Threats Tagged 'deno'

LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.

MediumCampaignUnited StatesUnited KingdomGermany+7#side-loading#s3 bucket#lateral movement

A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats.

MediumMalwareUnited StatesUnited KingdomGermany+8#clickfix#social engineering#castlerat