
A Shrug Emoji, a JWT Token, and the MaaS Platform Behind a Zero-Detection Deno Implant

One domain led to a commercial ClickFix MaaS platform with a Deno implant scoring 0/57 VT

Published April 3, 2026
Tags: maas, clickfix, deno, zero-detection, jwt

When @malwrhunterteam tweeted dakatawebstick[.]com with nothing but a shrug emoji, it could have been anything. A dead domain. A parked page. A false positive. We investigated anyway.

Behind that domain was a fully operational Malware-as-a-Service platform selling ClickFix capability, a zero-detection Deno-based implant, a bulletproof hosting provider running 16+ IP ranges through a Latvian-operated UK shell company, and an operator alias extracted from a JWT Bearer token hardcoded inside a 252-entry obfuscated string table.

The shrug emoji was underselling it.

The Implant: Deno Does Crime

The domain serves a 14,762-byte JavaScript file designed to run under the Deno runtime. At time of analysis, it scores 0/57 on VirusTotal. Zero detections. Not one engine flags it.

This is deliberate. Deno is a legitimate JavaScript/TypeScript runtime -- the spiritual successor to Node.js, created by the same developer. Security products don't flag Deno execution because it's a legitimate development tool. The implant abuses this blind spot.

Capabilities extracted from behavioral analysis of the deobfuscated code:

  • System fingerprinting: Hostname, OS version, architecture, network interfaces, running processes
  • TCP mutex: Prevents multiple instances from running simultaneously
  • Registry Run key persistence: Survives reboots via HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • PowerShell hidden execution: Launches via conhost.exe to avoid visible windows
  • Modular payload fetching: Downloads additional modules from the C2 based on session state
  • Health-check failover: C2 endpoint at /health confirms server availability before check-in

The code is protected by a 252-entry string table where every string is rotated and base64 encoded. Function names, URLs, registry paths, API calls -- everything meaningful is an index into this table. Static analysis sees nothing but array lookups.

The JWT: Operator Extraction

Buried inside string table entry 47 (after deobfuscation) is a hardcoded JWT Bearer token. Decoding the JWT payload reveals the MaaS platform's internal structure:

{
  "buildId": "...",
  "buildNote": "BatClickFixPS1NewV1",
  "buildType": "ps1",
  "userId": "1943c7b8c0a029e2",
  "userNote": "Smokest"
}

Operator alias: Smokest. User ID: 1943c7b8c0a029e2.

The buildNote tells us this is version 1 of a "BatClickFix" builder that generates PowerShell-based ClickFix payloads. The buildType confirms the output format. And the userId + userNote fields reveal that Smokest is a customer of a larger platform -- not the developer. This is multi-tenant infrastructure where operators purchase build access and receive customized implants.

The JWT was never meant to be visible. It's an authentication token baked into the implant at build time, allowing the C2 to route check-ins to the correct operator's dashboard. The developer didn't strip it from the distributed payload.
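Pulling those claims out of a token recovered from a string table is a two-step job: split the compact JWS on dots and base64url-decode the header and payload (restoring the padding JWTs omit), then read the tenant and build fields without trusting the unverified signature. The code below is an added example, not the report's tooling; the token it builds is constructed to mirror the claims quoted above, and its buildId, iat and signature are placeholders.

```python
import base64
import json
from datetime import datetime, timezone

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore '=' padding or decoding fails
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str) -> dict:
    """Split header.payload.signature and decode the first two parts. The signature
    is NOT checked: in triage we hold no key and only want the embedded claims."""
    compact = token.strip().removeprefix("Bearer ").strip()
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
    }

def operator_summary(payload: dict) -> dict:
    """Lift the tenant/build fields into one record; iat becomes a UTC build time."""
    iat = payload.get("iat")
    return {
        "operator": payload.get("userNote"),
        "user_id": payload.get("userId"),
        "build": payload.get("buildNote"),
        "build_type": payload.get("buildType"),
        "build_time_utc": datetime.fromtimestamp(iat, tz=timezone.utc).isoformat() if iat else None,
    }

def make_sample_token() -> str:
    """Constructed token (not the real one) carrying the claims quoted in the
    report; buildId, iat and the signature are placeholders chosen here."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "buildId": "BUILD_ID_PLACEHOLDER",
        "buildNote": "BatClickFixPS1NewV1",
        "buildType": "ps1",
        "userId": "1943c7b8c0a029e2",
        "userNote": "Smokest",
        "iat": 1774915200,  # 2026-03-31T00:00:00Z, chosen to match the timeline
    }
    return f"Bearer {enc(header)}.{enc(payload)}.SIGNATURE_PLACEHOLDER"
```

Because the signature is never validated, treat the decoded claims as attacker-controlled metadata for pivoting, not as proof of anything.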

The Hosting: Dedik Services Limited

The domain resolves to infrastructure within AS207043 -- Dedik Services Limited. Despite the UK company registration, the operation is Latvian. They announce 16+ /24 prefixes upstream via OVH, providing a substantial bulletproof hosting platform.

Scanning the /24 subnet around the C2 IP revealed 5 Windows hostnames extracted from self-signed certificates on port 1337 -- a mix of development and staging machines. The infrastructure spans both Windows (IIS, RDP, SMB) and Linux (nginx, SSH) VPS instances, suggesting a hosting provider that caters to diverse criminal customer needs.

The ClickFix Technique

ClickFix is a social engineering vector that has exploded in 2025-2026. The attack presents victims with a fake CAPTCHA, browser error, or document viewer that instructs them to "fix" an issue by copying a command to their clipboard and pasting it into the Windows Run dialog (Win+R). The pasted command downloads and executes malware.

This builder automates the creation of ClickFix lures. The BatClickFixPS1NewV1 build note suggests:

  • Bat: Batch file initial stage
  • ClickFix: The social engineering technique
  • PS1: PowerShell payload delivery
  • NewV1: First version of an updated builder

The existence of a builder with version tracking, multi-tenant authentication, and modular payload delivery confirms this is a commercial operation, not a one-off tool.

Campaign Timeline

Date       | Event
-----------|------------------------------------------------------------------
Mar 22-25  | Infrastructure provisioned (Windows VPS, domain, certificates)
Mar 31     | Build compiled (JWT iat timestamp)
Apr 2      | First public reporting (ThreatFox submission + @malwrhunterteam tweet)
Apr 3      | C2 confirmed LIVE (/health returns ok)

Indicators of Compromise

Network Indicators

  • dakatawebstick[.]com
  • C2 IP within AS207043 (Dedik Services Limited)
  • /health endpoint returns ok (health check)

File Indicators

  • Deno JS implant: 14,762 bytes, 0/57 VT detection
  • Registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Behavioral Indicators

  • Deno runtime execution (deno.exe or embedded runtime)
  • TCP mutex on localhost
  • PowerShell spawned via conhost.exe
  • HTTP POST to C2 with JWT Bearer authentication header
  • 252-entry obfuscated string table pattern
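Two of the behavioral indicators above translate directly into endpoint detection logic: the deno.exe -> conhost.exe -> powershell.exe process chain and a Run key value that points at the Deno runtime. The following is an added example, not the report's own detection content; the events are constructed to resemble EDR process-creation and registry records, including a benign developer deno.exe run that must not fire.

```python
import ntpath
from typing import Iterable

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events (not real telemetry) modelling the chain the report describes
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 3990, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 4120, "ppid": 3990, "image": r"C:\Users\victim\AppData\Local\deno\deno.exe",
     "cmdline": r"deno.exe run -A C:\Users\victim\AppData\Local\Temp\PLACEHOLDER.js"},
    {"kind": "process", "pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "conhost.exe --headless"},
    {"kind": "process", "pid": 4140, "ppid": 4133,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\PLACEHOLDER.ps1"},
    {"kind": "registry", "pid": 4120, "key": RUN_KEY + r"\DenoUpdate",
     "data": r"C:\Users\victim\AppData\Local\deno\deno.exe run -A C:\Users\victim\AppData\Local\Temp\PLACEHOLDER.js"},
    # Benign: a developer running deno from a terminal, no hidden PowerShell child
    {"kind": "process", "pid": 5200, "ppid": 5100, "image": r"C:\Users\dev\.deno\bin\deno.exe", "cmdline": "deno.exe test"},
]

def basename(path: str) -> str:
    # Compare on the executable name only, so install location does not matter
    return ntpath.basename(path).lower()

def detect(events: Iterable[dict]) -> list[str]:
    events = list(events)  # we iterate twice, so a generator must be materialised
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []
    # Rule 1: powershell.exe whose parent is conhost.exe and grandparent is deno.exe
    for e in procs.values():
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = procs.get(e["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if parent and grand and basename(parent["image"]) == "conhost.exe" and basename(grand["image"]) == "deno.exe":
            hidden = "hidden" in e["cmdline"].lower()
            findings.append(f"deno.exe -> conhost.exe -> powershell.exe chain (pid {e['pid']}, hidden window={hidden})")
    # Rule 2: a Run key value whose data references the Deno runtime
    for e in events:
        if e["kind"] == "registry" and e["key"].lower().startswith(RUN_KEY.lower()) and "deno.exe" in e["data"].lower():
            findings.append(f"Run key persistence referencing Deno runtime: {e['key']}")
    return findings
```

Tuning note: in environments where Deno is a sanctioned development tool, the process-chain rule carries the signal; the Run key rule alone will also catch legitimate Deno-based tools that register themselves at logon.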

h/t @malwrhunterteam for the initial domain.
