Recent OTX pulses indicate a surge in diverse malware delivery campaigns targeting enterprise environments. Threat actors are shifting away from standard binary execution in favor of complex, multi-stage scripting chains that abuse legitimate administrative tools.
Three distinct campaigns have been identified:
- ClickFix to CastleRAT: A novel infection chain starting with "ClickFix" social engineering, leading to MSI execution, PowerShell staging, and the deployment of a portable Deno JavaScript runtime and Python environment to decrypt and execute a CastleRAT payload.
- Steganographic RATs (AsyncRAT/Remcos): A global phishing campaign using Excel macros with heavy obfuscation to drop HTA and PowerShell scripts. These scripts employ steganography to hide malicious payloads within PNG files, ultimately delivering AsyncRAT and Remcos.
- Havoc & Banana RAT (Brazil): A tax-themed campaign targeting Brazil during the fiscal season. Malicious ZIP files disguised as electronic invoices (Nota Fiscal) utilize VBScript droppers to install Havoc framework implants, Banana RAT, and KongTuke via MSI installers.
Threat Actor / Malware Profile
CastleRAT (Pulse 1)
- Distribution: ClickFix social engineering (fake browser errors/updates) leading to MSI downloads.
- Payload Behavior: Utilizes a portable Deno runtime and Python interpreter (
install.pyc) to execute attacker-controlled JavaScript. Decrypts an encrypted.MOacontainer to reveal a 64-bit Windows PE payload. - C2 Communication: Connects to actor-controlled domains (e.g.,
lkczkqweca.com,webstizkgao.com). - Anti-Analysis: Heavy reliance on scripting languages (Deno/Python) to bypass traditional static analysis and signature-based detection.
AsyncRAT & Remcos (Pulse 2)
- Distribution: Phishing emails with malicious Excel attachments.
- Payload Behavior: Fileless execution via HTA and PowerShell. Uses steganography to extract payloads from image files (PNGs), making detection difficult for network inspection tools.
- C2 Communication: Connects to IPv4 addresses associated with US hosting providers (Colocrossing, Internap).
- Persistence: Likely achieved via scheduled tasks or registry run keys established by the PowerShell stages.
Havoc Framework & Banana RAT (Pulse 3)
- Distribution: Malicious ZIP files containing invoice-lure filenames (targeting Brazil).
- Payload Behavior: VBScript droppers execute MSI installers. The campaign abuses Microsoft Defender DLP contexts or exclusions to hide the stager.
- C2 Communication: Communicates with DGA-style domains (e.g.,
e4wxbrg5277.com). - Persistence: MSI installation typically provides system-level persistence.
IOC Analysis
The provided indicators include:
- Domains: A mix of typosquatted domains and DGA-style domains (e.g.,
thomphon.com,e4wxbrg5277.com). SOC teams should block these at the DNS layer. - IPv4 Addresses: Several IPs (e.g.,
107.172.235.213,192.227.219.79) are associated with hosting providers known for high-abuse infrastructure. These should be blocked on perimeter firewalls. - File Hashes (SHA256): Hashes are provided for the encrypted containers, Python bytecode (
install.pyc), and final payloads. EDR solutions should be tuned to alert on these specific hashes. - Operationalization:
- SIEM: Ingest domains and IPs into threat intelligence feeds for correlation.
- EDR: Hunt for processes attempting to resolve these specific domains.
- Network: Use Deep Packet Inspection (DPI) to detect MSI/JS downloads from non-standard domains.
Detection Engineering
Sigma Rules
YAML
title: Suspicious Deno or Python Execution via PowerShell
id: 5e0f3c12-0b1d-4f7a-9c8d-1e2f3a4b5c6d
description: Detects PowerShell spawning Deno or Python runtimes often used in ClickFix campaigns to load malware like CastleRAT.
status: experimental
date: 2026/07/05
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66000000...
