steam_c2
[MUTEX_SIGNATURES](12)
[MUTEX_01]
BunBubunKLagfsw
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_02]
GoldVekRogerS
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_03]
Thickwick3
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_04]
BabaiMazai
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_05]
KolokolBozhii
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_06]
OaoaPupaa
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_07]
fsAiodwsfSAFuiefS
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_08]
sPEJIOGDsionsgfdUewg
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_09]
FkgfIJGgJgdiJGDGHDjMGjia
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_10]
sdgiregdsssaFWIFS
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_11]
fsAiodwsfSAFuiefS2
ANALYST: @adhikara13 DATE: 2025-12-30
[MUTEX_12]
XmGetzKAM8Bw8NCBTUYo5e
ANALYST: @adhikara13 DATE: 2025-12-30
[THREAT_INTELLIGENCE]
ATTRIBUTION:
TAG-150
FIRST_OBSERVED:
2025
[SIGMA_RULE]
[STATISTICS]
MUTEX_COUNT:12
THREAT_ACTORS:1
ALIASES:1
TAGS:8
CATEGORY:RAT