Recorded Future’s Insikt Group has uncovered a new threat actor, dubbed ‘TAG-150’, active since at least March 2025. The group is notable for its technical sophistication, rapid development cycle, and ability to quickly adapt to public reporting.
TAG-150 maintains a large and complex infrastructure, including both victim-facing Tier 1 servers used to control various malware and multi-layered backend servers for support and resilience. The group has deployed several likely self-developed malware families, including CastleLoader, CastleBot, and the recently discovered CastleRAT, a remote access trojan (RAT) capable of gathering system data, executing commands, and deploying additional malware.
TAG-150’s attacks are commonly launched through Cloudflare-themed phishing campaigns and fake GitHub repositories that trick users into executing malicious PowerShell commands. Although engagement with these links was relatively low, nearly 29% of the users who clicked became infected, the report said.
The group leverages several third-party services, including file-sharing platforms, anti-detection services like Kleenscan, and Pastebin for command delivery. The CastleRAT malware has been observed in both Python and C variants.
Although TAG-150’s operation shares similarities with Malware-as-a-Service (MaaS) models, such as the deployment of multiple malware families and the use of admin panels, Insikt Group has found no direct evidence of MaaS advertising in underground forums. Network data shows limited external communication, mainly through Tor, suggesting a mostly self-contained operation with potential affiliates.