Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:22:45 UTC
Home > List all groups > List all tools > List all groups using tool CASTLETAP
 Tool: CASTLETAP
Names CASTLETAP
Category Malware
Type Backdoor
Description
(Mandiant) Analysis on the FortiGate firewalls identified an additional malicious file
/bin/fgfm. Analysis of /bin/fgfm determined it to be a passive backdoor, named CASTLETAP,
that listened for a specialized ICMP packet for activation. The threat actor likely named the
file ‘fgfm’ in an attempt to disguise the backdoor as the legitimate service ‘fgfmd’ which
facilitates communication between the FortiManager and FortiGate firewalls.
Once executed, CASTLETAP created a raw promiscuous socket to sniff network traffic.
CASTLETAP then filtered and XOR decoded a 9-byte magic activation string in the payload
of an ICMP echo request packet.
Information Last change to this tool card: 26 August 2024
Download this tool card in JSON format
All groups using tool CASTLETAP
Changed Name Country Observed
APT groups
 UNC3886 2021-Early 2025
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cc32e2b8-7562-4241-929f-450ed69be9cb
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cc32e2b8-7562-4241-929f-450ed69be9cb
Page 1 of 1