ATT&CK v18 has been released! Check out the blog post or changelog for more information.

CASTLETAP

CASTLETAP is an ICMP port knocking backdoor that has been installed on compromised FortiGate firewalls by UNC3886.^[1]

ID: S1224

ⓘ

Type: MALWARE

ⓘ

Platforms: Network Devices

Version: 1.0

Created: 16 June 2025

Last Modified: 16 June 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	CASTLETAP has the ability to spawn BusyBox command shell in victim environments.^[1]
Enterprise	T1005		Data from Local System	CASTLETAP can execute a C2 command to transfer files from victim machines.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	CASTLETAP can filter and deobfuscate an XOR encrypted activation string in the payload of an ICMP echo request.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	CASTLETAP can receive a 9-byte XOR encrypted activation string in the payload of an ICMP echo request packet.^[1]
		.002	Encrypted Channel: Asymmetric Cryptography	CASTLETAP can initiate a C2 connection over an SSL socket.^[1]
Enterprise	T1105		Ingress Tool Transfer	CASTLETAP can transfer files to compromised network devices.^[1]
Enterprise	T1040		Network Sniffing	CASTLETAP has the ability to create a raw promiscuous socket to sniff network traffic.^[1]
Enterprise	T1205	.002	Traffic Signaling: Socket Filters	CASTLETAP can listen for a specialized ICMP packet for activation on compromised network devices.^[1]

Groups That Use This Software

ID	Name	References
G1048	UNC3886	^[1]

References

Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.