EXECUTIVE SUMMARY
CastleRAT is a remote access tool used by several threat groups. It exists in a Python variant and a C-compiled variant that behave similarly but differ in capability and flexibility: the Python version is lighter and easier to inspect, while the C version adds functions for stealth and deeper system interaction. Researchers observed that both versions encrypt their traffic to the command-and-control server with a simple RC4 routine under a hardcoded key, so a key recovered from one sample is enough to decode captured traffic from that build. Once active on a host, CastleRAT collects basic details such as the computer name, username, machine GUID, public IP address, and system information and sends them to the operator. It can then download files, execute them, run commands remotely, and carry out follow-up actions ordered by the operator. The C variant also adds keylogging, clipboard theft, screen capture, and browser manipulation, making it better suited to monitoring user activity while blending in with normal system behavior.
CastleRAT performs a range of actions designed to collect data, control the host, and remain hidden. It gathers clipboard content from multiple threads, sends it to the operator, and can hijack paste operations to move stolen data quietly. Over the same RC4-encrypted channel it receives additional DLL plugins, which it loads through rundll32. It disguises internal activity by setting environment variables that mimic components of trusted software. Keylogging runs in a separate thread that records keystrokes, encrypts the data, and exfiltrates the output. Remote commands are executed through anonymous pipes, giving operators a shell with no visible window. CastleRAT also kills and restarts browsers with flags chosen to suppress prompts and alerts, enumerates media devices for possible video capture, registers scheduled tasks for persistence, and captures screenshots of the active desktop. It can contact external web pages acting as dead-drop resolvers to locate its command server, and it uses handle-stealing patterns to bypass user account control. Together these behaviors give attackers extensive control over the host.
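Both the check-in traffic described in the summary and the plugin delivery described above rely on the same RC4 routine with a hardcoded key. The following is an added example, not CastleRAT code or code from the referenced reports: it implements RC4 and shows how an analyst decodes a captured check-in blob and a delivered DLL once the key has been recovered from a sample. The key, the JSON check-in layout, and the field names are assumptions for illustration; the real format is not documented on this page.

```python
"""RC4 decoder for C2 check-in and plugin blobs (added example).

The key and message layout below are ASSUMPTIONS for illustration;
substitute the key and structure recovered from the actual sample.
"""
import json

ASSUMED_KEY = b"example-hardcoded-key"   # assumption: not the real key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def build_checkin(hostname: str, username: str, machine_guid: str,
                  public_ip: str, os_info: str) -> bytes:
    """Constructed check-in blob. JSON layout is an assumption."""
    fields = {
        "hostname": hostname,
        "username": username,
        "machine_guid": machine_guid,
        "public_ip": public_ip,
        "os": os_info,
    }
    return rc4(ASSUMED_KEY, json.dumps(fields).encode())


def decode_checkin(blob: bytes) -> dict:
    """Decrypt a captured check-in and parse the assumed JSON layout."""
    return json.loads(rc4(ASSUMED_KEY, blob).decode())


def decode_plugin(blob: bytes) -> bytes:
    """Decrypt a delivered plugin and sanity-check that it is a PE image.

    An 'MZ' header after decryption is a cheap check that the key is right
    before the DLL is handed to further static analysis.
    """
    dll = rc4(ASSUMED_KEY, blob)
    if dll[:2] != b"MZ":
        raise ValueError("decrypted payload is not a PE file; wrong key?")
    return dll


if __name__ == "__main__":
    # Constructed traffic: what the host would send and what the operator
    # would push back (a stand-in DLL, not a real plugin).
    checkin = build_checkin("WS01", "alice", "8f1b2c3d-0000-4000-8000-000000000000",
                            "203.0.113.10", "Windows 10 Pro 19045")
    print("decoded check-in:", decode_checkin(checkin))
    fake_dll = b"MZ" + b"\x90" * 30
    print("plugin ok:", decode_plugin(rc4(ASSUMED_KEY, fake_dll)) == fake_dll)
```

Because RC4 is a stream cipher, the same call both encrypts and decrypts; the only analyst work is extracting the key from the binary. The PE-header check in `decode_plugin` catches the common failure mode of running the wrong build's key against captured traffic.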
CastleRAT combines surveillance, remote control, and stealth in a single tool that can remain active for long periods. Its system discovery, RC4-based communication, and thread-driven data theft let attackers manage infected hosts quietly. The C variant strengthens these abilities with clipboard hijacking, keylogging, browser control, screenshot capture, and media device probing, which let operators monitor user activity without creating obvious signs of intrusion. CastleRAT also relies on scheduled tasks, rundll32-based plugin loading, disguised environment variables, and dead-drop resolvers to stay persistent and extend its functions. More advanced behaviors such as anonymous pipe shells, muted browser relaunching, and handle-stealing for privilege elevation reduce the visibility of the malware and make investigation harder. By translating these behaviors into detection rules, defenders can flag anomalies such as browsers launched with unusual flags from unexpected parents, rundll32 loading DLLs from user-writable paths, clipboard misuse, and shells spawned without a visible window. Understanding how these techniques work together helps analysts track the malware's actions and supports response and containment.
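To show how the behaviors above translate into detection rules, here is an added example (not vendor, project, or report code) that runs a handful of process-creation rules over constructed events shaped like Sysmon Event ID 1 records. The user-writable path list, the "quiet" browser flag list, and the sample events are assumptions for illustration; the page does not name the specific flags CastleRAT uses, so the flag list must be tuned to what is observed in the sample.

```python
"""Process-creation detection rules for CastleRAT-style behaviour (added example).

Events are CONSTRUCTED to resemble Sysmon Event ID 1 fields. Path and flag
lists are assumptions to be tuned per environment and per sample.
"""
import re
from dataclasses import dataclass

# Assumption: directories a normal user can write to; legitimate software
# rarely needs rundll32, schtasks, or a shell launched from here.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Assumption (illustrative): switches that suppress prompts or UI when a
# browser is relaunched. Replace with the flags seen in the actual sample.
QUIET_BROWSER_FLAGS = ("--no-first-run", "--no-default-browser-check",
                       "--disable-popup-blocking", "--headless")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def rule_rundll32_plugin_from_user_dir(e: ProcEvent) -> bool:
    """rundll32 loading a DLL that lives under a user-writable directory."""
    if basename(e.image) != "rundll32.exe":
        return False
    for m in re.finditer(r'"([^"]+?\.dll)"|(\S+?\.dll)', e.command_line, re.I):
        if in_user_writable(m.group(1) or m.group(2)):
            return True
    return False


def rule_schtasks_from_user_dir(e: ProcEvent) -> bool:
    """Scheduled task creation driven by a binary in a user-writable path."""
    return (basename(e.image) == "schtasks.exe"
            and "/create" in e.command_line.lower()
            and in_user_writable(e.parent_image))


def rule_quiet_browser_relaunch(e: ProcEvent) -> bool:
    """Browser started by a user-dir parent with prompt-suppressing flags."""
    cl = e.command_line.lower()
    return (basename(e.image) in BROWSERS
            and in_user_writable(e.parent_image)
            and any(flag in cl for flag in QUIET_BROWSER_FLAGS))


def rule_browser_kill_from_user_dir(e: ProcEvent) -> bool:
    """taskkill against a browser, launched from a user-writable path."""
    cl = e.command_line.lower()
    return (basename(e.image) == "taskkill.exe"
            and in_user_writable(e.parent_image)
            and any(b in cl for b in BROWSERS))


def rule_shell_from_user_dir(e: ProcEvent) -> bool:
    """cmd/powershell spawned by a user-dir parent (pipe-driven hidden shell)."""
    return basename(e.image) in SHELLS and in_user_writable(e.parent_image)


RULES = {fn.__name__[len("rule_"):]: fn for fn in (
    rule_rundll32_plugin_from_user_dir, rule_schtasks_from_user_dir,
    rule_quiet_browser_relaunch, rule_browser_kill_from_user_dir,
    rule_shell_from_user_dir)}


def evaluate(events):
    """Return (rule_name, event_index) pairs for every rule that fires."""
    return [(name, i) for i, e in enumerate(events)
            for name, fn in RULES.items() if fn(e)]


RAT = r"C:\Users\alice\AppData\Roaming\upd\svc.exe"   # constructed implant path
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Roaming\upd\plugin.dll,Run", RAT),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "' + RAT + '"', RAT),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"chrome.exe" --no-first-run --disable-popup-blocking', RAT),
    ProcEvent(r"C:\Windows\System32\taskkill.exe", r"taskkill.exe /F /IM chrome.exe", RAT),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe", RAT),
    # Benign controls: system DLL via rundll32, browser started by explorer.
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"chrome.exe" https://example.com', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx].command_line}")
```

Each rule keys on the parent or DLL living in a user-writable directory rather than on a specific file name, so the logic survives renamed droppers. The shell rule will also fire on legitimate user scripts launched from profile directories; in production it should be combined with the rundll32 or scheduled-task hit on the same parent rather than alerting on its own.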
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Execution | T1559 | Inter-Process Communication | — |
| Persistence | T1053 | Scheduled Task/Job | — |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1036 | Masquerading | — |
| Defense Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Discovery | T1082 | System Information Discovery | — |
| Collection | T1115 | Clipboard Data | — |
| Collection | T1056.001 | Input Capture | Keylogging |
| Collection | T1185 | Browser Session Hijacking | — |
| Collection | T1125 | Video Capture | — |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1102.001 | Web Service | Dead Drop Resolver |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1204 | User Execution |
| Defense Evasion | F0015 | Hijack Execution Flow |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Command and Control | B0030 | C2 Communication |
| Collection | F0002 | Keylogging |
| Collection | E1113 | Screen Capture |
| Discovery | E1082 | System Information Discovery |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Lateral Movement | E1105 | Ingress Tool Transfer |
REFERENCES:
The following reports contain further technical details: