A sophisticated new Remote Access Trojan (RAT) has emerged, blending stealthy execution with powerful data theft capabilities to compromise enterprise networks. Dubbed CastleRAT, the malware was first identified by the Splunk Threat Research Team (STRT) around March 2025 and is being actively used by multiple threat groups to target hosts and networks.
While two variants exist—Python and C—the C-compiled version has been flagged as the more dangerous threat due to its advanced stealth features and expanded capabilities.
CastleRAT operates with a clear objective: silently infiltrate, harvest data, and maintain persistent access. The C-compiled variant is particularly concerning because it “tends to be stealthier and may include extra capabilities such as keystroke capture, screen grabs, or more persistent installation methods”.
Unlike its Python counterpart, which is easier to inspect, the C build is designed to evade detection while executing complex tasks. It communicates with its Command-and-Control (C2) server using a “simple RC4 algorithm, with a hardcoded key for both encryption and decryption,” masking its traffic from basic network monitoring tools.
The infection typically begins with the malware gathering detailed reconnaissance data. “This CastleRAT client gathers basic system details from a compromised host, including the computer name, username, machine GUID, Product name, and uses the free web service www[.]ip-api[.]com to obtain the public IP”. This information is then beaconed back to the attacker, signaling a successful breach.
Once established, CastleRAT deploys several advanced techniques to entrench itself and steal data:
- Clipboard Hijacking: The malware monitors and steals clipboard content, targeting credentials and cryptocurrency wallet addresses.
- Screen Capture: A dedicated background thread “periodically captures screenshots of the active desktop,” allowing attackers to visually spy on user activity.
- Browser Session Hijacking: CastleRAT can kill a running browser and relaunch it with specific flags (e.g., `--mute-audio`, `--do-not-de-elevate`) to monitor or control the session without alerting the user.
- UAC Bypass: To escalate privileges, the malware abuses the “Appinfo service UUID to ask Windows to launch a trusted binary (ComputerDefaults.exe) under a privileged context,” effectively bypassing User Account Control (UAC).
To hide its C2 infrastructure, CastleRAT leverages legitimate services. The report highlights its use of Steam Community pages as “benign-looking dead-drop resolvers”. Attackers post encoded instructions on these public profiles, which the malware retrieves to find its next C2 server, blending malicious traffic with normal web browsing activity.
The STRT has released a set of detections mapped to MITRE ATT&CK techniques to help defenders identify this threat. Key indicators include:
- Unusual outbound connections to IP geolocation services or Steam Community pages.
- Unexpected binaries appearing in user folders (e.g., %AppData%).
- Suspicious process behavior, such as ComputerDefaults.exe spawning unexpected child processes or browsers launching with unusual command-line flags.
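The indicators above can be turned into simple host-telemetry rules. The following is an added example written for this article, not STRT's published detections: it runs four rules over constructed process-creation and network-connection records (the event shape, the `svc.exe` sample, the `alice` user and the list of shell/LOLBin children are all assumptions for illustration).

```python
import ntpath

# Constructed sample telemetry (not from the report): simplified process-creation
# and network-connection records in the shape an EDR/Sysmon pipeline might emit.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "process", "parent": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --mute-audio --do-not-de-elevate"},
    {"type": "process", "parent": r"C:\Windows\System32\ComputerDefaults.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Users\alice\AppData\Roaming\svc.exe", "cmdline": "svc.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "dest_host": "ip-api.com", "dest_port": 80},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "steamcommunity.com", "dest_port": 443},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SUSPICIOUS_FLAGS = {"--mute-audio", "--do-not-de-elevate"}  # flags named in the report
# Assumed list of shells/LOLBins that ComputerDefaults.exe has no business launching.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
# Hosts named in the report: a browser contacting them is routine, another process is not.
GEOIP_OR_DEAD_DROP_HOSTS = {"ip-api.com", "steamcommunity.com"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every event matching one of the indicators."""
    hits = []
    for i, ev in enumerate(events):
        img = base(ev["image"])
        if ev["type"] == "process":
            flags = set(ev["cmdline"].split())
            if img in BROWSERS and flags & SUSPICIOUS_FLAGS:
                hits.append(("browser_relaunched_with_suspicious_flags", i))
            if base(ev["parent"]) == "computerdefaults.exe" and img in SHELL_CHILDREN:
                hits.append(("computerdefaults_spawning_shell", i))
            if "\\appdata\\" in ev["image"].lower():
                hits.append(("binary_executing_from_appdata", i))
        elif ev["type"] == "network":
            if ev["dest_host"].lower() in GEOIP_OR_DEAD_DROP_HOSTS and img not in BROWSERS:
                hits.append(("non_browser_contact_to_geoip_or_steam", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```

Note that the final event (a browser reaching steamcommunity.com) is deliberately not flagged: the signal is the process making the connection, not the destination alone.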