Categories: Cyber Security News

Windows Systems Under Attack as Hackers Deploy CastleRAT Malware for Remote Access

Multiple threat groups are deploying a newly discovered remote access trojan (RAT) named CastleRAT to compromise Windows systems and maintain covert control of infected networks.

First detected in March 2025, this malware family stands out for its dual‑build architecture: one version written in Python and another in C.

The Python variant is lightweight and easier to analyze, while the C‑compiled edition is far more capable and designed for stealth and persistence.

According to research by the Splunk Threat Research Team (STRT), both versions of CastleRAT communicate with attacker‑controlled servers using the RC4 stream cipher with a hardcoded encryption key.

Once installed, the malware collects system information, including the computer name, username, machine GUID, public IP address, and product version, and transmits it to its command‑and‑control (C2) server.

This connection allows remote operators to issue further commands, download secondary payloads, or initiate an interactive shell for complete system manipulation.

The C version of CastleRAT is significantly more dangerous because it supports advanced spying features and persistence mechanisms.

The malware can capture screenshots, record keystrokes, scrape clipboard data, and even access webcams and microphones using the Microsoft Media Foundation API.

The Splunk analysis found that CastleRAT exploits legitimate APIs, such as SetWindowsHookEx() to intercept keystrokes and MFEnumDeviceSources() to enumerate media capture devices, before exfiltration.

In some instances, attackers also hijack browsers such as Chrome, Edge, or Brave by launching them with special audio suppression flags like --mute-audio to perform silent monitoring operations without alerting users.

Persistence, Privilege Escalation, and Detection

CastleRAT’s persistence is achieved through scheduled tasks that ensure it restarts after a reboot. The RAT also leverages rundll32.exe to decrypt and load malicious DLL plugins from its server, disguising them as legitimate components.

During analysis, researchers observed the use of masquerading tactics where CastleRAT creates environment variables named after harmless Python or Java modules to conceal its presence in user directories.

[Figure: CastleRAT beacon and C2 communication flow.]

A particularly notable feature is its ability to bypass User Account Control (UAC) by abusing the Appinfo service UUID.

This technique allows the malware to launch trusted Windows binaries such as ComputerDefaults.exe in a privileged context, duplicate their process handles, and inject into new malware instances with elevated privileges.

Such behavior enables stealthy escalation while leaving minimal forensic evidence.

The Splunk Threat Research Team released 16 detection rules in its CastleRAT analytic story to help defenders identify suspicious behaviors, such as rundll32 executions by ordinal number, unusual browser flags, or handle duplication within known UAC‑bypass binaries.

Security teams can implement these detections through Splunk’s Enterprise Security Content Updates and Security Essentials apps to mitigate the threat before it escalates into a full‑scale compromise.
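As an added example (not code from the article or from Splunk's analytic story), the following Python checker applies three of the behaviours described above to a handful of constructed Sysmon-style events: rundll32 invoking a DLL export by ordinal, a browser launched with --mute-audio, and a process-access event requesting PROCESS_DUP_HANDLE on ComputerDefaults.exe. The field names follow Sysmon conventions (Event ID 1 process create, Event ID 10 process access); the sample events and paths are constructed for this illustration.

```python
import re

# Constructed Sysmon-style events for this example; they are not data from the Splunk report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\cache\plugin.dll,#2"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --mute-audio --new-window https://example.test'},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" https://example.test'},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\cache\svc.exe",
     "TargetImage": r"C:\Windows\System32\ComputerDefaults.exe", "GrantedAccess": "0x1440"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\ComputerDefaults.exe", "GrantedAccess": "0x1000"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SUSPICIOUS_BROWSER_FLAGS = {"--mute-audio"}      # the flag named in the article
UAC_BYPASS_TARGETS = {"computerdefaults.exe"}    # the binary named in the article
PROCESS_DUP_HANDLE = 0x0040                      # Win32 process access right
ORDINAL_RE = re.compile(r",\s*#\d+(\s|$)")       # "<dll>,#<n>" export-by-ordinal form

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(event: dict) -> list[str]:
    """Return the names of the detections an event triggers (empty list if none)."""
    hits = []
    if event["EventID"] == 1:
        image, cmd = basename(event["Image"]), event["CommandLine"]
        if image == "rundll32.exe" and ORDINAL_RE.search(cmd):
            hits.append("rundll32_ordinal_export")
        if image in BROWSERS:
            flags = {tok.lower() for tok in cmd.split() if tok.startswith("--")}
            if flags & SUSPICIOUS_BROWSER_FLAGS:
                hits.append("browser_muted_launch")
    elif event["EventID"] == 10:
        granted = int(event["GrantedAccess"], 16)
        if basename(event["TargetImage"]) in UAC_BYPASS_TARGETS and granted & PROCESS_DUP_HANDLE:
            hits.append("handle_dup_on_uac_bypass_binary")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Pair each triggered detection with the index of the event that produced it."""
    return [(i, hit) for i, e in enumerate(events) for hit in detect(e)]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {hit}")
```

The benign rundll32 call, the plain browser launch and the svchost query without PROCESS_DUP_HANDLE produce no findings, which is the false-positive boundary a production rule would tune further.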


The post Windows Systems Under Attack as Hackers Deploy CastleRAT Malware for Remote Access appeared first on Cyber Security News.
