Runtime Abuse: Exploiting Node.js and Deno via OXLOADER and CASTLESTEALER

A malvertising campaign targets developers and Windows users by impersonating official Node.js and Deno installers through sponsored Google Ads. The attack chain deploys OXLOADER to facilitate the execution of CASTLESTEALER, CastleRAT, or Stealit malware. A primary technical innovation is the abuse of Node.js Single Executable Applications (SEA) and the Deno runtime to encapsulate malicious payloads. By executing within these legitimate JavaScript environments, the malware evades traditional EDR/AV solutions that trust common developer binaries. The impact includes the theft of sensitive credentials, API keys, and tokens, creating significant risks for developer workstations and potential supply chain contamination.
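For triage of the SEA packaging described above, the following added example (not part of the original summary or of any vendor tooling) checks whether an executable is a Node.js Single Executable Application by reading the sentinel fuse that Node.js documents for SEA builds. The function names and sample bytes are hypothetical; Deno-compiled binaries are not covered, and a `node-sea` verdict only shows that the file runs an embedded script at startup, not what that script does.

```python
"""Triage helper: is this executable a Node.js Single Executable Application?"""
import sys
from pathlib import Path

# Sentinel documented by Node.js for SEA builds; the injection step flips the
# character after the colon from "0" (stock runtime) to "1" (blob embedded).
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"


def fuse_states(data: bytes) -> list[str]:
    """Return the state of every fuse occurrence found in the raw bytes."""
    states = []
    pos = data.find(SEA_FUSE)
    while pos != -1:
        tail = data[pos + len(SEA_FUSE): pos + len(SEA_FUSE) + 2]
        states.append({b":1": "set", b":0": "unset"}.get(tail, "unknown"))
        pos = data.find(SEA_FUSE, pos + 1)
    return states


def classify(data: bytes) -> str:
    """node-sea: runs an embedded script; node-runtime: plain node; else not-node."""
    states = fuse_states(data)
    if "set" in states:
        return "node-sea"
    if states:
        return "node-runtime"
    return "not-node"


def triage(paths):
    """Return (path, verdict) for each readable file that carries the fuse."""
    hits = []
    for p in map(Path, paths):
        try:
            verdict = classify(p.read_bytes())
        except OSError:
            continue  # unreadable or locked file: skip, do not abort the sweep
        if verdict != "not-node":
            hits.append((str(p), verdict))
    return hits


# Constructed sample bytes, not taken from any real binary.
SAMPLE_STOCK = b"MZ\x00pad" + SEA_FUSE + b":0\x00rest"
SAMPLE_SEA = b"MZ\x00pad" + SEA_FUSE + b":1\x00rest"

if __name__ == "__main__":
    for path, verdict in triage(sys.argv[1:]):
        print(f"{verdict}\t{path}")
```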

