Dindoor

DinDoor is a Deno-based backdoor malware family, commonly styled as DinDoor, that executes JavaScript/TypeScript through the legitimate Deno runtime to reduce suspicion and evade some traditional detections. Multiple reports describe it as a previously unknown backdoor and a variant of the Tsundere botnet. It has been publicly linked to the Iranian threat actor MuddyWater/Seedworm, which is associated with Iran’s Ministry of Intelligence and Security (MOIS), although some reporting notes that parts of this attribution require independent verification.

Observed delivery includes fake installers and plugins impersonating popular software such as ChatGPT, Claude, AutoTune, Kontakt, Ableton Live, ZENOLOGY, GearUP, and BWR on GitHub and SourceForge, often promoted through compromised YouTube channels with AI-generated videos. Other reporting states DinDoor is delivered via phishing emails, malicious drive-by downloads, and MSI installer files. In the fake-installer campaigns, victims were instructed to paste terminal or cmd commands that downloaded MSI or PowerShell components. The infection chain then used Scoop and WinGet to install Deno, after which DinDoor fetched and executed remote JavaScript payloads from attacker-controlled infrastructure.

Behaviorally, DinDoor establishes persistence on Windows, including via a Registry Run key, fingerprints infected hosts, communicates with command-and-control infrastructure, and retrieves additional payloads. Reported execution chains include MSI files that drop CMD, VBScript, JavaScript, or PowerShell launchers; one sample displayed a fake error dialog while running the payload in the background, and another executed JavaScript entirely in memory via a data URI passed to deno.exe. DinDoor has been observed using an eval loop to repeatedly fetch subsequent stages, obtaining an ID from endpoints such as /security-pool and then requesting follow-on code such as /v2{ID}.js. It also binds a localhost TCP listener as a mutex and generates a victim identifier from system attributes including username, hostname, memory, and OS release.

DinDoor functions as a loader/backdoor for a fully capable Deno-based RAT. Reported follow-on capabilities include arbitrary command and PowerShell execution, system information collection, file and process management, screenshot capture, clipboard monitoring, SOCKS5 proxying, custom VNC-style remote desktop control, browser and cryptocurrency wallet theft, and exfiltration from applications such as Telegram, Discord, and Lightcord. A notable capability abuses Microsoft Edge, Chrome DevTools Protocol, and WebRTC to stream a victim’s screen over peer-to-peer connections. Some reporting also mentions a lighter variant called agent-lite using Cloudflare Workers for C2 anonymity, and one follow-on RAT has been referred to as Smokest based on configuration values.

Victimology in the provided content spans both broad criminal-style distribution and targeted intrusions. Malwarebytes-associated reporting describes targeting of creators, gamers, AI enthusiasts, and technically inclined users who download unofficial software. Separate reporting ties DinDoor to intrusions affecting a U.S. bank, a U.S. airport, a U.S. software supplier to the defense and aerospace sector with Israeli operations, and NGOs/non-profits in the U.S. and Canada. Sectors explicitly mentioned include financial services, transportation/airports, defense and aerospace supply chain, and non-profit organizations.

High-confidence indicators and artifacts mentioned in the content include use of the Deno runtime; MSI-delivered samples such as Installer_v1.21.66.msi and migcredit.pdf.msi; code-signing certificates issued to Amy Cherne, with some related reporting also referencing Donald Gay in overlapping Seedworm tooling; C2 or distribution infrastructure including serialmenot[.]com, claudescript[.]top, ms-telemetry-gateway-us[.]com, dakatawebstick[.]com, ashpaltlonpro[.]com, agilemast3r[.]duckdns[.]org, geralnewlong[.]com, hngfbgfbfb[.]cyou, logicalnewrestore[.]com, cf-proxy[.]cloud-analytics-services[.]workers.dev, and IPs 23[.]227[.]196[.]107, 45[.]137[.]99[.]121, 31[.]57[.]129[.]23, 66[.]78[.]40[.]107, and 193[.]233[.]198[.]132. Additional reported traits include localhost binds on ports 10044 or 10091, HTTP /health checks, and Deno command lines using data:application/javascript;base64.