GrayBravo

Also known as: TAG-150, GrayBravo

TAG-150, also known as GrayBravo, is a sophisticated threat actor responsible for developing multiple custom malware families, including CastleLoader and CastleRAT, and operates a large-scale, multi-layered infrastructure. The group employs the ClickFix technique to distribute malware through phishing attacks that impersonate legitimate services, leveraging deceptive domains and fake repositories. Insikt Group has identified four distinct activity clusters associated with TAG-150, each targeting different victim profiles and utilizing unique TTPs.

Introduction

TAG-150, also known as GrayBravo, is a sophisticated threat actor responsible for developing multiple custom malware families, including CastleLoader and CastleRAT, and operates a large-scale, multi-layered infrastructure. The group employs the ClickFix technique to distribute malware through phishing attacks that impersonate legitimate services, leveraging deceptive domains and fake repositories. Insikt Group has identified four distinct activity clusters associated with TAG-150, each targeting different victim profiles and utilizing unique TTPs.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.