Low detection CastleLoader signed "SOFTWARE ANALYTICS LIMITED": f50f825a64cb9c0435bc11db9225445687f8d1a44dba972a50ffa4dff600e72f. They changed from EXE to MSI. C2: arqeluno[.]com
LevelBlue SpiderLabs analyses a ClickFix campaign that impersonates LinkedIn & Indeed to lure victims. The chain abuses the legacy Finger protocol, uses native Windows tools plus portable Python runtimes & deploys fileless CastleLoader & a Python-based RAT levelblue.com/blogs/spiderla…
A campaign has been reported in which fake software posing as ChatGPT, Claude and others is distributed on GitHub and SourceForge and infects victims with remote-access malware that runs on the JavaScript runtime Deno. The malware's P2P screen streaming works by launching Edge in the background and embedding a page that uses browser-to-browser real-time communication (WebRTC), sending video of the victim's screen directly to the attacker's browser without passing through the command-and-control server; because it blends into Edge's legitimate traffic, network monitoring can easily miss it. Hijacked YouTube channels (more than 50,000 views in total) are reportedly used to steer victims to the fake repositories. Following the NWHStealer distribution via Bun and the CastleLoader deployment via Deno covered in earlier posts, this is the third case of bring-your-own-runtime (BYOR); this time it is also notable that the legitimate package managers Scoop and WinGet are used to install the Deno runtime.

[Key points]
・MSI files and PowerShell scripts are distributed from fake repositories mimicking ChatGPT, Claude, Ableton Live, AutoTune, Kontakt and others. Victims are made to copy and run a command in a terminal; creators and AI users, among others, are targeted.
・The PowerShell script dropped by the MSI uses Scoop and WinGet to install the Deno runtime. It is installed as a signed binary via legitimate package managers.
・The backdoor "DinDoor" fetches additional scripts from the C2 over HTTP and executes them via standard input (stdin) without writing them to disk. Persistence is via the registry Run key.
・The distributed Deno-based RAT targets more than 50 cryptocurrency wallet extensions, browser data from Chrome, Brave, Edge and others, and Telegram and Discord data, and also supports remote screen control (VNC), traffic relaying through a SOCKS5 proxy, and clipboard tampering.
・For P2P screen streaming, it controls Edge via the Chrome DevTools Protocol (CDP), the protocol used for remote browser control, injects a WebRTC page, and sends H.264-encoded screen video directly to the attacker side over a WebRTC DataChannel. The signaling needed to establish the connection uses the C2's WebSocket communication.
・A lightweight version, "agent-lite", has also been observed; it uses Cloudflare Workers for C2 communication.
・The report comes from Malwarebytes' threat intelligence team. hunt[.]io has also published an analysis of DinDoor.

From installing a runtime through legitimate package managers to repurposing a legitimate browser as a video relay, this campaign builds trusted tools into every stage of the attack chain. GitHub has removed the repositories in question, but the attackers may reportedly resume distribution under new accounts.

For details, see: malwarebytes.com/blog/threat…
#threatreport #MediumCompleteness Fake software on GitHub and SourceForge distributes Deno RAT | 26-05-2026
Source: malwarebytes.com/blog/threat…
Key details below ↓
🧑‍💻Actors/Campaigns: Smokest
💀Threats: Dindoor, Nwhstealer, Castleloader, Clickfix_technique
🎯Victims: Content creators, Ai enthusiasts, Gamers, Technical users, Cryptocurrency users
🏭Industry: Healthcare
🤖LLM extracted TTPs: T1005, T1036, T1041, T1059.001, T1059.003, T1059.007, T1071.001, T1082, T1083, T1090, ...
🧨IOCs: Domain: 9, IP: 5
💽Software: ChatGPT, Claude, macOS, GearUP, Chrome, Chromium, Opera, Vivaldi, CentBrowser, Kometa, Orbitum, ...
📲Wallets: atomicwallet, electrum
🔢Algorithms: base64
📜Programming Languages: typescript, javascript, powershell
#threatreport: Recent threat hunting activities have revealed that attackers are using legitimate platforms such as GitHub and SourceForge to distribute fake software installers and plugins that impersonate popular applications. Notably, these campaigns are deploying a Deno-based backdoor known as DinDoor, which functions as a stealthy remote access Trojan (RAT). Distribution methods include leveraging compromised YouTube channels, where videos promote links to these malicious repositories, highlighting the attackers' reliance on trust in established platforms to lure in users, particularly those inclined to download unofficial or cracked software. The infection process typically begins with users being redirected to malicious repositories through these compromised channels, where they encounter fake MSI files or PowerShell scripts. Upon execution, these scripts install alternative Windows package managers like Scoop and WinGet, which are then used to install the Deno runtime. Subsequently, the Deno runtime executes the RAT, which can deploy additional payloads and exfiltrate sensitive information from browsers, crypto wallets, and other applications, employing peer-to-peer communication techniques to obscure its activity.
The DinDoor backdoor plays a crucial role in the malware’s functionality, establishing persistence and communicating with command-and-control (C2) servers through various HTTP endpoints. Notably, it captures system information and can control devices through a custom VNC implementation. It targets specific crypto wallet extensions and can exfiltrate browser data from multiple popular browsers and applications. The versatility of the RAT is further amplified by its ability to execute commands, capture screenshots, and manage clipboard data. One of the more alarming features of the DinDoor RAT is its use of a peer-to-peer mode that leverages the Microsoft Edge browser. This allows the RAT to bypass traditional detection by establishing a direct communication channel for video streaming, turning Edge into a video relay using WebRTC technology. This is done through a hidden Edge process that captures the victim’s screen and streams the feed to the attacker’s browser, presenting a significant challenge for detection and mitigation efforts. The attackers employ a variety of commands accessible through the RAT, including those for gathering system details, controlling processes, and establishing proxy connections. Communications with the C2 server involve Base64-encoded data, indicating a structured and deliberate approach to maintaining operational security. Additionally, a lighter version of the RAT has been observed, with reduced capabilities and variants in C2 communication methods. In summary, the DinDoor RAT represents a sophisticated threat facilitated by trust exploitation and the use of legitimate software distribution channels, with advanced capabilities that complicate detection and response. Users are advised to exercise caution when downloading software, particularly from community-driven repositories, and ensure that downloads come from verified sources to mitigate potential risks.
LinkedIn Search leads to #CastleLoader delivering #AsyncRAT. Attackers use Clickfix lures with fake verification popups to mask PowerShell activity. The loader decrypts the payload via RC4, using the first 64 bytes as a key to bypass filters. Details: bit.ly/4uOIqka
The certificates were used to sign DinDoor (Tsundere) and folk also found an opendir for Tsundere w/ victim info. The CastleLoader samples apparently loaded FakeSet malware https://ctrlaltintel[.]com/research/MuddyWater/ https://research[.]checkpoint.com/2026/iranian-…