{ "Event": { "analysis": "1", "date": "2026-03-10", "extends_uuid": "", "info": "[Threat Intel] CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security", "protected": false, "publish_timestamp": "1774048950", "published": true, "threat_level_id": "3", "timestamp": "1774048949", "uuid": "3a32e71b-c0ae-446e-a504-8542db2f6cf5", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#e96364", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Adversary-in-the-Middle - T1557\"", "relationship_type": "" }, { "colour": "#e7d48a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#d3f567", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"", "relationship_type": "" }, { "colour": "#8b05c0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"", "relationship_type": "" }, { "colour": "#9dc839", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#a9bb6d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#ece0df", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Video Capture - T1125\"", "relationship_type": "" }, { "colour": "#9f6bd9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#d82db7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", "relationship_type": "" }, { "colour": "#7d37d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"", "relationship_type": "" }, { "colour": "#3c0f50", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"NightshadeC2 (Windows)\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773658848", "to_ids": false, "type": "link", "uuid": "f3165bd3-bdc9-45e2-992a-fd207707046f", "value": "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773658848", "to_ids": false, "type": "text", "uuid": "7c78a6bc-4a86-456d-8dca-dfc870fb90aa", "value": "A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773658848", "to_ids": false, "type": "text", "uuid": "680a014f-6e06-4b47-9aa6-b56b9a9867f6", "value": "Name: CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security\nAuthor: AlienVault\nAdversary: \nTags: [\"clickfix\", \"social engineering\", \"castlerat\", \"deno\", \"javascript\", \"api abuse\"]\nTgtd countries: []\nMlwr families: [\"CastleRAT\"]\nAttack_ids: [\"T1557\", \"T1033\", \"T1056.001\", \"T1059.007\", \"T1123\", \"T1115\", \"T1082\", \"T1071\", \"T1140\", \"T1555\", \"T1055\", \"T1125\", \"T1016\", \"T1083\", \"T1204\", \"T1027\", \"T1573\", \"T1012\", \"T1059.006\", \"T1027.002\", \"T1105\"]\nIndustries: []" }, { "category": "Network activity", "comment": "CastleRAT C2", "deleted": false, "disable_correlation": false, "timestamp": "1774033698", "to_ids": true, "type": "ip-dst", "uuid": "2c5bd091-c646-4eaa-b6ff-4bc4efee119b", "value": "23.94.145.120", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CastleRAT PE No sample in VT\r\nLast check:21/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774028204", "to_ids": true, "type": "sha256", "uuid": "f5a9c3d4-5e7c-4497-8e8f-c8b52b2b655a", "value": "a4787a42070994b7f1222025828faf9b153710bb730e58da710728e148282e28", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "JS loader C2", "deleted": false, "disable_correlation": false, "timestamp": "1774033720", "to_ids": true, "type": "domain", "uuid": "37b50bbc-c876-4352-8ae9-26e503844948", "value": "serialmenot.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "ClickFix C2", "deleted": false, "disable_correlation": false, "timestamp": "1774033741", "to_ids": true, "type": "hostname", "uuid": "503557c7-3344-4c1b-a069-7b5070b52482", "value": "dsennbuappec.zhivachkapro.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Python loader C2", "deleted": false, "disable_correlation": false, "timestamp": "1774033763", "to_ids": true, "type": "ip-dst", "uuid": "79a37771-a1b3-40be-8aba-85af9945ee59", "value": "172.86.123.222", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1774033784", "uuid": "bddd13e3-45ed-4975-b01e-18d5ff75349b", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1774033784", "to_ids": true, "type": "md5", "uuid": "7603393b-6ad8-4582-a6eb-8d9f4f9bb8a5", "value": "ca37e31d651bbd5bbddef3ea716b8b4f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1774028203", "to_ids": true, "type": "sha1", "uuid": "45270543-fa6a-4f29-b534-a5df539468ce", "value": "de9707a8505683930fccf5536e311242425d420a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1774028203", "to_ids": true, "type": "sha256", "uuid": "5d4cf062-32f6-4725-8b4b-1a3241537e66", "value": "bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1774027508", "to_ids": true, "type": "ssdeep", "uuid": "ec57e374-a17e-440e-8ed1-17f79dc3cf78", "value": "384:6P7h9nyZJMey3M5UC0qEXdeSo5y8p+e6LrZgd/aI:6P/smeWMmCdXbd/a" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1774027508", "to_ids": false, "type": "size-in-bytes", "uuid": "99fc30e0-4c38-4821-9dc9-18801c7aefa6", "value": "23040" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1774027508", "to_ids": true, "type": "vhash", "uuid": "83e511fd-788e-495f-9795-248a92a2425d", "value": "ba151a36b5229126cd8a0e26f5d18ec0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1774027508", "to_ids": true, "type": "filename", "uuid": "99e5a404-01b4-42bc-8ad5-b1699ccc1747", "value": "2353695e.msi" }, { "category": "Other", "comment": "Checked: 21/03/2026\nLast-scan\t: 18/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1774027508", "to_ids": false, "type": "text", "uuid": "73e59bbd-625e-4f40-b788-54f81c963b1f", "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: Trojan:Win32/Wacatac\nVT Total Detection:35/62\nFirst Submission:2026-02-05T14:58:17.000000+00:00\nLast Submission:2026-03-04T14:05:04.000000+00:00" } ] } ] } }