In this exclusive interview with Swapnil Bhartiya at TFiR, Marco Giuliani, Vice President and Head of Research at ThreatDown (Malwarebytes), deep dives into the anatomy of a first-of-its-kind fileless malware attack using the Deno JavaScript runtime, explains why multi-layered behavioral detection has replaced signature-based EDR as the only viable defense, and outlines how AI agentic workflows are creating an entirely new threat surface through malicious skill files.

The Deno Runtime Attack: How It Was Discovered

ThreatDown offers both EDR technology and a managed detection and response (MDR) service that monitors customer environments around the clock. The Deno-based attack was first flagged not by automated signature detection, but by the MDR team identifying an unusual behavioral pattern in a customer’s environment. The team stopped and remediated the attack, then escalated to ThreatDown’s research team because the infection pattern didn’t fit any known template.

Q: What did ThreatDown’s MDR team actually find, and how did the investigation begin?

Marco Giuliani: “What happened has been that one specific customer has been hit by this attack. Of course, the customer didn’t realize that, but our MDR team looking at the data 24/7, they identified a suspicious pattern. They alerted the customer, stopped the attack, removed the infection. But then the MDR team looked at the infection pattern and they didn’t fully understand what was going on. So they reached out to our research team — and that’s how everything started, because our research team started investigating and figuring out that it was not just one simple malware. It was a more sophisticated step-by-step attack chained together in a set of steps which are extremely common and happening more and more in the last few years.”

Fileless Execution: Steganography, Reflective PE Loading, and Why Signature Detection Is Dead

The attack chain was notable for its complete avoidance of traditional disk-based indicators. The actual malware payload was concealed inside a JPEG image file — a steganography technique — and then extracted and executed directly in memory using a portable Python executable, never writing a detectable binary to disk. This rendered conventional antivirus and file-based EDR scanning completely ineffective.

Q: How did the malware avoid detection if it never touched the disk as a normal file?

Marco Giuliani: “Classic signature detection is not valid anymore. Relying only on a signature is just a lost battle right now. The actual payload of the malware was hidden inside a JPEG picture file. After the Deno framework as the initial vector, all the steps also dropped a portable Python executable, which was extracting the payload from the picture and executing it straight in memory. That’s why we — as ThreatDown, but also the entire security industry — are stressing out a lot that a single layer of detection is not valid anymore. You need to monitor what happens on the system. You need a multi-layered approach which does not detect single files or single scripts, but starts collecting evidences from different sources: network activity, processes, in-memory activities like code injection. You have to correlate all this data altogether. That’s the only way you can defend against fileless malware. Otherwise you’re just fighting a battle which is already lost.”

Q: For platform engineers, how do you build visibility into memory-only execution?

Marco Giuliani: “It’s not so easy to tell you exactly which specific pattern to monitor. It’s an extremely complex work that needs to be done on the backend side to properly correlate and identify only the actionable alerts. Having better visibility does not mean just collecting more data. Too much data just creates noise. Noise transforms into confusion, and that transforms into a security team where most of the alerts are being skipped or closed because there is no way to go through all of them. You need to select the right sources to monitor, and you need to pick the right security tool that allows you to correlate that data in an intelligent, effective way so that the noise is reduced as much as possible — leaving only the alerts that definitely need your attention and action.”

The ClickFix Social Engineering Vector

Despite Deno’s secure-by-default architecture, the attackers did not exploit a vulnerability in the runtime itself. Instead, they used ClickFix — a social engineering technique that presents the victim with a fake system error message and instructs them to copy and paste a specific command (typically a PowerShell command) into their terminal to “fix” the problem. The user believes they are running a legitimate system repair; they are actually triggering the malware delivery chain.

Q: If Deno is genuinely secure, how were attackers able to weaponize it?

Marco Giuliani: “You say that the Deno framework is secure. It’s safe and secure, which is correct — you can trust Deno by how the tool has been built. The problem is how the attackers have been able to convince the user to download the malware. They use the ClickFix attack, which is another social engineering trick. You as a user get a pop-up message telling you that something is not configured properly on your laptop or something is broken, and to fix it you need to run a specific command — usually a PowerShell command. The user copies and pastes it and executes it to fix the problem they were convinced to have. Most people say they haven’t downloaded anything or used untrusted sources, but they don’t realize they just copy-pasted an execution command they should not have. That’s the beginning of everything.”

