ClickFix Deno Abuse to CastleRAT

June 4, 2026, 4:40 p.m.

Description

Activity began with a ClickFix-style social engineering chain that led to MSI execution, PowerShell staging, and installation/use of Deno to run attacker-controlled JavaScript. Follow-on activity downloaded a portable Python runtime, `install.pyc`, and an encrypted `.MOa` container, which was later decrypted to recover a 64-bit Windows PE payload. Analysis of the recovered payload showed Steam Community being used as a dead-drop resolver for C2, with the profile title resolving to `smokeenew[.]com`, while `ip-api.com` was used for victim network/geolocation profiling. The payload also contained logic for browser/wallet data collection, clipboard/keylogging-related capabilities, Defender exclusions, UAC bypass/relaunch behavior through `ComputerDefaults.exe`, and a C2-tasked mechanism to receive and install an additional `Krutyak.zip` / `usbmmidd_v2` component. Recommendations: Block artifacts where applicable.

Tags

Date

  • Created: June 4, 2026, 4:40 p.m.
  • Published: June 4, 2026, 4:40 p.m.
  • Modified: June 4, 2026, 4:40 p.m.

Indicators


Additional Information

  • smokeenew.com
  • webstizkgao.com
  • nicenicc.com
  • lkczkqweca.com
  • ibewfszvehhb.lkczkqweca.com