{
	"id": "4cf8e32c-bbd3-4650-9237-9b6c487d0cf8",
	"created_at": "2026-04-06T00:15:59.49279Z",
	"updated_at": "2026-04-10T03:30:57.704051Z",
	"deleted_at": null,
	"sha1_hash": "0def6e8889955fe07445886b8402b7c9aa3b5bc9",
	"title": "[Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations — Deception.Pro Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 663109,
	"plain_text": "[Op Report] CastleRAT Campaign leads to Hands-on-Keyboard\r\nATO Operations — Deception.Pro Blog\r\nWritten By MalBeacon, Jan 7\r\nPublished: 2001-01-07 · Archived: 2026-04-05 16:20:55 UTC\r\nExecutive Summary\r\nThis Deception.Pro operation captured a multi-stage malware intrusion culminating in hands-on-keyboard\r\n(HoK) activity focused exclusively on account takeover (ATO): not ransomware staging or enterprise lateral\r\nmovement.\r\nThe campaign initiated with a Matanbuchus loader via a malicious MSI, followed by NetSupport RAT,\r\nRemcos RAT, and ultimately CastleRAT (aka NightShadeC2). Rather than enumerating Active Directory or\r\nmoving laterally, the actor exfiltrated browser credentials and used CastleRAT to proxy the replica’s live\r\nbrowser session, attempting logins against financial-institution websites directly from the compromised\r\nworkstation.\r\nThis operation strongly reinforces an emerging pattern: some access brokers and malware operators are\r\nmonetizing endpoints immediately through ATO and fraud, bypassing the traditional “steal creds → sell\r\naccess → ransomware affiliate” pipeline entirely.\r\nEnvironment Overview\r\nReplica Role: Senior Real Estate Portfolio Analyst\r\nIndustry: Real Estate\r\nReplica Organization: Global commercial and residential real estate firm leveraging AI-driven portfolio\r\nanalytics\r\nOperation Duration: ~7 days (Dec 4–Dec 11, 2025)\r\nTimeline of Activity\r\n2025-12-04 20:44:13\r\nInitial infection chain triggered via malicious MSI ( CarrierRegistration.msi ). Embedded Matanbuchus DLL\r\ndownloads additional payloads.\r\nDownloads observed:\r\nTBank231.zip\r\nPetuhon.zip\r\nHost: 172.86.123[.]222:80\r\n2025-12-04 20:44:45\r\nNetSupport RAT deployed via DLL sideloading:\r\nPath:\r\nC:\\Users\\USER_REDACTED\\AppData\\Roaming\\Player\\yuh.exe\r\nC2: 88.218.64[.]224:443\r\n2025-12-04 → 2025-12-07\r\nCredential staging and reconnaissance:\r\nBrowser data archived\r\nC2 TLS traffic to diplomitta[.]com (95.164.53[.]39)\r\n2025-12-08 21:46:12\r\nRemcos RAT deployed via DLL sideloading:\r\nPath:\r\nC:\\Users\\USER_REDACTED\\AppData\\Local\\DataFileConverter\\crash-handler-app.exe\r\nC2: 216.126.237[.]122:443\r\nConfirmed via JA3 TLS fingerprinting and malware config extraction\r\n2025-12-08 → 2025-12-08 23:42:06\r\nHands-on-keyboard activity observed:\r\nActor launches Microsoft Edge and Chrome browsers via CastleRAT\r\nLive browser sessions tunneled through CastleRAT\r\nActor attempts logins to financial-institution websites using exfiltrated browser credentials\r\nNo AD enumeration, no lateral movement\r\nIndicators of Compromise (IOCs)\r\nFile Hashes \u0026 Malware\r\nCarrierRegistration.msi\r\nSHA-256:\r\na65336f002b154eab29856ce11d363db89fe8c05bcccc5d0e1611bb355eb0b8d\r\nStage-Two Downloads\r\nTBank231.zip\r\nc1ec8c0e0b538ee0c884a077b4dc8cc7e2765cd30ef60350da5d8d52232f1cf7\r\nPetuhon.zip\r\nf6954b64af18386c523988a23c512452fd289e3591218e7dbb76589b9b326d34\r\nMalicious Paths\r\nC:\\Users\\USER_REDACTED\\AppData\\Roaming\\5687ca6915a1f29a\\Update.exe\r\nC:\\Users\\USER_REDACTED\\AppData\\Roaming\\Player\\yuh.exe\r\nC:\\Users\\USER_REDACTED\\AppData\\Local\\DataFileConverter\\crash-handler-app.exe\r\nNetwork IOCs\r\nC2 Infrastructure\r\n216.126.237[.]122:443 — Remcos RAT\r\n88.218.64[.]224:443 — NetSupport RAT\r\n95.164.53[.]39 ( diplomitta[.]com )\r\n172.86.123[.]222 — Matanbuchus payload host\r\nCastleRAT / NightShadeC2 Dead-Drops\r\nSteam profile → tdrdomainnew[.]com ( 207.189.164[.]112 )\r\nSteam profile → secondtdr[.]com ( 62.60.248[.]38 )\r\nExample Steam profile page leveraged by CastleRAT as a command-and-control dead-drop\r\nmechanism.\r\nChrome browser history from the replica workstation, capturing websites visited by the threat actor\r\nduring live HoK activity.\r\nSource: https://blog.deception.pro/blog/castlerat-dec2025-hok-ato",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.deception.pro/blog/castlerat-dec2025-hok-ato"
	],
	"report_names": [
		"castlerat-dec2025-hok-ato"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0def6e8889955fe07445886b8402b7c9aa3b5bc9.pdf",
		"text": "https://archive.orkl.eu/0def6e8889955fe07445886b8402b7c9aa3b5bc9.txt",
		"img": "https://archive.orkl.eu/0def6e8889955fe07445886b8402b7c9aa3b5bc9.jpg"
	}
}