Architectural Guidance for CTOs and Security Teams

For enterprise engineering leaders, Giuliani recommends strict zero trust network policies scoped specifically to developer machines. The Deno attack produced a clear behavioral signal that standard file-based detection missed entirely: the malware contacted an unusual external domain — ultimately confirmed as a command-and-control server — from a machine running a trusted developer tool. That anomalous network call was the detectable evidence.

Q: What specific architectural controls should CTOs put in place for developer tooling environments?

Marco Giuliani: “First of all, strict zero trust network rules for developer tools. You must check for strange network traffic, profiling the instances, profiling the machines. In this specific case, you might not have seen the execution of Deno because it was a classic JavaScript script — but at some point the malware started checking an unusual domain, and after investigation we figured out it was a command-and-control server. If it’s a trusted developer tool on a trusted developer machine, that machine should never talk to something you don’t know. Profiling the machine, the tools, and the network by monitoring with an EDR technology should be extremely important to identify suspicious patterns.”

The Broader Threat: Code Signing, Trusted Frameworks, and the Induc Virus Parallel

Giuliani drew a historical parallel to the Induc virus (circa 2009–2010), which infected the Delphi compiler so that every binary compiled on an infected machine silently contained malware — even though the source code itself was clean. When those binaries were code-signed by trusted developers, the digital signature certified the malware as legitimate. The lesson applies directly to modern runtimes: a digitally signed binary is not a safe binary. Code signing certifies only that a file has not been tampered with after release — not that the code itself is free of malicious content.

Q: What does the history of supply chain attacks teach us about trusting signed binaries and trusted runtimes today?

Marco Giuliani: “Many security people are told that digitally signed binaries are safe because they are code-signed and the certificate is trusted, so it must be safe. But the code signature doesn’t tell you that the product is safe. It just tells you that the product has not been touched after it has been released — it has not been altered or tampered — but it doesn’t mean that the code is 100% safe and secure. The same thing applies to frameworks like Deno, PowerShell, Python. You cannot be 100% sure that what you are executing on the system is going to be safe unless you profile your enterprise network, monitor your endpoint activity, and make sure that suspicious patterns are identified.”

AI Agentic Workflows: The Next Malware Delivery Surface

The conversation’s most forward-looking segment addressed how AI agentic systems — tools that can autonomously execute tasks on a user’s machine based on downloaded “skill” files — are rapidly becoming a new attack vector. ThreatDown’s research team recently identified malicious skill files in open repositories: text files that appeared legitimate in their English-language description and primary instructions, but contained obfuscated prompt-injection commands in a foreign language buried at the very end of the file, instructing the AI agent to abandon its stated task and execute a different, malicious behavior instead.

Q: How does the shift to AI agentic workflows change the threat model for security teams?

Marco Giuliani: “The world is switching into being more agentic. You have your AI and the AI can control your PC and do everything for you. How that is being done: you have your AI agent installed on your endpoint, and then you download your skill — a text file where you write your instructions to the AI agent. Now we are seeing more and more open repositories where people upload skills, which means pre-compiled text files you can download and execute. Those repositories are being populated more and more by malicious skills, and people don’t realize it because it’s just a text file. One thing we identified last week: a skill written in perfect English, doing very basic activity — nothing suspicious. If you looked at the description, it perfectly matched the repository listing. But at some point at the very end, written in Chinese or Russian, it said: forget everything written until now, and execute this other behavior instead — and that behavior was written in obfuscated code.”

Giuliani concluded with a clear call to action for both sides of the equation: attackers are leveraging AI to accelerate attacks; defenders must leverage AI with equal urgency to correlate behavioral signals and cut through alert noise before damage occurs.

Marco Giuliani: “Definitely AI is everywhere right now. It’s helping us speed up actions and analysis that otherwise would have taken days, if not weeks. Attackers leverage that. We need to adapt our services as well to counteract this kind of attack.”