{ "name": "CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security", "slug": "castlerat-attack-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security", "description": "A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats.", "published": "2026-03-11T10:10:30+00:00", "created_at": "2026-03-11T10:10:30+00:00", "modified_at": "2026-03-16T08:21:15+00:00", "created_at_opencti": "2026-03-11T10:10:30+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2026-03-11", "api abuse", "castlerat", "clickfix", "deno", "javascript", "social engineering" ], "related_entities": { "observables": [ { "id": "", "name": "23.94.145.120" }, { "id": "", "name": "bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a" }, { "id": "", "name": "a4787a42070994b7f1222025828faf9b153710bb730e58da710728e148282e28" } ], "malware": [ { "id": "52e20e37-891c-400f-bff6-55e57c48abcb", "name": "CastleRAT", "slug": "castlerat" } ], "attack_patterns": [ { "id": "00430919-9257-403b-8a1b-958d4c3613aa", "name": "T1557" }, { "id": "93b2c4dd-5523-4464-8976-78754ee372fd", "name": "T1012" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b", "name": "T1059.006" }, { "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2", "name": "T1059.007" }, { "id": "667462db-9031-48eb-893a-05d35f9330a7", "name": "T1056.001" }, { "id": "f48eade0-2f45-4ff7-aa61-8ba887887f81", "name": "T1123" }, { "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7", "name": "T1555" }, { "id": "269fca28-cdea-40b4-ae42-8246ad31a84a", "name": "T1125" }, { "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7", "name": "T1016" }, { "id": "50514c04-b3a2-4abf-a855-e3a434200c87", "name": "T1204" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b", "name": "T1033" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" }, { "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818", "name": "T1027.002" }, { "id": "45082a8e-9c79-470e-ad1b-decac7188e8f", "name": "T1083" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" }, { "id": "f4a450ef-8297-42e5-9e47-01162138baa2", "name": "T1115" } ], "others": [ { "id": "", "name": "dsennbuappec.zhivachkapro.com" }, { "id": "", "name": "serialmenot.com" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/69b14da6cb1bf921c7ac6d22", "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/" ] }