{
  "name": "ClickFix Deno Abuse to CastleRAT",
  "slug": "clickfix-deno-abuse-to-castlerat",
  "description": "Activity began with a ClickFix-style social engineering chain that led to MSI execution, PowerShell staging, and installation/use of Deno to run attacker-controlled JavaScript. Follow-on activity downloaded a portable Python runtime, `install.pyc`, and an encrypted `.MOa` container; the container was later decrypted to recover a 64-bit Windows PE payload. Analysis of the recovered payload showed Steam Community being used as a dead-drop resolver for C2, with the profile title resolving to `smokeenew[.]com`, while `ip-api.com` was used for victim network/geolocation profiling. The payload also contained logic for browser/wallet data collection, clipboard/keylogging-related capabilities, Defender exclusions, UAC bypass/relaunch behavior through `ComputerDefaults.exe`, and a C2-tasked mechanism to receive and install an additional `Krutyak.zip` / `usbmmidd_v2` component. Recommendations: Block the listed artifacts where applicable.",
  "published": "2026-06-04T14:40:29+00:00",
  "created_at": "2026-06-04T14:40:29+00:00",
  "modified_at": "2026-06-04T14:40:30+00:00",
  "created_at_opencti": "2026-06-04T14:40:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-06-04"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "162.33.177.16"
      },
      {
        "id": "",
        "name": "http://162.33.177.16/CFBatFIX/7sjVtn0zPVjMZzkxZ.MOa"
      },
      {
        "id": "",
        "name": "http://162.33.177.16/CFBatFIX/install.pyc"
      },
      {
        "id": "",
        "name": "http://webstizkgao.com/v02c4fd90de22ee0677.js"
      },
      {
        "id": "",
        "name": "http://webstizkgao.com/v2c4fd90de22ee0677.js"
      },
      {
        "id": "",
        "name": "c9afa1e8ce84b3af50304b504519a587488658142137cf4bbf85f5780c06f682"
      },
      {
        "id": "",
        "name": "f704a49c0cdaaae4515105bf937e26b5e39b1101c8a0cefaca3959fce7418e9d"
      },
      {
        "id": "",
        "name": "82056127b671583deb500d931ecb893224c34d3b8de66c0959700d55a1bfbbfd"
      },
      {
        "id": "",
        "name": "f1ecb89facb7e31ee9c03278f4106113c0339ff9fc10b1aefe33aaab776e8540"
      },
      {
        "id": "",
        "name": "b04bc0780b2cd11fde488372387f557a87fd473ba546295f5fca7771d5b8a394"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "smokeenew.com"
      },
      {
        "id": "",
        "name": "webstizkgao.com"
      },
      {
        "id": "",
        "name": "nicenicc.com"
      },
      {
        "id": "",
        "name": "lkczkqweca.com"
      },
      {
        "id": "",
        "name": "ibewfszvehhb.lkczkqweca.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a21aa7db4b7cf1351f27cb6"
  ]
}