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith:
- '\deno.exe'
- '\python.exe'
filter_legit_tooling:
CommandLine|contains:
- 'Microsoft'
- 'Program Files'
condition: selection and not filter_legit_tooling
falsepositives:
- Legitimate developer usage of Deno/Python via PowerShell scripts
level: high
---
title: Excel Macro Spawning HTA or PowerShell with Obfuscation
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
description: Detects Excel processes spawning HTA or PowerShell, indicative of AsyncRAT/Remcos phishing campaigns.
status: experimental
date: 2026/07/05
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66000000...
tags:
- attack.initial_access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\EXCEL.EXE'
selection_child:
Image|endswith:
- '\powershell.exe'
- '\mshta.exe'
- '\cmd.exe'
condition: selection_parent and selection_child
falsepositives:
- Legitimate Excel automation using VBA macros
level: high
---
title: Havoc Stager VBScript Execution
id: 9f8e7d6c-5b4a-3e2d-1c0b-9a8f7e6d5c4b
description: Detects VBScript or WScript executing MSI installers, a technique used in Havoc/Banana RAT campaigns targeting Brazil.
status: experimental
date: 2026/07/05
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66000000...
tags:
- attack.execution
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection_script:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli:
CommandLine|contains: '.vbs'
selection_child:
Image|endswith: '\msiexec.exe'
condition: all of selection_*
falsepositives:
- Legitimate software installation via VBScript wrappers
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix/Deno activity and Excel spawned scripts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine contains "deno" or FileName =~ "deno.exe" or ProcessCommandLine contains "install.pyc")
or (InitiatingProcessFileName =~ "excel.exe" and (FileName =~ "powershell.exe" or FileName =~ "mshta.exe"))
or (InitiatingProcessFileName has "wscript.exe" and FileName =~ "msiexec.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
Hunt script for CastleRAT and Havoc artifacts.
.DESCRIPTION
Checks for specific file extensions (.MOa, .pyc), Deno installations, and suspicious registry keys.
#>
$Artifacts = @(
"$env:TEMP\*.MOa",
"$env:APPDATA\*.pyc",
"$env:LOCALAPPDATA\deno*"
)
$Processes = @("deno", "python")
Write-Host "[+] Scanning for CastleRAT/Deno artifacts..."
foreach ($Path in $Artifacts) {
if (Test-Path $Path) {
Write-Host "[!] FOUND: $Path" -ForegroundColor Red
Get-Item $Path | Select-Object FullName, CreationTime, LastWriteTime
}
}
Write-Host "[+] Checking running processes..."
Get-Process | Where-Object { $Processes -contains $_.ProcessName } | ForEach-Object {
Write-Host "[!] RUNNING PROCESS: $($_.ProcessName) - PID $($_.Id)" -ForegroundColor Yellow
$_.Path
}
Write-Host "[+] Checking for recent VBScript execution in Event Logs..."
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'wscript.exe' -and $_.Message -match 'msiexec.exe' }
if ($Events) {
Write-Host "[!] FOUND potential Havoc stager execution events." -ForegroundColor Red
}
Response Priorities
- Immediate:
- Block all listed domains and IPv4 IOCs on perimeter firewalls and DNS resolvers.
- Quarantine any endpoints matching the SHA256 file hashes.
- Disable macro execution for users outside of immediate security exceptions.
- 24h:
- Hunt for evidence of
deno.exe,python.exe(portable), and.MOafiles on user workstations. - Review logs for connections to the Colocrossing and Internap IP ranges.
- Identify users who received the Excel or ZIP attachments related to the AsyncRAT/Havoc campaigns.
- Hunt for evidence of
- 1 Week:
- Implement application control to block unsigned MSI installers and Deno/Python execution from user directories.
- Conduct user awareness training focusing on "ClickFix" fake browser errors and tax-themed phishing lures.
- Review and restrict Microsoft Defender DLP exclusions to prevent abuse by stagers.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwarecastle-ratasyncrathavoc-frameworkremcossteganography
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.