Behind the Walls: Techniques and Tactics in Castle RAT Client Malware

    Date: 12/26/2025

    Severity: High

    Summary

    Multiple threat groups are deploying a variety of malware to compromise hosts and networks, and CastleRAT is one of the latest payloads observed this year. First identified around March 2025, CastleRAT is a Remote Access Trojan (RAT) distributed in two primary variants: a Python-based version and a compiled C version. Both share the same core objectives but differ in functionality and propagation methods: the Python variant is lighter and easier to analyze, while the C variant is more robust and supports additional capabilities.

    Indicators of Compromise (IOC) List

    Hashes (SHA-256):

    963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d

    f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be

    4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395

    282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 3:

    sha256hash IN ("963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d","f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be","4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395","282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207")
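    The query above is a straight SHA-256 lookup against the IOC list. The following Python script is an added example, not Gurucul's or the Splunk reference's code, that performs the same check outside the SIEM: it hashes files on disk and matches endpoint events against the same four hashes. The JSON event format and the `SAMPLE_EVENTS` records are constructed for illustration and do not represent real telemetry or any specific product's log schema.

```python
import hashlib
import json
from pathlib import Path

# SHA-256 values from the advisory's IOC list (identical to the detection query).
CASTLERAT_SHA256 = {
    "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d",
    "f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be",
    "4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395",
    "282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207",
}


def normalize_sha256(value):
    """Return a lower-case 64-hex digest, or None if the field is not a SHA-256.

    Handles upper-case hashes and Sysmon-style composite fields ("SHA256=...")
    so that a case or prefix difference does not silently miss an IOC.
    """
    if value is None:
        return None
    v = value.strip().lower()
    if "=" in v:
        v = v.split("=", 1)[1]
    if len(v) != 64 or any(c not in "0123456789abcdef" for c in v):
        return None
    return v


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, iocs=CASTLERAT_SHA256):
    """Recursively hash files under root; return (path, sha256) for every IOC match."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:  # unreadable or vanished file; skip rather than abort the sweep
            continue
        if digest in iocs:
            hits.append((str(p), digest))
    return hits


def match_events(events, iocs=CASTLERAT_SHA256):
    """Match JSON event lines carrying a 'sha256' field against the IOC set.

    The one-record-per-line JSON layout is an assumed, constructed format;
    malformed lines are skipped so one bad record does not stop the sweep.
    """
    hits = []
    for line in events:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        digest = normalize_sha256(rec.get("sha256"))
        if digest and digest in iocs:
            hits.append(rec)
    return hits


# Constructed sample events (not real telemetry): one upper-case IOC hash,
# one benign Sysmon-style hash, one Sysmon-style IOC hash, and one garbage line.
SAMPLE_EVENTS = [
    '{"host":"ws01","image":"C:\\\\Users\\\\a\\\\update.exe","sha256":"963C012D56C62093D105AB5044517FDCCE4AB826F7782B3E377932DA1DF6896D"}',
    '{"host":"ws02","image":"C:\\\\Windows\\\\notepad.exe","sha256":"SHA256=0000000000000000000000000000000000000000000000000000000000000000"}',
    '{"host":"ws03","image":"C:\\\\Temp\\\\x.exe","sha256":"SHA256=4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395"}',
    "not json",
]

if __name__ == "__main__":
    for rec in match_events(SAMPLE_EVENTS):
        print(f"IOC hit on {rec['host']}: {rec['image']}")
    for path, digest in scan_directory("."):
        print(f"IOC hit on disk: {path} ({digest})")
```

    Treat hash matches as high-confidence but low-coverage: any rebuild or repack of the sample changes its SHA-256, so use these values for retro-hunting known samples and pair them with behavior-based detections for ongoing coverage.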

    Reference: 

    https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html


    Tags

    Malware, RAT
