ThreatDown documented the first known Deno runtime abuse in malware on March 10, 2026. The five-stage operation uses ClickFix social engineering to trick Windows users into loading CastleRAT entirely in memory. Ransomware affiliate Velvet Tempest (DEV-0504) deployed the same CastleRAT tooling in a 12-day intrusion, according to MalBeacon.
The chain begins with ClickFix. The victim visits a compromised webpage showing a bogus browser error or CAPTCHA prompt and pastes a command into the Windows Run dialog. Because the person executes it voluntarily, web security filters and email gateways do not intercept the action. The pasted string downloads a malicious MSI installer (clickzpaqkvba.msi).
The installer does not drop malware directly. It fetches and installs Deno, a legitimate, code-signed JavaScript runtime created by Ryan Dahl (the original author of Node.js). Antivirus engines configured to trust digitally signed software ignore it.
This is the first time we've seen attackers co-opt the Deno runtime in the wild, and it signals a broader shift in how threat actors think about evasion.
— Marco Giuliani, VP and Head of Research, ThreatDown
Deno processes obfuscated JavaScript that contacts a second-stage C2 at serialmenot[.]com. The script then downloads two files. The first is a portable Python environment renamed "Petuhon." The second is a JPEG image named CFBAT.jpg that conceals the encrypted CastleRAT binary via steganography. A PyArmor-protected Python script extracts the hidden binary from the image and injects it into system memory via reflective PE loading. The trojan never touches disk as an executable.
CastleRAT provides full machine control once loaded.
The CastleRAT keylogger captures keystrokes through the Windows SetWindowsHookEx API. The trojan hijacks clipboard content for passwords and cryptocurrency addresses, harvests browser credentials and cookies, and extracts Telegram Desktop and Discord session tokens. It collects SSH keys and activates webcams and microphones through Windows media APIs. C2 communication goes to 23[.]94.145.120. Persistence relies on a scheduled task named "VirtualSmokestGuy666" that relaunches the obfuscated Python loader on reboot.
MalBeacon observed Velvet Tempest (DEV-0504) deploying CastleRAT via ClickFix between February 3 and 16, 2026. The 12-day operation targeted a replica U.S. non-profit with 3,000+ endpoints. Velvet Tempest, a ransomware affiliate active for five years, has been linked to Ryuk, REvil, Conti, BlackCat/ALPHV, LockBit, and RansomHub. MalBeacon tied the intrusion infrastructure to Termite ransomware staging, though encryption was not observed during the monitoring window.
ClickFix has spread across the ransomware ecosystem in under 12 months. Interlock became the first confirmed ransomware group to adopt ClickFix in April 2025, according to Sekoia. In December 2025, Sophos X-Ops documented a full ClickFix chain ending in Qilin ransomware deployment via stolen Fortinet VPN credentials. Bitdefender reported a surge in LummaStealer infections driven by CastleLoader variants using ClickFix-style CAPTCHA lures in January 2026.
Weaponizing Deno extends "living off the land" from built-in OS tools (PowerShell, mshta, certutil) into the developer toolchain. Traditional LOTL monitoring watches for suspicious use of native Windows binaries. Deno is a third-party runtime with a valid code signature that most EDR policies do not flag. Atos researchers independently found that a ClickFix variant using WebDAV bypassed Microsoft Defender for Endpoint entirely and was caught only through manual hunting on RunMRU registry key patterns.
— Artem Safonov, Threat Analyst at AnonHaven
ThreatDown detects the chain as Trojan.CastleLoader and Trojan.CastleRAT at multiple stages. Published IOCs include C2 domains dsennbuappec[.]zhivachkapro[.]com and serialmenot[.]com, IP addresses 172[.]86.123.222 and 23[.]94.145.120, and file hashes for the MSI dropper and CastleRAT PE binary. Full YARA rules are available from ThreatDown's Threat Intelligence team on request.
Organizations should block Deno on non-developer endpoints via application whitelisting. Create alerts for Deno processes initiating outbound connections to unknown domains. Watch for scheduled tasks pointing to Python scripts in %AppData% or C:\ProgramData. Hunt for RunMRU registry entries indicating Run dialog execution. Train users that legitimate websites never require pasting commands into Windows Run to verify identity.
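The four hunting recommendations above can be expressed as detection rules over endpoint telemetry. The following is an added example written for this article, not code from ThreatDown or MalBeacon: it runs those rules over a handful of constructed, Sysmon-style event records. The event field names, the developer-host allowlist, and the set of sanctioned Deno destinations are assumptions; the domain, task name and staging paths are the ones the report describes.

```python
"""Detection rules for the ClickFix -> Deno -> CastleRAT chain, run over
constructed Sysmon-style event records.  Added example, not ThreatDown's or
MalBeacon's code.  Field names are an assumption modelled on Sysmon event
IDs 1 (process create), 3 (network connect) and 13 (registry value set)
plus Task Scheduler task-registration events."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the report): one infected workstation
# (ws-042) and one legitimate developer box (dev-007).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-042",
     "image": r"C:\Users\alice\AppData\Local\deno\deno.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process_create", "host": "dev-007",
     "image": r"C:\Program Files\deno\deno.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "host": "ws-042",
     "image": r"C:\Users\alice\AppData\Local\deno\deno.exe",
     "dest_host": "serialmenot.com", "dest_port": 443},
    {"type": "network_connect", "host": "dev-007",
     "image": r"C:\Program Files\deno\deno.exe",
     "dest_host": "deno.land", "dest_port": 443},
    {"type": "task_create", "host": "ws-042", "task": "VirtualSmokestGuy666",
     "action": r"C:\ProgramData\Petuhon\python.exe C:\Users\alice\AppData\Roaming\loader.py"},
    {"type": "task_create", "host": "dev-007", "task": "NightlyBackup",
     "action": r"C:\Program Files\Backup\backup.exe --full"},
    # RunMRU values are stored as "<command>\1"; the URL is a placeholder.
    {"type": "registry_set", "host": "ws-042",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "value": r"msiexec /i http://placeholder.invalid/installer.msi\1"},
    {"type": "registry_set", "host": "dev-007",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "value": r"notepad\1"},
]

DEV_HOSTS = {"dev-007"}                       # assumption: endpoints allowed to run Deno
DENO_ALLOWED_DESTS = {"deno.land", "jsr.io"}  # assumption: sanctioned module registries

# Persistence pattern from the report: a task whose action runs a Python
# interpreter or .py script out of a user-writable staging directory.
_STAGING_DIRS = re.compile(r"(\\AppData\\|^C:\\ProgramData\\)", re.IGNORECASE)
_PYTHON = re.compile(r"python(\d+(\.\d+)?)?\.exe|\.py\b", re.IGNORECASE)
# Run-dialog history entries that fetch remote content or invoke installers/script hosts.
_RUNMRU_SUSPICIOUS = re.compile(
    r"https?://|\b(msiexec|powershell|pwsh|mshta|certutil|curl|bitsadmin)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _is_deno(image: str) -> bool:
    return PureWindowsPath(image).name.lower() == "deno.exe"


def deno_on_non_dev_host(events):
    """Deno launched on an endpoint outside the developer allowlist."""
    return [Finding("deno_non_dev_host", e["host"], e["image"])
            for e in events if e["type"] == "process_create"
            and _is_deno(e["image"]) and e["host"] not in DEV_HOSTS]


def deno_unknown_outbound(events):
    """Deno connecting anywhere other than sanctioned module registries."""
    return [Finding("deno_unknown_outbound", e["host"], f'{e["dest_host"]}:{e["dest_port"]}')
            for e in events if e["type"] == "network_connect"
            and _is_deno(e["image"]) and e["dest_host"].lower() not in DENO_ALLOWED_DESTS]


def python_task_in_staging_dir(events):
    """Scheduled task pointing at Python under %AppData% or C:\\ProgramData."""
    return [Finding("python_task_staging_dir", e["host"], f'{e["task"]}: {e["action"]}')
            for e in events if e["type"] == "task_create"
            and _PYTHON.search(e["action"]) and _STAGING_DIRS.search(e["action"])]


def runmru_suspicious(events):
    """RunMRU entries showing Run-dialog execution of installers, script hosts or URLs."""
    return [Finding("runmru_suspicious", e["host"], e["value"].removesuffix("\\1"))
            for e in events if e["type"] == "registry_set"
            and e["key"].lower().endswith("\\explorer\\runmru")
            and _RUNMRU_SUSPICIOUS.search(e["value"])]


def run_all(events):
    """Apply every rule and return the combined findings in rule order."""
    findings = []
    for rule in (deno_on_non_dev_host, deno_unknown_outbound,
                 python_task_in_staging_dir, runmru_suspicious):
        findings.extend(rule(events))
    return findings


if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Against the sample events only ws-042 trips any rule, once per rule; the developer box running Deno against deno.land and registering an ordinary backup task stays quiet. In production the allowlists would be fed from the application-whitelisting policy rather than hard-coded, and the RunMRU rule is best treated as a hunting query rather than a real-time alert, since the registry write is only observed if Sysmon (or an EDR) is configured to audit that key.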