Current Cyber Threats

Behind the Walls: Techniques and Tactics in Castle RAT Client Malware

Summary:
CastleRAT is a remote access trojan (RAT) first identified in March 2025. Two variants have been observed to date: one written in Python and one compiled from C. Both share core functionality, but the C build is the more capable of the two and includes additional features, enabling attackers to gather extensive system information, maintain C2 communication encrypted with RC4, and execute additional payloads.
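RC4 is a symmetric stream cipher, so an analyst who recovers the key from a sample can decrypt captured C2 traffic with the same routine the implant uses to encrypt it. The following is an added example, not CastleRAT's own code and not taken from the linked write-up: the RC4 implementation is standard, while the key, the check-in fields and the JSON message shape are constructed for illustration (the bulletin does not describe the real message format). The last helper shows the classic weakness of a static RC4 key with no per-message nonce: XORing two ciphertexts cancels the keystream and reveals where the plaintexts agree.

```python
"""RC4 helpers for working with a C2 channel that encrypts with RC4.

Added illustration, not CastleRAT's own code. The key, the check-in
fields and the message format below are constructed for the example.
"""
import json


def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed sample (assumption): a JSON check-in carrying the kinds of
# fields the bulletin says the implant collects. Not the real format.
SAMPLE_KEY = b"example-key"
SAMPLE_CHECKIN = {"user": "jdoe", "machine_id": "DESKTOP-EXAMPLE", "ip": "10.0.0.5"}


def encrypt_checkin(key: bytes, fields: dict) -> bytes:
    """Serialise the fields deterministically and encrypt them."""
    return rc4_crypt(key, json.dumps(fields, sort_keys=True).encode())


def decrypt_checkin(key: bytes, blob: bytes) -> dict:
    """What an analyst does with a key recovered from the sample."""
    return json.loads(rc4_crypt(key, blob).decode())


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If two messages use the same key with no per-message nonce, RC4 reuses
    the keystream, so ct1 XOR ct2 == pt1 XOR pt2. A zero byte means the two
    plaintexts agree at that offset, which is why static-key RC4 leaks structure
    even without the key."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    blob = encrypt_checkin(SAMPLE_KEY, SAMPLE_CHECKIN)
    print(blob.hex())
    print(decrypt_checkin(SAMPLE_KEY, blob))
```

When triaging a real capture, the key is typically found in the binary (a string or a short byte array handed to the KSA); once it is known, every beacon in a PCAP can be decrypted with `rc4_crypt` alone.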

CastleRAT provides capabilities such as remote command execution, DLL plugin loading, screen capture, clipboard scraping, browser session hijacking, keylogging, and webcam/microphone enumeration, giving operators deep surveillance of, and control over, infected hosts.

Beyond its basic RAT features, CastleRAT employs several techniques to evade detection and escalate privileges. The trojan can silently read and manipulate clipboard data for covert exfiltration, spawn hidden shells that it drives over inter‑process communication pipes, hijack browser processes, and persist through scheduled tasks. It also uses dead‑drop resolvers hosted on legitimate services to locate its C2 infrastructure and employs UAC bypass techniques to obtain administrative privileges.
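Three of the behaviours above (a scheduled task created for persistence, a shell spawned by the implant, and a shell started through a UAC bypass) are visible in ordinary process-creation telemetry. The following is an added example, not from the bulletin or the linked Splunk detections, that runs simple rules over constructed Sysmon Event ID 1 style records. The record fields, the list of auto-elevating Windows binaries, the allowlist of normal shell parents and the sample events are all assumptions chosen for illustration; the bulletin does not name which UAC bypass CastleRAT uses. The IPC pipe itself is not visible here and would need pipe telemetry (Sysmon Event ID 17/18) to see.

```python
"""Rules over process-creation events for the behaviours in the bulletin.

Added example, not CastleRAT's code and not Splunk's detections. Field
names, binary lists and sample events are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record (assumed field names)."""
    parent_image: str
    image: str
    command_line: str


# Paths a standard user can write to; a payload launched from here is suspect.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Auto-elevating binaries commonly abused for UAC bypass. Generic examples and
# an assumption here: the bulletin does not say which technique CastleRAT uses.
AUTO_ELEVATE = {"fodhelper.exe", "computerdefaults.exe", "sdclt.exe", "eventvwr.exe"}
# Parents that routinely start shells on a workstation (tune per environment).
NORMAL_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                        "services.exe", "svchost.exe", "windowsterminal.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_sched_task_persistence(ev: ProcessEvent):
    """schtasks /create whose /tr action points into a user-writable path."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.command_line.lower():
        return None
    m = re.search(r'/tr\s+"?([^"]+)', ev.command_line, re.IGNORECASE)
    if m and USER_WRITABLE.search(m.group(1)):
        return "scheduled task runs a binary from a user-writable path"
    return None


def rule_hidden_shell(ev: ProcessEvent):
    """A shell whose parent is an unfamiliar binary living in a user-writable path."""
    if basename(ev.image) not in SHELLS:
        return None
    if basename(ev.parent_image) not in NORMAL_SHELL_PARENTS and USER_WRITABLE.search(ev.parent_image):
        return "shell spawned by a process in a user-writable path"
    return None


def rule_uac_bypass(ev: ProcessEvent):
    """An auto-elevating Windows binary should never be the parent of a shell."""
    if basename(ev.parent_image) in AUTO_ELEVATE and basename(ev.image) in SHELLS:
        return "shell spawned by an auto-elevating binary (possible UAC bypass)"
    return None


RULES = [rule_sched_task_persistence, rule_hidden_shell, rule_uac_bypass]


def detect(events):
    """Return (rule name, reason, event) for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((rule.__name__, reason, ev))
    return hits


# Constructed sample events (not real telemetry): three malicious, one benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /tn "Updater" /tr "C:\Users\Public\svc.exe" /sc onlogon /rl highest /f'),
    ProcessEvent(r"C:\Users\Public\svc.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for name, reason, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {reason}: {ev.parent_image} -> {ev.image}")
```

The hidden-shell rule deliberately keys on the parent's location rather than on window flags, because a shell driven over pipes has no window to inspect; expect to extend the allowlist for developer tooling before deploying it.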

Security Officer Comments:
CastleRAT’s ability to collect detailed system information, such as usernames, machine IDs, and IP addresses, allows attackers to profile their targets and exfiltrate valuable data. Its remote shell provides full control over infected machines, enabling attackers to run arbitrary commands, download additional payloads, and move laterally within a network. The ability to hijack clipboard data, log keystrokes, capture screenshots, and even record audio/video through compromised devices makes CastleRAT an effective tool for espionage and data theft. Its stealthy persistence mechanisms, such as scheduled tasks, UAC bypass, and dead‑drop resolvers, help it maintain long-term access while minimizing detection, which suits attackers aiming to conduct espionage, financial fraud, or further infiltration of a victim’s environment.

Suggested Corrections:
No specific initial distribution vector has been reported for CastleRAT. It most likely reaches victim systems through phishing messages, malicious software downloads hosted on websites, or exploitation of vulnerable internet‑facing systems. In general, users should avoid opening attachments in emails or messages from unknown senders, download software only from official vendor sites, keep systems up to date, and run antivirus solutions capable of detecting trojans like CastleRAT.

Link(s):
https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html