The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT.
"Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group said.
The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al. are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.
CastleLoader was first documented by Swiss cybersecurity company PR