ThreatDown Uncovers First Cyber Attack Abusing Deno JavaScript Runtime for Fileless Malware Delivery
ThreatDown announced the publication of its research documenting what researchers believe to be the first documented case of attackers abusing the Deno JavaScript runtime as a malware execution framework. The attack was uncovered by ThreatDown’s Endpoint Detection and Response team. The multi-stage infection chain ultimately installs CastleRAT, a remote access Trojan capable of credential theft, surveillance and remote command execution. The malware executes entirely in system memory and never appears on disk as a traditional executable file.

The campaign highlights an evolution in attacker tradecraft. Rather than relying on malicious binaries, the attackers leveraged Deno—a legitimate, code-signed JavaScript runtime widely used by developers—to execute obfuscated scripts that retrieve additional payloads. Because the activity occurs inside a trusted process, traditional antivirus tools that rely on file-based scanning may fail to detect it. Threat actors have long abused built-in operating system tools in “living-off-the-land” attacks, but the use of a developer runtime like Deno represents a new expansion of that technique.

“This is the first time we’ve seen attackers co-opt the Deno runtime in the wild, and it signals a broader shift in how threat actors think about evasion,” said Marco Giuliani, Vice President, Head of Research at ThreatDown. “Deno is legitimate software that security products trust. By exploiting that trust, attackers can execute malicious code in ways many endpoint defenses aren’t designed to monitor.”

The research was led by Lorenzo Corazzi, Malware Research Engineer at ThreatDown.

How the Attack Works

ThreatDown’s research details a multi-phase infection chain designed for maximum stealth. The attackers employ a three-step process to bypass traditional endpoint defenses:
CastleRAT Capabilities: Total Machine Control

Once established in memory, CastleRAT takes total control of the compromised machine. Hiding behind legitimate processes, the malware leverages advanced abuse of low-level Windows APIs to conduct devastating espionage. Key capabilities include:
ThreatDown detects and blocks this attack chain at multiple stages, identifying its components as Trojan.CastleLoader and Trojan.CastleRAT. Rather than relying on file-based scanning, ThreatDown’s behavioral monitoring analyzes anomalies in process execution and severs communication with command-and-control servers before data is stolen.

FAQs

How are attackers using legitimate developer tools to bypass endpoint security?

In what ThreatDown researchers identify as an industry first, this campaign installs the Deno JavaScript runtime and uses it as a Trojan horse to execute obfuscated malicious scripts. Because the code runs inside a process the operating system trusts, it inherits elevated privileges and full system access without triggering antivirus alerts. The technique represents a new category of “living off the land” attack that extends beyond built-in OS utilities to third-party developer frameworks.

What is fileless malware, and why can’t traditional antivirus software detect it?

Fileless malware operates entirely in system memory without writing executable files to disk. In this CastleRAT campaign, the payload is encrypted inside a JPEG image using steganography, then decoded and injected into memory through a technique called reflective PE loading. Because traditional antivirus engines detect threats by scanning files on disk, they never see malware payloads that exist only in memory.

How can organizations detect attacks that never write a file to disk?

Traditional antivirus software relies on scanning files saved to the hard drive, which means fileless threats like CastleRAT are invisible to those defenses. Detection requires endpoint behavioral monitoring that analyzes how processes behave at runtime, flagging anomalies like a trusted developer tool attempting in-memory injections or establishing unexpected command-and-control communications.
ThreatDown’s MDR team discovered this attack chain through exactly that approach, identifying suspicious behavior before the attackers could achieve their objectives.

Source: ThreatDown media announcement
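The FAQ answer above describes the defensive principle in one sentence: rather than scanning files, watch what a trusted process does at runtime and flag a developer tool that injects into other processes or talks to hosts it has no business reaching. The following block is an added example of that principle, not ThreatDown's detection logic or anything from the research. It runs two behavioral rules over a few constructed telemetry lines in an invented EDR-style JSON schema (event types, PIDs, paths and hostnames are all made up), and the allowlist of "expected" developer hosts is an assumption a real deployment would replace with its own baseline.

```python
"""Behavioral detection over constructed endpoint telemetry: flag the Deno
runtime behaving like an injector or a beacon rather than a developer tool."""
import json
from collections import defaultdict

# Constructed sample telemetry (JSON lines), modelled loosely on EDR process,
# network and cross-process-access events. PIDs, paths and hostnames are
# invented for this example and are not indicators from the ThreatDown report.
SAMPLE_TELEMETRY = r"""
{"ts": 1, "type": "process_start", "pid": 4100, "image": "C:\\Users\\dev\\.deno\\bin\\deno.exe", "cmdline": "deno run --allow-net main.ts"}
{"ts": 2, "type": "net_connect", "pid": 4100, "dest_host": "jsr.io", "dest_port": 443}
{"ts": 3, "type": "process_start", "pid": 5200, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\deno.exe", "cmdline": "deno run -A x.js"}
{"ts": 4, "type": "net_connect", "pid": 5200, "dest_host": "cdn.example-placeholder.invalid", "dest_port": 443}
{"ts": 5, "type": "remote_memory_write", "pid": 5200, "target_pid": 1234, "target_image": "C:\\Windows\\explorer.exe", "bytes": 245760}
{"ts": 6, "type": "remote_thread_create", "pid": 5200, "target_pid": 1234, "target_image": "C:\\Windows\\explorer.exe"}
{"ts": 7, "type": "net_connect", "pid": 5200, "dest_host": "203.0.113.45", "dest_port": 8443}
"""

# Image basenames that identify the Deno runtime on Windows and Unix.
DENO_IMAGES = {"deno.exe", "deno"}

# Assumed allowlist: hosts a developer's Deno process would normally reach
# (module registries, source hosting). Derive it from your own baseline.
EXPECTED_DEV_HOSTS = {"deno.land", "jsr.io", "registry.npmjs.org", "github.com", "esm.sh"}

# Event types that indicate one process tampering with another's memory.
INJECTION_EVENTS = {"remote_memory_write", "remote_thread_create"}


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_deno(image):
    """True if the image path's basename is the Deno runtime (either OS style)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in DENO_IMAGES


def detect(events):
    """Apply two behavioral rules to every Deno process seen starting.

    Rule 1: outbound connection to a host outside the expected developer set.
    Rule 2: cross-process memory write or remote thread creation.
    A process that trips both rules is rated 'high' (fetch-then-inject
    pattern); either rule alone is 'medium'.
    """
    deno_pids = {e["pid"] for e in events
                 if e["type"] == "process_start" and is_deno(e["image"])}
    findings = defaultdict(list)
    for e in events:
        if e["pid"] not in deno_pids:
            continue
        if e["type"] == "net_connect" and e["dest_host"] not in EXPECTED_DEV_HOSTS:
            findings[e["pid"]].append(
                ("unexpected_network", f"{e['dest_host']}:{e['dest_port']}"))
        elif e["type"] in INJECTION_EVENTS:
            findings[e["pid"]].append(
                ("injection", f"{e['type']} -> {e['target_image']} (pid {e['target_pid']})"))

    alerts = []
    for pid in sorted(findings):
        hits = findings[pid]
        kinds = {kind for kind, _ in hits}
        severity = "high" if {"unexpected_network", "injection"} <= kinds else "medium"
        alerts.append({"pid": pid, "severity": severity, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_TELEMETRY)):
        print(f"[{alert['severity'].upper()}] deno pid {alert['pid']}")
        for kind, detail in alert["indicators"]:
            print(f"    {kind}: {detail}")
```

Run stand-alone, the block reports one high-severity alert for pid 5200 and nothing for pid 4100, whose only connection went to an allowlisted registry. The point of the correlation step is the one the FAQ makes: neither a network connection nor a memory write is conclusive on its own, but a code-signed runtime that fetches from an unknown host and then writes into another process has stopped behaving like a developer tool, and that combination is visible at runtime even though no file ever reached disk.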