
ThreatDown Uncovers First Cyber Attack Abusing Deno JavaScript Runtime for Fileless Malware Delivery


  • ThreatDown’s EDR team discovered a sophisticated, multi-stage attack chain during an active investigation; the first documented case of attackers abusing the Deno runtime as a malware execution framework
  • The attack installs CastleRAT entirely in memory by hiding the encrypted payload inside a JPEG image, bypassing traditional antivirus engines that rely on disk-based file scanning
  • Because Deno is legitimate, code-signed developer software, activity within the runtime may be trusted by security tools that focus primarily on detecting malicious files written to disk

SANTA CLARA, Calif.: ThreatDown, the corporate business unit of Malwarebytes, today published research documenting what researchers believe to be the first documented case of attackers abusing the Deno JavaScript runtime as a malware execution framework. The attack was uncovered by ThreatDown’s Endpoint Detection and Response (EDR) team.

The multi-stage infection chain ultimately installs CastleRAT, a remote access Trojan capable of credential theft, surveillance and remote command execution. The malware executes entirely in system memory and never appears on disk as a traditional executable file.

The campaign highlights an evolution in attacker tradecraft. Rather than relying on malicious binaries, the attackers leveraged Deno, a legitimate, code-signed JavaScript runtime widely used by developers, to execute obfuscated scripts that retrieve additional payloads. Because the activity occurs inside a trusted process, traditional antivirus tools that rely on file-based scanning may fail to detect it.

Threat actors have long abused built-in operating system tools in “living-off-the-land” attacks, but the use of a developer runtime like Deno represents a new expansion of that technique.

“This is the first time we’ve seen attackers co-opt the Deno runtime in the wild, and it signals a broader shift in how threat actors think about evasion,” said Marco Giuliani, Vice President, Head of Research at ThreatDown. “Deno is legitimate software that security products trust. By exploiting that trust, attackers can execute malicious code in ways many endpoint defenses aren’t designed to monitor.”

The research was led by Lorenzo Corazzi, Malware Research Engineer at ThreatDown.

How the Attack Works

ThreatDown’s research details a multi-phase infection chain designed for maximum stealth. The attackers employ a three-step process to bypass traditional endpoint defenses:

  • Phase 1: Social Engineering via “ClickFix.” The attack begins with a ClickFix lure, a fake browser error or CAPTCHA prompt that instructs the user to copy and paste a command. This effectively bypasses web security filters because the user voluntarily executes the initial script themselves.
  • Phase 2: First-of-Its-Kind Deno Abuse. The initial script silently downloads and installs Deno, a legitimate, widely used and code-signed JavaScript runtime. By using Deno as a Trojan horse to execute obfuscated code, the attack inherits the privileges of trusted processes and evades behavioral alarms.
  • Phase 3: Steganography and In-Memory Execution. The attackers hide the encrypted final payload inside a seemingly innocuous JPEG image. A disguised script decodes the image and injects the malware directly into system memory. The payload never touches the hard drive as an executable file, rendering traditional file-scanning antivirus engines useless.

CastleRAT Capabilities: Total Machine Control

Once established in memory, CastleRAT takes total control of the compromised machine. Hiding behind legitimate processes, the malware leverages advanced abuse of low-level Windows APIs to conduct devastating espionage. Key capabilities include:

  • Total Espionage & Cryptocurrency Theft: Silent keylogging and clipboard hijacking to steal credentials, passwords and cryptocurrency wallet addresses.
  • Audio/Video Surveillance: Covert initialization of the victim's webcams and microphones for real-time monitoring.
  • Invisible Backdoors: Anonymous communication pipes that grant attackers full remote access with no visible console window, coupled with persistence mechanisms to survive system reboots.

ThreatDown detects and blocks this attack chain at multiple stages, identifying its components as Trojan.CastleLoader and Trojan.CastleRAT. Rather than relying on file-based scanning, ThreatDown's behavioral monitoring analyzes anomalies in process execution and severs communication with command-and-control servers before data is stolen.

Security teams can find indicators of compromise and the full technical analysis on the ThreatDown blog: CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security. To learn more about the latest threats and cybersecurity strategies for businesses and the channel, visit threatdown.com or follow ThreatDown on LinkedIn and X.

FAQs

How are attackers using legitimate developer tools to bypass endpoint security?

In what ThreatDown researchers identify as an industry first, this campaign installs the Deno JavaScript runtime and uses it as a Trojan horse to execute obfuscated malicious scripts. Because the code runs inside a process the operating system trusts, it inherits elevated privileges and full system access without triggering antivirus alerts. The technique represents a new category of “living off the land” attack that extends beyond built-in OS utilities to third-party developer frameworks.

What is fileless malware, and why can’t traditional antivirus software detect it?

Fileless malware operates entirely in system memory without writing executable files to disk. In this CastleRAT campaign, the payload is encrypted inside a JPEG image using steganography, then decoded and injected into memory through a technique called reflective PE loading. Because traditional antivirus engines detect threats by scanning files on disk, they never see malware payloads that exist only in memory.

How can organizations detect attacks that never write a file to disk?

Traditional antivirus software relies on scanning files saved to the hard drive, which means fileless threats like CastleRAT are invisible to those defenses. Detection requires endpoint behavioral monitoring that analyzes how processes behave at runtime, flagging anomalies like a trusted developer tool attempting in-memory injections or establishing unexpected command-and-control communications. ThreatDown’s MDR team discovered this attack chain through exactly that approach, identifying suspicious behavior before the attackers could achieve their objectives.
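The behavioral approach described in this answer can be sketched as a correlation rule over process telemetry. The following is an added example written for this page; it is not ThreatDown's detection logic and is not taken from the research. It assumes a generic EDR-style event stream (process creation, outbound network connections, remote-thread creation) with the field names shown, and the parent-process list, destination allowlist and alert threshold are illustrative choices that a real deployment would tune. The sample events are constructed; the address used is from the TEST-NET-3 documentation range, not an indicator from the campaign.

```python
"""Correlate developer-runtime behaviour into an alert (added example, not from the page)."""
from collections import defaultdict

# Developer runtimes whose in-memory activity we want to watch (assumption: Deno only here).
DEV_RUNTIMES = {"deno.exe", "deno"}
# Parents that suggest a user pasted a command rather than a developer starting a tool.
# Illustrative list; 'explorer.exe' covers the Run dialog and will need site-specific tuning.
SHELL_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"}
# Placeholder allowlist of expected destinations (e.g. an internal package registry).
KNOWN_DEST_SUFFIXES = ("registry.example:443",)

# Constructed telemetry: one abuse chain (pid 300) and one benign developer session (pid 500).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -c <pasted command placeholder>"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": "deno.exe",
     "cmdline": "deno run <script placeholder>"},
    {"type": "network_connect", "pid": 300, "dest": "203.0.113.10:443"},   # TEST-NET-3, constructed
    {"type": "remote_thread", "pid": 300, "target_pid": 400},              # injection into another process
    {"type": "process_create", "pid": 50, "ppid": 1, "image": "Code.exe", "cmdline": "Code.exe"},
    {"type": "process_create", "pid": 500, "ppid": 50, "image": "deno.exe", "cmdline": "deno test"},
    {"type": "network_connect", "pid": 500, "dest": "registry.example:443"},
]


def analyze(events):
    """Return {pid: [finding, ...]} for every developer-runtime process with suspicious behaviour."""
    images = {e["pid"]: e["image"].lower() for e in events if e["type"] == "process_create"}
    findings = defaultdict(list)
    for e in events:
        if images.get(e["pid"]) not in DEV_RUNTIMES:
            continue  # only runtime processes are scored
        if e["type"] == "process_create":
            parent = images.get(e["ppid"], "unknown")
            if parent in SHELL_PARENTS:
                findings[e["pid"]].append(f"shell_parent:{parent}")
        elif e["type"] == "network_connect":
            if not e["dest"].endswith(KNOWN_DEST_SUFFIXES):
                findings[e["pid"]].append(f"unexpected_network:{e['dest']}")
        elif e["type"] == "remote_thread":
            # A JavaScript runtime has no business creating threads in other processes.
            findings[e["pid"]].append(f"remote_thread:target={e['target_pid']}")
    return dict(findings)


def alerts(events, min_findings=2):
    """Pids whose findings cross the threshold; single findings are left as low-severity signals."""
    return sorted(pid for pid, f in analyze(events).items() if len(f) >= min_findings)


if __name__ == "__main__":
    for pid, found in analyze(SAMPLE_EVENTS).items():
        print(pid, found)
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The rule deliberately scores the runtime process rather than any single file: a shell parent alone, or an unknown destination alone, is common in developer environments, but a trusted runtime launched from a pasted command that then talks to an unexpected host and creates a thread in another process is the combination the answer above describes.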

About ThreatDown

ThreatDown, the corporate business unit of Malwarebytes, is a leader in endpoint security simplicity. Fueled by world-class threat research, proprietary AI engines, and a legacy of eliminating threats others miss, ThreatDown is recognized by MRG Effitas, AVLab Cybersecurity Foundation, and G2 as a leader in threat detection and response. Our powerful, efficient, and easy-to-use solutions protect people, devices, and data within minutes. The company is headquartered in California with offices in Europe and Asia.

Source: Business Wire
