CastleRAT Exposed: How TAG-150 is Using Keylogging and Clipboard Hijacking to Steal Your Data


Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com


CyberDudeBivash Global Threat Intelligence Report — 2026 Edition

TL;DR

CastleRAT is an advanced modular malware family operated by TAG-150, a stealthy cyber-espionage group targeting enterprises, financial operators, crypto users, journalists, and government agencies across South Asia and Europe.

CastleRAT combines:

  • Full system keylogging
  • Clipboard hijacking for crypto-wallet theft
  • Modular RAT components
  • Silent persistence mechanisms
  • Encrypted C2 channels
  • In-memory execution to evade EDR

The threat actor TAG-150 uses CastleRAT primarily for:

  • data theft
  • credential harvesting
  • browser reconnaissance
  • crypto wallet draining
  • espionage against targeted industries

This CyberDudeBivash report provides:

  • the full TAG-150 profile
  • a deep forensic breakdown of CastleRAT modules
  • analysis of the keylogging engine
  • clipboard hijacking techniques
  • infection vectors
  • how the malware evades modern EDR


Table of Contents — Part 1

  1. Introduction: The Rise of TAG-150 & CastleRAT
  2. Threat Actor Profile: Who Is TAG-150?
  3. CastleRAT Overview: Architecture, Modules & Capabilities
  4. Initial Access Vectors: How Victims Are Targeted
  5. CastleRAT Loader & Dropper Pipeline
  6. Keylogging Engine Breakdown
  7. Clipboard Hijacking: Crypto-Focused Theft Mechanism
  8. Host Reconnaissance & System Enumeration
  9. ASCII Malware Architecture Diagram

1. Introduction: The Rise of TAG-150 & CastleRAT

In mid-2025, multiple threat-intel teams observed an unusual surge of credential theft, clipboard manipulation, and covert keylogging activity targeting companies across South Asia, Central Europe, and the Gulf.

The campaigns were unified by:

  • a lightweight RAT
  • encrypted network telemetry
  • a modular plugin architecture
  • crypto-wallet hijacking patterns

This malware was eventually named CastleRAT due to its layered defense-bypass mechanisms and fortress-style modular structure.

Attribution was difficult, but behavioral forensics eventually linked the operations to a threat group now identified as TAG-150.

2. Threat Actor Profile: Who Exactly Is TAG-150?

TAG-150 is a privately organized cyber-espionage & financially motivated threat actor group operating in a hybrid style — part APT, part cybercrime.

TAG-150 Characteristics

  • Motivation: Espionage, financial theft, credential collection.
  • Primary Tool: CastleRAT (modular Windows RAT).
  • Secondary Tools: PowerShell loaders, AutoIT scripts, staged DLLs.
  • Known Victims: Finance, defense contractors, media, energy, crypto users.
  • Keeps Infrastructure Small: typically 6–12 C2 servers.
  • Prefers Low-Noise Attacks: avoids ransomware-style chaos.

Operational Security Patterns

TAG-150 uses:

  • encrypted C2 tunnels
  • rarely used domain registrars
  • country-specific phishing kits
  • custom clipboard hijacking regexes

They are exceptionally disciplined — attacks follow precise, repetitive phases.

3. CastleRAT Overview: Architecture & Capabilities

CastleRAT is a full-featured Remote Access Trojan with the following modules:

  • Keylogging module — monitors keystrokes system-wide.
  • Clipboard hijacker — monitors & replaces sensitive clipboard text.
  • File exfiltration module — steals documents.
  • Process monitor — checks for AV/EDR.
  • Command execution module — remote shell.
  • Persistence installer — registry & task scheduler.
  • Encrypted C2 communication.

Design Philosophy

CastleRAT is designed for:

  • long-term stealth
  • modularity
  • in-memory execution
  • EDR evasion

The malware is compact, often delivered as a 150–350 KB executable with dynamically loaded modules.

4. Initial Access Vectors (TAG-150’s Favorite Entry Points)

TAG-150 gains entry using the following methods:

4.1 Spear-Phishing Campaigns

Emails with:

  • malicious PDF attachments
  • fake salary slips
  • fake procurement documents
  • malicious OneNote files

4.2 Malvertising + SEO Poisoning

Victims searching for:

  • PDF converters
  • crypto price trackers
  • Windows utilities

are redirected to CastleRAT loaders.

4.3 Fake Software Installers

Bundled installers pretending to be:

  • Zoom updates
  • Chrome installers
  • Game cracks

These drop the CastleRAT payload silently.

5. CastleRAT Loader & Staged Dropper Pipeline

TAG-150 uses a multi-stage loading mechanism designed for stealth.

Stage 1 — Lightweight Loader

A small executable (usually packed) that:

  • checks OS version
  • verifies region locale
  • ensures system is not sandboxed
  • downloads Stage 2 encrypted payload

Stage 2 — Encrypted DLL (Reflective Loading)

This DLL contains:

  • keylogger
  • clipboard hijacker
  • command execution module

Loaded entirely in memory using:

LoadLibraryExA + VirtualAlloc + CreateThread

Stage 3 — C2 Registration

The infected host registers itself with the C2 by sending:

  • hostname
  • OS version
  • running processes
  • network interfaces

6. Keylogging Engine Breakdown

CastleRAT contains a highly optimized keylogging subsystem.

6.1 Technical Method

Uses the classic Windows API chain:

SetWindowsHookExA(WH_KEYBOARD_LL, ...)
CallNextHookEx()
GetAsyncKeyState()

This ensures:

  • system-wide key capture
  • no admin privileges required
  • minimal CPU footprint

6.2 Output Formatting

The keylogger stores data in memory buffers such as:

[WINWORD.EXE] P@ssw0rd2026
[CHROME.EXE] 0xAb12Ef…
[TERMINAL.EXE] ssh root@192.168.1.10

6.3 Data Exfiltration

Keystrokes are exfiltrated every 3–5 minutes through:

  • HTTPS POST requests
  • WebSocket encrypted channels
  • domain-fronted infrastructure

7. Clipboard Hijacking — Crypto Wallet Theft Vector

One of CastleRAT’s most profitable modules is its clipboard hijacker.

It monitors the clipboard for:

  • BTC addresses
  • ETH addresses
  • USDT (TRC20/ERC20)
  • Monero (XMR)

7.1 Detection Patterns

TAG-150 uses regex patterns like:

BTC: ^(bc1|[13])[a-zA-Z0-9]{25,39}$
ETH: ^0x[a-fA-F0-9]{40}$
XMR: ^4[0-9AB][1-9A-Za-z]{93}$

7.2 Replacement Logic

Once detected, CastleRAT swaps the victim’s address with TAG-150’s attacker-owned address.

Victim sends funds → attacker receives → irreversible loss.

7.3 Why EDR Fails to Detect This

Clipboard hijacking:

  • does not require admin rights
  • uses legitimate Windows clipboard APIs
  • does not create noticeable file I/O
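Because the hijacker relies only on ordinary clipboard APIs, the most useful endpoint signal is behavioural: a wallet address that was just copied is replaced, within a fraction of a second, by a different address of the same family, written by a process other than the one the user copied from. The following is an added defensive example, not code from the report or from any CastleRAT sample. It reuses the three address patterns from section 7.1 and assumes a hypothetical clipboard monitor that records, for each clipboard update, a timestamp, the writing process (obtainable on Windows through GetClipboardOwner) and the text; the events below are constructed.

```python
import re
from dataclasses import dataclass

# Wallet-address patterns exactly as listed in section 7.1 of the report.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1|[13])[a-zA-Z0-9]{25,39}$"),
    "ETH": re.compile(r"^0x[a-fA-F0-9]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-Za-z]{93}$"),
}


def classify_address(text):
    """Return the address family the text matches, or None for ordinary text."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since the monitor started
    owner: str     # process that wrote the clipboard (hypothetical monitor field)
    text: str      # clipboard text after the write


def detect_swaps(events, window_s=2.0):
    """Flag a wallet address replaced by another address of the same family
    within window_s seconds. Alerts carry enough context for triage."""
    alerts = []
    previous = None
    for event in events:
        family = classify_address(event.text)
        if previous is not None and family is not None:
            same_family = classify_address(previous.text) == family
            fast = (event.ts - previous.ts) <= window_s
            if same_family and fast and event.text != previous.text:
                alerts.append({
                    "family": family,
                    "at": event.ts,
                    "writer": event.owner,
                    "original": previous.text,
                    "replacement": event.text,
                    "owner_changed": event.owner != previous.owner,
                })
        previous = event
    return alerts


# Constructed sample addresses and events (not real wallets, not real telemetry).
USER_BTC = "bc1qexampleuseraddress" + "0" * 17         # 39 chars after "bc1": matches BTC
SWAPPED_BTC = "bc1qexampleattackeraddress" + "0" * 10  # different address, same family
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "chrome.exe", USER_BTC),          # user copies their own address
    ClipboardEvent(0.4, "systemhost.exe", SWAPPED_BTC),   # another process rewrites it at once
    ClipboardEvent(45.0, "notepad.exe", "meeting notes"),  # ordinary text, ignored
    ClipboardEvent(60.0, "chrome.exe", "0x" + "a" * 40),  # user copies an ETH address
    ClipboardEvent(95.0, "chrome.exe", "0x" + "b" * 40),  # a different one, 35 s later: normal
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

The time window is what separates a hijack from a user copying two addresses in a row; the `owner_changed` field is the second discriminator, since a legitimate copy comes from the application the user is working in, not from a background process. Pair the alert with the process's path and signature to rank it.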

8. Host Reconnaissance & System Enumeration

Before deploying heavier modules, CastleRAT performs detailed recon:

  • OS version
  • language/locale
  • username
  • AV products installed
  • running processes
  • open browser sessions

This determines which modules get activated.

9. ASCII Malware Architecture Diagram

                     CASTLERAT ARCHITECTURE
-------------------------------------------------------------------
                     Stage 1: Loader
                 (OS checks, region checks)
                             ↓
           Stage 2: Encrypted DLL (Reflective Load)
          -------------------------------------------------
          | Keylogger Module       | Clipboard Hijacker  |
          | File Exfiltration      | Process Scanner     |
          | Remote Command Exec    | Persistence Module  |
          -------------------------------------------------
                             ↓
                   Encrypted C2 Communication
                             ↓
                   Periodic Data Exfiltration
-------------------------------------------------------------------

10. Persistence: How CastleRAT Survives Reboots & Cleanup

TAG-150 built CastleRAT to be extremely sticky. Once the malware gains a foothold, it ensures persistence using multiple redundant methods that activate depending on OS version, user privileges, and EDR presence.

10.1 Registry Run Keys

CastleRAT inserts entries in:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Payload is disguised with names like:

  • Windows Update Agent
  • SystemEventTracker
  • ServiceHostManager

10.2 Scheduled Tasks

TAG-150 uses scheduled tasks heavily because they blend in with normal activity.

Tasks created include:

schtasks /create /sc minute /mo 30 /tn "Chrome Helper" /tr "payload.exe"

This auto-restores the RAT even if the executable is deleted.

10.3 WMI Event Subscription

For long-term stealth persistence, CastleRAT creates:

  • __EventFilter
  • __EventConsumer
  • __FilterToConsumerBinding

This method is almost invisible to traditional AV.

10.4 Service-Based Persistence

CastleRAT sometimes deploys itself as a Windows service using:

sc create SysEventHost binPath= "C:\ProgramData\systemhost.exe" start= auto

10.5 Startup Folder Persistence

If the victim has restricted privileges, CastleRAT falls back to the classic:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

This allows rapid reinfection for low-privilege victims.

11. Evasion Techniques: Why CastleRAT Avoids Modern EDR

CastleRAT is engineered with mature evasion logic, allowing it to run for months without detection.

11.1 Anti-Analysis Checks

CastleRAT inspects its environment for:

  • VMware
  • VirtualBox
  • QEMU
  • low RAM / low CPU (indicating sandboxes)
  • known analysis processes like procmon.exe or wireshark.exe

11.2 Timing & Delayed Execution

The malware delays activation by:

  • 2 to 10 minutes
  • random intervals
  • user-activity based triggers (keyboard/mouse)

This defeats sandbox detonations.

11.3 In-Memory Reflective Loading

Most of CastleRAT’s modules are never written to disk. They are decrypted and loaded directly into memory.

This bypasses:

  • signature-based AV
  • file-hash monitoring
  • static scanners

11.4 API Unhooking

CastleRAT checks if AV/EDR has hooked:

  • NtCreateFile
  • NtWriteFile
  • NtDeviceIoControlFile

If hooks are detected, CastleRAT falls back to:

  • direct syscalls
  • manually mapped modules

11.5 String & Config Encryption

Strings like:

  • C2 domains
  • API endpoints
  • paths

are stored AES-encrypted using unique per-build keys.

12. Reflective DLL Loading: TAG-150’s Favorite Technique

Reflective DLL Loading is central to CastleRAT’s stealth strategy.

This is a multi-step in-memory injection flow:

12.1 Loader Decrypts the DLL

xor 0x12  → AES-128-CBC  → in-memory buffer

12.2 Memory Allocated for Module

VirtualAlloc(MEM_COMMIT | MEM_RESERVE)

12.3 DLL Headers & Sections Mapped

CastleRAT manually maps:

  • .text
  • .rdata
  • .data

12.4 Import Table Reconstructed

LoadLibraryA("kernel32.dll");
GetProcAddress(kernel32, "CreateThread");

12.5 DLL Entry Point Invoked

The RAT module is now running *entirely from memory*, bypassing all disk-based detection.

13. Command & Control Architecture

TAG-150 runs CastleRAT using a structured, low-noise C2 infrastructure.

13.1 C2 Server Characteristics

  • FastFlux DNS
  • Cloudflare-protected frontends
  • .top, .cyou, .xyz domains
  • reverse proxy layers to hide backend IPs

13.2 C2 Communication Protocol

CastleRAT uses:

  • HTTPS POST
  • WebSocket encrypted channels
  • Base64-wrapped packets
  • AES-128-CBC payload encryption

13.3 Beaconing Pattern

Every 5–30 seconds, CastleRAT sends:

  • keystroke logs
  • clipboard logs
  • system status

13.4 Example C2 Packet Structure

{
  "id": "HOST-88F2",
  "os": "Windows 10",
  "clip": "0xA12B3F...",
  "keys": "P@ssw0rd...",
  "cmd": "idle",
  "ver": "4.6.2"
}

13.5 Server Response Commands

C2 servers can instruct CastleRAT to:

  • record screen
  • deploy new modules
  • open reverse shell
  • exfiltrate specific files
  • self-delete

14. Network Indicators & Traffic Behavior

CastleRAT traffic shares tell-tale characteristics:

  • TLS 1.2 (never 1.3) for predictable handshake timing
  • Custom JA3 fingerprints
  • Packet sizes between 400–700 bytes
  • Beacon jitter to evade behavioral analytics

15. MITRE ATT&CK Mapping (CyberDudeBivash Analysis)

CastleRAT maps across 20+ MITRE ATT&CK techniques.

MITRE ID | Technique             | CastleRAT Behavior
---------|-----------------------|---------------------------------
T1059    | Command Execution     | Remote shell module
T1005    | Data Theft            | Keylogging & clipboard hijacking
T1547    | Boot Persistence      | Registry run keys
T1055    | Process Injection     | Reflective DLL loading
T1560    | Exfiltration          | AES-encrypted C2 beacons
T1036    | Masquerading          | Disguised as Windows services
T1082    | System Discovery      | Host reconnaissance
T1119    | Automated Collection  | Clipboard/teamware data theft
T1105    | Ingress Tool Transfer | Downloads additional payloads

16. Full Attack Timeline (TAG-150 Playbook)

Across multiple incidents, TAG-150 follows a near-identical kill-chain:

  1. Initial access via phishing/malvertising/fake installers.
  2. Loader execution with region/VM checks.
  3. Reflective load of CastleRAT core DLL.
  4. C2 registration with host details.
  5. Keylogging + clipboard hijacking activated silently.
  6. Exfiltration of credentials & sensitive data.
  7. Optional lateral movement to browsers or network shares.
  8. Persistence installation using registry/tasks/WMI.
  9. Long-term espionage or crypto draining.

The malware is built for slow, targeted operations — this is a hallmark of sophisticated hybrid threat groups.


17. The CyberDudeBivash CastleRAT Defense Blueprint

Defending against CastleRAT requires a multi-layered strategy spanning endpoints, network visibility, memory forensics, clipboard monitoring, and browser protection. This section presents the CyberDudeBivash CastleRAT 2026 Defense Blueprint, engineered from DFIR observations across real-world intrusions.

17.1 Endpoint Hardening

Endpoints must enforce:

  • script restriction policies (PowerShell Constrained Language Mode)
  • block unsigned executables from user-writable paths
  • disable legacy keyboard hooks where possible
  • restrict clipboard programmatic access using enterprise DLP

17.2 Browser Security Controls

CastleRAT targets browsers to harvest:

  • passwords
  • session tokens
  • clipboard crypto-wallet strings

Thus organizations must:

  • disable weak browser extensions
  • block unauthorized extension installs
  • enforce enterprise password managers

17.3 Email Gateways

TAG-150 relies heavily on phishing and malvertising. Use threat-intel-backed gateways that detect:

  • macro-enabled documents
  • OneNote droppers
  • PDF embedded scripts
  • weaponized HTML attachments

17.4 Behavioral EDR (Not Signature-Based)

CastleRAT avoids disk-based detection entirely. Therefore, rely on:

  • memory scanning
  • API-hook anomaly detection
  • clipboard modification monitoring
  • DLL injection behavior models

18. CyberDudeBivash SOC Detection Workflow

The CyberDudeBivash SOC workflow identifies CastleRAT via:

18.1 Initial Triage Indicators

  • suspicious scheduled tasks
  • unknown registry Run entries
  • clipboard events occurring mid-user activity
  • network beacons to unknown TLDs
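The first two triage indicators can be checked mechanically against the persistence mechanisms listed in section 10. The following is an added example written for this report, not tooling from the report or from TAG-150 analysis; it runs over constructed event records shaped like the Windows events that record each mechanism (Sysmon Event ID 13 for registry value writes, Security Event ID 4698 for scheduled-task creation, Sysmon Event IDs 19, 20 and 21 for WMI filter, consumer and binding creation, and System Event ID 7045 for service installation). The key signal it uses is a persistence entry whose target binary lives in a user-writable path, which is where the report's examples (C:\ProgramData\systemhost.exe, payload.exe) sit.

```python
import re

# Paths an unprivileged user can write to; persistence pointing here is the signal.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def in_user_writable_path(path):
    """True if the path sits under a location a standard user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage_persistence(events):
    """Return (category, name, target) findings for persistence events that
    match the report's indicators. Events are dicts keyed by Windows field names."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            # Run-key value written; suspicious only if it launches from a user path
            if in_user_writable_path(ev.get("Details", "")):
                findings.append(("run_key", ev["TargetObject"], ev["Details"]))
        elif eid == 4698 and in_user_writable_path(ev.get("Command", "")):
            findings.append(("scheduled_task", ev["TaskName"], ev["Command"]))
        elif eid in (19, 20, 21):
            # WMI subscriptions are rare enough in most fleets to always surface
            detail = ev.get("Query") or ev.get("Destination", "")
            findings.append(("wmi_subscription", ev.get("Name", "?"), detail))
        elif eid == 7045 and in_user_writable_path(ev.get("ImagePath", "")):
            findings.append(("service", ev["ServiceName"], ev["ImagePath"]))
    return findings


# Constructed events for the example; names and paths mirror section 10 of the report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\ProgramData\\systemhost.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update Agent",
     "Details": "C:\\ProgramData\\systemhost.exe"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},            # benign installer
    {"EventID": 4698, "TaskName": "\\Chrome Helper",
     "Command": "C:\\Users\\alice\\AppData\\Roaming\\payload.exe"},
    {"EventID": 19, "Name": "SysEventFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"},
    {"EventID": 7045, "ServiceName": "SysEventHost",
     "ImagePath": "C:\\ProgramData\\systemhost.exe"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe"},                  # built-in task
]

if __name__ == "__main__":
    for finding in triage_persistence(SAMPLE_EVENTS):
        print(finding)
```

The path check deliberately ignores the display name: a Run entry called "Windows Update Agent" is not suspicious because of its name but because of where its binary lives, which is why the disguised names in section 10.1 do not defeat the rule. Feed the function from your SIEM export rather than the constructed list to use it in practice.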

18.2 Deep Memory Triage

Memory analysis reveals:

  • reflective DLL structures
  • shellcode buffers
  • unusual thread contexts
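A reflectively loaded module leaves a recognisable footprint in a memory map: an executable region that is private rather than backed by a file on disk, often writable and executable at once, and starting with a PE header even though no image is mapped there. The following is an added example, not code from the report, of the scoring logic a memory-triage step can apply to region descriptors; the descriptor fields and the owning-process names are assumptions for the example, and the PE stub is a constructed header, not a real binary. The MZ check is the same one the report's YARA rule expresses as `uint16(0) == 0x5A4D`.

```python
import struct


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_regions(regions):
    """Score memory regions for the reflective-loading signs named in section 18.2.
    Each region is a dict with base, size, protect ('RW', 'RX', 'RWX'),
    type ('image', 'mapped', 'private'), path, owner and the first bytes as data."""
    findings = []
    for region in regions:
        executable = "X" in region["protect"]
        unbacked = region["type"] != "image" or not region["path"]
        reasons = []
        if executable and unbacked:
            reasons.append("executable memory not backed by an image file")
            if looks_like_pe(region["data"]):
                reasons.append("PE header inside unbacked region")
        if region["protect"] == "RWX":
            reasons.append("writable and executable at once")
        if reasons:
            findings.append({
                "base": region["base"],
                "size": region["size"],
                "owner": region["owner"],
                "reasons": reasons,
                "score": len(reasons),
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def fake_pe_image():
    """Construct a minimal MZ/PE header stub for the example (not an executable)."""
    header = bytearray(0x84)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew -> offset of "PE\0\0"
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)


# Constructed region descriptors: a legitimate DLL mapping, a heap, an unbacked
# RWX region holding a PE header, and a small unbacked executable stub.
SAMPLE_REGIONS = [
    {"base": 0x7FF8A0000000, "size": 0x1F0000, "protect": "RX", "type": "image",
     "path": "C:\\Windows\\System32\\ntdll.dll", "owner": "explorer.exe", "data": fake_pe_image()},
    {"base": 0x1A0000, "size": 0x10000, "protect": "RW", "type": "private",
     "path": "", "owner": "explorer.exe", "data": b"\x00" * 64},
    {"base": 0x1F000000, "size": 0x50000, "protect": "RWX", "type": "private",
     "path": "", "owner": "systemhost.exe", "data": fake_pe_image()},
    {"base": 0x2C0000, "size": 0x1000, "protect": "RX", "type": "private",
     "path": "", "owner": "systemhost.exe", "data": b"\xcc" * 64},
]

if __name__ == "__main__":
    for finding in triage_regions(SAMPLE_REGIONS):
        print(hex(finding["base"]), finding["owner"], finding["score"], finding["reasons"])
```

A score of 1 (executable private memory alone) is common in JIT-based processes such as browsers and .NET applications, so treat it as a lead to correlate with the owning process; a private region that is both RWX and carries a PE header, as in the third descriptor, is the combination worth pulling for analysis.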

18.3 Network Pattern Analysis

CastleRAT’s network traffic shows:

  • consistent beacon sizes (400–700 bytes)
  • TLS 1.2 handshake patterns
  • JA3 fingerprints linked to known RATs

19. IOC Pack — Domains, IPs, Hashes

This CyberDudeBivash IOC pack is derived from TAG-150 campaigns tracked globally.

19.1 Domains Used

update-check-service[.]top
cdn-sync-files[.]cyou
sysclient-update-node[.]xyz
fastdns-cache-net[.]online

19.2 IP Addresses

185.244.39.12
91.221.70.19
43.154.29.221
103.238.72.55

19.3 Sample Malware Hashes

54e3a1c9883d8497fb8b18d440d54a34
a0fa52db78afca19fd9e3dd982f0e3cd
ce91f96e02bd2b6e2e4b6969dbf765c1
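The network characteristics from sections 14 and 18.3 (400 to 700 byte requests, short regular beacons with jitter, TLS 1.2) and the IOC list above can be checked together over proxy or flow logs. The following is an added example, not tooling from the report: it refangs the listed domains, matches destinations against the listed IPs and domains, and measures interval regularity per source/destination pair. The log format and the traffic in it are constructed for the example; the thresholds (at least five flows, at least 80% of sizes in range, interval coefficient of variation at most 0.25) are assumptions to tune against your own baseline.

```python
import csv
import io
import statistics
from datetime import datetime

# Indicators exactly as listed in section 19 of the report (defanged with [.]).
IOC_DOMAINS = {
    "update-check-service[.]top",
    "cdn-sync-files[.]cyou",
    "sysclient-update-node[.]xyz",
    "fastdns-cache-net[.]online",
}
IOC_IPS = {"185.244.39.12", "91.221.70.19", "43.154.29.221", "103.238.72.55"}


def refang(indicator):
    """Turn a defanged indicator (example[.]top) back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


REFANGED_DOMAINS = {refang(d) for d in IOC_DOMAINS}

# Constructed flow records: one host beaconing to a listed C2 roughly every 20 s
# with 400-700 byte requests, mixed with ordinary browsing to a test-net address.
SAMPLE_LOG = """ts,src,dst_ip,dst_port,sni,tls,bytes
2026-01-10T10:00:00Z,10.0.0.5,185.244.39.12,443,update-check-service.top,1.2,512
2026-01-10T10:00:03Z,10.0.0.5,203.0.113.10,443,example.com,1.3,1450
2026-01-10T10:00:20Z,10.0.0.5,185.244.39.12,443,update-check-service.top,1.2,534
2026-01-10T10:00:42Z,10.0.0.5,185.244.39.12,443,update-check-service.top,1.2,498
2026-01-10T10:00:55Z,10.0.0.5,203.0.113.10,443,example.com,1.3,23000
2026-01-10T10:01:01Z,10.0.0.5,185.244.39.12,443,update-check-service.top,1.2,551
2026-01-10T10:01:22Z,10.0.0.5,185.244.39.12,443,update-check-service.top,1.2,507
2026-01-10T10:01:42Z,10.0.0.5,185.244.39.12,443,update-check-service.top,1.2,520
2026-01-10T10:02:05Z,10.0.0.5,185.244.39.12,443,update-check-service.top,1.2,489
2026-01-10T10:07:30Z,10.0.0.5,203.0.113.10,443,example.com,1.3,980
"""


def parse_flows(text):
    """Parse the CSV flow export into dicts with typed timestamp and byte count."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def analyze(flows, min_flows=5, size_range=(400, 700), max_jitter_cv=0.25):
    """Group flows per (src, dst_ip, sni); report IOC hits and beacon-like rhythm."""
    groups = {}
    for flow in flows:
        key = (flow["src"], flow["dst_ip"], flow["sni"].lower())
        groups.setdefault(key, []).append(flow)
    results = []
    for (src, dst, sni), items in groups.items():
        items.sort(key=lambda f: f["ts"])
        sizes = [f["bytes"] for f in items]
        size_ratio = sum(size_range[0] <= s <= size_range[1] for s in sizes) / len(sizes)
        interval_cv = None
        beacon_like = False
        if len(items) >= min_flows:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(items, items[1:])]
            mean_gap = statistics.mean(gaps)
            if mean_gap > 0:
                # Low coefficient of variation = regular beacon despite small jitter
                interval_cv = statistics.pstdev(gaps) / mean_gap
                beacon_like = interval_cv <= max_jitter_cv and size_ratio >= 0.8
        results.append({
            "src": src, "dst": dst, "sni": sni, "flows": len(items),
            "ioc_hit": dst in IOC_IPS or sni in REFANGED_DOMAINS,
            "size_ratio": size_ratio, "interval_cv": interval_cv,
            "beacon_like": beacon_like, "tls": sorted({f["tls"] for f in items}),
        })
    return results


def flagged(results):
    """Keep only pairs that hit an indicator or look like a beacon."""
    return [r for r in results if r["ioc_hit"] or r["beacon_like"]]

if __name__ == "__main__":
    for result in flagged(analyze(parse_flows(SAMPLE_LOG))):
        print(result)
```

The rhythm check is what catches infrastructure that has rotated off the IOC list: a destination with no indicator match but a low interval CV, sizes clustered in the 400 to 700 byte band and TLS pinned at 1.2 is the profile section 14 describes, and deserves the same review as a direct hit.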

20. YARA Rules — CyberDudeBivash CastleRAT Detection Pack

These YARA rules detect CastleRAT reflective-loading and clipboard hijacking behavior.

rule CyberDudeBivash_CastleRAT_Reflective
{
    meta:
        description = "Detects CastleRAT reflective DLL loading"
        author = "CyberDudeBivash Threat Labs"

    strings:
        $s1 = "SetWindowsHookExA" ascii
        $s2 = "VirtualAlloc" ascii
        $s3 = "GetClipboardData" ascii
        $s4 = /bc1[a-zA-Z0-9]{20,}/

    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}

rule CyberDudeBivash_CastleRAT_CryptoHijack
{
    meta:
        description = "Detects CastleRAT crypto clipboard hijacking logic"
        author = "CyberDudeBivash Threat Labs"

    strings:
        $eth = /0x[a-fA-F0-9]{40}/
        $btc = /(bc1|[13])[a-zA-Z0-9]{25,39}/
        $clip = "OpenClipboard" ascii

    condition:
        $clip and ($eth or $btc)
}

21. Sigma Rules — SIEM Detection

These Sigma rules allow SOC teams to detect CastleRAT activity in Windows logs.

title: CastleRAT Suspicious Clipboard Access
id: cdb-castlerat-clip-01
logsource:
  product: windows
  category: clipboard
detection:
  selection:
    EventID: 1001
    ProcessName|contains:
      - "systemhost.exe"
      - "ChromeHelper.exe"
  condition: selection
level: medium
---
title: CastleRAT Reflective Loading Behavior
id: cdb-castlerat-mem-01
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: "rundll32.exe"
    CommandLine|contains: "VirtualAlloc"
  condition: selection
level: high

22. EDR Query Pack (Hunts for CrowdStrike, SentinelOne, Microsoft Defender)

22.1 Suspicious Clipboard Activity

DeviceClipboardEvents
| where InitiatingProcessFileName in ("systemhost.exe", "ChromeHelper.exe")

22.2 Reflective Loading Patterns

DeviceImageLoadEvents
| where FileName endswith ".dll"
| where InitiatingProcessCommandLine contains "VirtualAlloc"

22.3 Unusual Scheduled Tasks

DeviceProcessEvents
| where ProcessCommandLine contains "schtasks"
| where ProcessCommandLine contains "Chrome Helper"

23. How to Remove CastleRAT (CyberDudeBivash IR Steps)

To fully eradicate CastleRAT:

Step 1 — Kill In-Memory RAT Threads

Use EDR Live Response to force-kill injected threads.

Step 2 — Remove Persistence

  • registry keys
  • scheduled tasks
  • WMI event subscriptions
  • services

Step 3 — Replace Compromised Credentials

TAG-150 steals:

  • RDP credentials
  • VPN passwords
  • browser sessions
  • crypto wallet addresses

Step 4 — Reset Browser Profiles

Chrome/Firefox/Edge must be reset to remove session token theft.

Step 5 — Network Cleanup

Block C2 domains & JA3 fingerprints.

24. CISO Executive Summary

CastleRAT is one of the most advanced hybrid-stealth malware campaigns of the last two years — combining espionage-style stealth with financially motivated crypto theft mechanisms.

TAG-150 has demonstrated:

  • professional malware engineering
  • modular remote-access toolchains
  • seamless clipboard hijacking attacks
  • long-term persistence and evasion

Organizations must adopt:

  • behavioral EDR
  • memory-based scanning
  • browser security controls
  • clipboard access monitoring
  • threat intel–driven detection


© 2024–2025 CyberDudeBivash Pvt Ltd. All Rights Reserved. Unauthorized reproduction, redistribution, or copying of any content is strictly prohibited. 
