ClickFix Deno Abuse to CastleRAT
Activity began with a ClickFix-style social engineering chain that led to MSI execution, PowerShell staging, and installation/use of Deno to run attacker-controlled JavaScript. Follow-on activity downloaded a portable Python runtime, `install.pyc`, and an encrypted `.MOa` container, which was later decrypted to recover a 64-bit Windows PE payload. Analysis of the recovered payload showed Steam Community being used as a dead-drop resolver for C2, with the profile title resolving to `smokeenew[.]com`, while `ip-api.com` was used for victim network/geolocation profiling. The payload also contained logic for browser/wallet data collection, clipboard/keylogging-related capabilities, Defender exclusions, UAC bypass/relaunch behavior through `ComputerDefaults.exe`, and a C2-tasked mechanism to receive and install an additional `Krutyak.zip` / `usbmmidd_v2` component. Recommendations: Block artifacts where applicable.
AI Analysis
Technical Summary
The campaign begins with a ClickFix-style social engineering chain that results in MSI execution and PowerShell staging. The chain installs and uses Deno to execute attacker-controlled JavaScript, then downloads a portable Python runtime, an install.pyc script, and an encrypted .MOa container. Decrypting the container yields a 64-bit Windows PE payload that uses Steam Community profiles as a dead-drop resolver for C2 communications, with the profile title resolving to smokeenew.com. The malware also queries ip-api.com to profile the victim's network and geolocation. Its capabilities include browser and cryptocurrency wallet data collection, clipboard and keylogging functionality, Defender exclusions, UAC bypass and relaunch via ComputerDefaults.exe, and a C2-tasked mechanism to receive and install additional components named Krutyak.zip / usbmmidd_v2. The campaign is ongoing; no exploits in the wild and no official patches are reported, and blocking the identified artifacts is advised.
Potential Impact
The campaign enables attackers to execute arbitrary code on victim systems, collect sensitive browser and wallet data, perform clipboard capture and keylogging, evade detection by excluding itself from Defender scans, bypass User Account Control (UAC), and maintain persistent command and control via Steam Community dead-drop profiles. This can lead to credential theft, financial loss, and further system compromise. No exploits in the wild have been reported, and no direct patch is available because this is a multi-stage attack built on social engineering and malware components rather than a single software flaw.
Mitigation Recommendations
No official patch or fix is available for this campaign because it relies on social engineering and multi-stage malware deployment. The advisory does not mark the activity as 'no action required' or 'already mitigated'. Recommended mitigations include blocking the known malicious domains, URLs, IP addresses, and file hashes associated with this campaign. Monitoring for, and preventing, execution of MSI installers and PowerShell scripts from untrusted sources reduces risk. Endpoint detection rules that flag Deno being used to execute suspicious JavaScript, and monitoring for UAC bypass attempts via ComputerDefaults.exe, may help detect related activity.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: green
- References: none listed
- Adversary: not specified
- Pulse Id: 6a21aa7db4b7cf1351f27cb6
- Threat Score: not specified
Threat ID: 6a21ac6ce29bf47b50b8bb6b
Added to database: 6/4/2026, 4:48:44 PM
Last enriched: 6/4/2026, 5:04:07 PM
Last updated: 6/5/2026, 5:02:00 AM