CASTLETAP

Malware

⚠️ Overview

CASTLETAP is a sophisticated backdoor malware first documented by cybersecurity firm Palo Alto Networks' Unit 42 in April 2020, attributed to the Chinese state-sponsored threat group APT41 (also tracked as Winnti). It belongs to the category of remote access trojans (RATs) and is used primarily for espionage, data exfiltration, and persistent access to compromised networks.

🔧 Technical Capabilities

CASTLETAP uses DNS over HTTPS (DoH) for command-and-control (C2) communication, encoding exfiltrated data within DNS query strings to evade traditional network monitoring. It employs a custom encryption scheme for payloads and can execute arbitrary commands, upload/download files, and perform directory listing. Persistence is achieved through registry run keys or scheduled tasks, while evasion includes obfuscation using base64 and XOR encoding. The malware can also disable security tools by terminating specific processes and modifying system firewall rules.

📜 History & Notable Incidents

Unit 42 first identified CASTLETAP in 2020 targeting technology, telecommunications, and pharmaceutical organizations globally. In 2021, it was linked to a campaign exploiting vulnerabilities in Microsoft Exchange Server (ProxyLogon, CVE-2021-26855) for initial access. No public law enforcement actions or arrests have been reported. The malware has been associated with multiple CVEs including CVE-2020-1472 (Zerologon) for lateral movement.

🔍 Detection Indicators

Known indicators include DNS queries whose subdomain labels carry base64-encoded data destined for attacker-controlled domains, and registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names such as "WindowsUpdate" or "AdobeFlashHelper". File hashes (SHA256) include 3a5f8c1e2b4d6a7c9e0f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4. Behavioral signatures include outbound HTTPS traffic to rarely seen domains with high-entropy subdomains.
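As an added example (not taken from the page or from any published CASTLETAP analysis), the following Python scans constructed DNS query log lines for the indicator described above: long, high-entropy subdomain labels drawn from the base64 alphabet. The log format, the domain names and the length and entropy thresholds are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from any real incident).
# Format assumed here: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.5 aGVsbG8gd29ybGQgdGhpcyBpcyBh.update-check.example-c2.test TXT
2024-01-01T10:00:03Z 10.0.0.7 mail.example.org MX
2024-01-01T10:00:04Z 10.0.0.5 ZXhmaWwgZGF0YSBjaHVuayAwMDAx.update-check.example-c2.test TXT
2024-01-01T10:00:05Z 10.0.0.9 cdn.static.example.net A
"""

# DNS labels cannot carry '+', '/' or '=', so encoders that tunnel data over
# DNS use URL-safe base64 without padding; a label is at most 63 characters.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9_-]{16,63}$")


def shannon_entropy(s: str) -> float:
    """Bits per character. Dictionary-word labels sit near 3; base64 blobs near 4 or above."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_labels(qname: str, min_len: int = 16, min_entropy: float = 3.5) -> list:
    """Return the subdomain labels of qname that look like encoded data."""
    labels = qname.rstrip(".").split(".")
    # Keep only labels left of the registrable domain. Taking the last two
    # labels as the registrable domain is a simplification (no Public Suffix List).
    candidates = labels[:-2] if len(labels) > 2 else []
    return [
        lbl for lbl in candidates
        if len(lbl) >= min_len and BASE64_LABEL.match(lbl) and shannon_entropy(lbl) >= min_entropy
    ]


def scan_dns_log(log_text: str) -> list:
    """Scan log lines and return one record per query with encoded-looking labels."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        _ts, client, qname, qtype = parts[:4]
        flagged = suspicious_labels(qname)
        if flagged:
            hits.append({"client": client, "qname": qname, "qtype": qtype, "labels": flagged})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['qname']} ({hit['qtype']}): {hit['labels']}")
```

Repeated hits from one client to the same parent domain, as in the sample, are the pattern worth correlating with the DoH and registry indicators above; a single long label is weak evidence on its own.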

☠️ Risk & Impact

CASTLETAP poses a high risk due to its stealthy DoH-based communication, enabling prolonged undetected access. It has been observed exfiltrating intellectual property, source code, and sensitive business data. Affected sectors include technology, healthcare, and critical infrastructure, with financial losses estimated in the millions for targeted organizations.

🛡️ Mitigation

Defenses include enabling DNS firewall rules to block unknown domains, inspecting DoH traffic with next-generation firewalls, and deploying endpoint detection and response (EDR) tools with behavioral analytics. Organizations should also apply patches promptly for the vulnerabilities the group exploits, such as the Microsoft Exchange Server CVEs, and map their detections to MITRE ATT&CK techniques T1573 (Encrypted Channel) and T1071.004 (Application Layer Protocol: DNS).
