CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security
A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats.
AI Analysis
Technical Summary
The CastleRAT malware campaign represents a novel and sophisticated threat leveraging the Deno JavaScript runtime environment as a malicious framework to evade detection by traditional security solutions. The attack chain begins with social engineering tactics that convince victims to execute a crafted command, which installs the Deno runtime if not already present. Deno is then used to run heavily obfuscated JavaScript code that performs steganographic decoding of a malicious payload hidden within a JPEG image file. This payload, CastleRAT, is executed entirely in-memory, avoiding any disk writes and thus evading file-based detection mechanisms. CastleRAT gains comprehensive control over the infected host, performing host fingerprinting to gather system information, keylogging to capture user input, clipboard hijacking to steal copied data, digital identity theft, and even audio/video surveillance through connected peripherals. The malware abuses various APIs and techniques such as process injection, command and control communication, and credential theft. The campaign's use of Deno is unprecedented, marking a shift in malware development towards abusing legitimate, modern runtimes to bypass endpoint security. Indicators of compromise include specific IP addresses (e.g., 23.94.145.120), multiple file hashes, and malicious domains like serialmenot.com and dsennbuappec.zhivachkapro.com. Although no public exploits or threat actor attribution are currently known, the campaign underscores the need for advanced detection strategies focusing on behavioral analysis and memory forensics.
Potential Impact
Organizations worldwide face significant risks from this CastleRAT campaign due to its stealthy infection vector and advanced evasion techniques. The in-memory execution without disk artifacts severely limits detection by traditional antivirus and endpoint protection platforms, increasing the likelihood of prolonged undetected presence. The malware’s capabilities—keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance—pose severe confidentiality and privacy risks, potentially leading to data breaches, intellectual property theft, and espionage. Host fingerprinting enables attackers to tailor further attacks or lateral movement within networks. Enterprises relying on user trust and manual execution of commands are particularly vulnerable to social engineering exploitation. The campaign’s use of a legitimate runtime (Deno) complicates detection and response, potentially impacting sectors with high-value targets such as finance, government, healthcare, and technology. The stealth and persistence of CastleRAT could disrupt business operations and damage organizational reputation if sensitive data or communications are compromised.
Mitigation Recommendations
To mitigate the threat posed by CastleRAT, organizations should implement multi-layered defenses focusing on behavioral and runtime analysis rather than solely signature-based detection. Specifically:
1. Enforce strict application whitelisting policies that restrict unauthorized installation and execution of runtimes like Deno, especially from untrusted sources.
2. Deploy advanced endpoint detection and response (EDR) solutions capable of monitoring in-memory execution, API abuse, and anomalous process behaviors.
3. Implement network monitoring to detect suspicious communications to known malicious IPs and domains such as 23.94.145.120, serialmenot.com, and dsennbuappec.zhivachkapro.com.
4. Educate users to recognize and resist social engineering attempts, particularly commands prompting runtime installations or execution of scripts.
5. Utilize steganalysis tools to inspect suspicious image files in email attachments or downloads.
6. Regularly audit and restrict permissions to prevent unauthorized runtime installations and script executions.
7. Employ multi-factor authentication and credential hygiene to reduce the impact of credential theft.
8. Conduct memory forensics and behavioral analytics to identify indicators of in-memory malware activity.
9. Maintain up-to-date threat intelligence feeds to incorporate emerging indicators and tactics.
10. Establish incident response playbooks tailored to runtime abuse and in-memory malware scenarios.
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, South Korea, India, Netherlands, Singapore
Indicators of Compromise
- ip: 23.94.145.120
- hash: ca37e31d651bbd5bbddef3ea716b8b4f
- hash: de9707a8505683930fccf5536e311242425d420a
- hash: a4787a42070994b7f1222025828faf9b153710bb730e58da710728e148282e28
- hash: bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a
- domain: serialmenot.com
- domain: dsennbuappec.zhivachkapro.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/
- Adversary: null
- Pulse Id: 69b14da6cb1bf921c7ac6d22
- Threat Score: null
Threat ID: 69b7c7d69d4df451833e08e1
Added to database: 3/16/2026, 9:05:26 AM
Last enriched: 3/16/2026, 9:20:17 AM
Last updated: 3/16/2026, 8:44:09 PM