CastleRAT Active Campaign – Threat Overview, Detection, and Mitigation

What is CastleRAT

CastleRAT is a Windows remote access trojan currently being used in the wild to spy on users and quietly maintain long-term access to infected machines. Once it lands, the attacker can see what the user types, what they copy, and what’s happening on their screen. It’s not noisy malware — it’s designed to blend in and stay put.

The malware usually arrives through a small loader known as CastleLoader, which handles the initial compromise and then pulls down CastleRAT as the second stage. CastleRAT exists in both Python-based and compiled C forms, which gives attackers flexibility and helps them evade simple detection methods.


How systems are getting infected

  1. User interaction
    • Victims are lured through phishing emails, chat messages, or fake “verification” and “fix” pages.
    • Many of these pages look legitimate and instruct the user to copy and run a short PowerShell command.
    • Some campaigns use fake repositories or developer tools to appear trustworthy.
  2. CastleLoader stage
    • The PowerShell command launches CastleLoader.
    • CastleLoader performs basic system checks and reaches out to attacker infrastructure.
    • It downloads the real payload without much visible activity.
  3. CastleRAT execution
    • CastleRAT starts running as a Python process or compiled binary.
    • It collects system details (user, host, OS, IP).
    • It opens an encrypted channel back to the attacker and waits for commands.
  4. Persistence and stealth
    • Creates scheduled tasks to survive reboots.
    • Uses UAC bypass techniques when possible.
    • Frequently launches code using rundll32.exe to look like normal Windows behavior.
    • Keeps activity low to avoid user suspicion.

What CastleRAT actually does

Once active, CastleRAT provides full surveillance and control:

  • Records keystrokes
  • Steals clipboard contents (passwords, tokens, crypto addresses)
  • Takes screenshots
  • Executes remote commands
  • Downloads and runs additional payloads
  • Sends stolen data back to the attacker

Traffic to the attacker is encrypted using RC4-style encryption, making the data difficult to inspect without deeper analysis.


Indicators of Compromise (IoCs)

Known C2 IP addresses

CastleRAT-related

  • 34.72.90[.]40
  • 45.61.136[.]181
  • 91.212.166[.]17
  • 94.141.122[.]164
  • 104.225.129[.]171

CastleLoader-related

  • 62.60.226[.]73
  • 107.158.128[.]45
  • 185.212.47[.]84

Any internal host communicating with these addresses should be investigated immediately.


Domains observed in delivery or command-and-control

  • cisco-webexxapp[.]xyz
  • panelv1[.]hostingzealoft[.]today
  • sftp[.]sagargolf[.]com

These domains are designed to look harmless or legitimate.


Network patterns to watch for

  • Outbound traffic over ports 80, 443, and occasionally 7777
  • Small, repetitive beacon traffic followed by larger data uploads
  • Encrypted payloads that don’t match normal browser TLS behavior

Host-based red flags

  • rundll32.exe executed with odd or unfamiliar arguments
  • Newly created scheduled tasks pointing to user directories:
    • %AppData%
    • %LocalAppData%
    • %Temp%
  • One-line PowerShell commands that:
    • Download content from the internet
    • Decode Base64 or XOR data
    • Execute content directly in memory
  • Processes repeatedly accessing:
    • Clipboard APIs
    • Keyboard input APIs
    • Screen capture functions

Detection queries (practical examples)

Windows Event / EDR – suspicious rundll32 usage

process_name = "rundll32.exe"
AND command_line NOT CONTAINS "System32"

PowerShell execution with encoded or download behavior

process_name = "powershell.exe"
AND (command_line CONTAINS "-enc"
     OR command_line CONTAINS "FromBase64String"
     OR command_line CONTAINS "Invoke-WebRequest"
     OR command_line CONTAINS "iwr")

Scheduled task creation whose action points into a user directory

event_type = "scheduled_task_created"
AND task_action CONTAINS "\\Users\\"

Clipboard or keystroke monitoring behavior (EDR telemetry)

(api_call = "GetAsyncKeyState"
 OR api_call = "SetWindowsHookEx"
 OR api_call = "GetClipboardData")
AND network_connection = true

Network beaconing to suspicious infrastructure

destination_ip IN (
  "34.72.90[.]40",
  "45.61.136[.]181",
  "91.212.166[.]17",
  "94.141.122[.]164",
  "104.225.129[.]171"
)
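The pseudo-queries above are written for no particular EDR, so here is an added example (not part of the original post) that applies the same rules as plain Python over constructed process, scheduled-task and network telemetry records. Field names such as `type`, `task_action` and `destination_ip`, the host names and paths are assumptions; the API-call rule is left out because it needs hooking telemetry most log sources do not carry.

```python
import re

# De-fanged IPs as printed in the advisory, re-fanged here for exact matching.
C2_IPS = {ip.replace("[.]", ".") for ip in (
    "34.72.90[.]40", "45.61.136[.]181", "91.212.166[.]17",
    "94.141.122[.]164", "104.225.129[.]171",                  # CastleRAT C2
    "62.60.226[.]73", "107.158.128[.]45", "185.212.47[.]84")}  # CastleLoader
# Scheduled-task actions that launch from user-writable locations.
USER_DIRS = re.compile(r"\\Users\\|%(AppData|LocalAppData|Temp)%", re.I)
# PowerShell tokens from the second query ("-enc" also covers -EncodedCommand).
PS_FLAGS = re.compile(r"-enc|FromBase64String|Invoke-WebRequest|\biwr\b", re.I)

def classify(event):
    """Return the names of the advisory rules this telemetry record triggers."""
    hits = []
    kind = event.get("type")
    cmd = event.get("command_line", "")
    name = event.get("process_name", "").lower()
    if kind == "process" and name == "rundll32.exe" and "system32" not in cmd.lower():
        hits.append("rundll32_outside_system32")       # rundll32 query
    if kind == "process" and name == "powershell.exe" and PS_FLAGS.search(cmd):
        hits.append("powershell_encoded_or_download")  # PowerShell query
    if kind == "scheduled_task_created" and USER_DIRS.search(event.get("task_action", "")):
        hits.append("scheduled_task_user_dir")         # scheduled-task query
    if kind == "network" and event.get("destination_ip") in C2_IPS:
        hits.append("known_c2_beacon")                 # beaconing query
    return hits

def scan(events):
    """Flatten a batch of records into (host, rule) pairs for triage."""
    return [(e["host"], rule) for e in events for rule in classify(e)]

# Constructed sample telemetry (hypothetical host names, paths and a dummy
# -enc argument); none of it is captured data from the campaign.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "process_name": "rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"},
    {"host": "ws01", "type": "process", "process_name": "rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"host": "ws02", "type": "process", "process_name": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QUFBQQ=="},
    {"host": "ws02", "type": "scheduled_task_created", "task_name": "Updater",
     "task_action": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"host": "ws02", "type": "network", "destination_ip": "34.72.90.40", "port": 443},
    {"host": "ws03", "type": "network", "destination_ip": "8.8.8.8", "port": 53},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The rundll32 rule is deliberately as broad as the advisory's query and will fire on legitimate DLLs loaded from non-System32 paths, so treat its hits as a triage queue rather than a verdict.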

How to prevent and contain it

Immediate actions

  • Block listed IPs and domains at firewall, proxy, and DNS layers
  • Isolate affected endpoints
  • Reset credentials used on impacted machines

Endpoint hardening

  • Restrict PowerShell to signed scripts where possible
  • Monitor or limit rundll32.exe usage
  • Prevent execution from user-writable directories
  • Enforce least privilege and remove unnecessary local admin rights

User-side defenses

  • Warn users not to run copied commands from websites
  • Treat “verification” and “fix” pages with extreme caution
  • Encourage fast reporting of suspicious prompts or downloads

Why this campaign works

CastleRAT doesn’t rely on fancy exploits. It succeeds because:

  • It tricks users into doing the work for the attacker
  • It uses built-in Windows tools to stay hidden
  • It keeps noise low and persistence high
  • Infrastructure changes frequently, making simple blocking less effective

Bottom line

CastleRAT is quiet, persistent, and effective. If a user can be convinced to run a command, the attacker can own the system. Detection needs to focus on behavior, not just file hashes, and prevention needs to focus on execution control and visibility.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.