Analyzing DinDoor, the Deno-Powered Backdoor Disguised as Legitimate Tooling
By leveraging a legitimate, signed runtime, threat actors can deploy low-footprint, essentially fileless malware that bypasses security controls tuned primarily to monitor more common execution engines like PowerShell, Python, or Node.js. This creates a significant visibility gap in modern enterprise environments.
First documented in March 2026, DinDoor is identified as a specialized variant of the Tsundere botnet—a remote access tool (RAT) that has historically transitioned from Node.js to Deno to evade detection. Security intelligence suggests a link between DinDoor campaigns and the Iranian-aligned APT group Seedworm (also known as MuddyWater), known for highly targeted phishing operations. Furthermore, the infrastructure overlaps with the CastleLoader/CastleRAT ecosystem, indicating a shared multi-tenant backend used by both state-sponsored and cybercriminal actors.
Technical Analysis: Delivery and Execution Chain
The infection vector typically begins with a malicious MSI installer, delivered via social engineering, drive-by downloads, or phishing lures masquerading as essential business software. The execution process follows a highly structured, multi-stage chain:
- Initial Staging: Upon execution, `msiexec.exe` drops a PowerShell script (e.g., `Juliet_widget15.ps1`) into the `%AppData%\Local\documents\` directory. This script is launched via `cmd.exe` using flags that suppress window visibility, bypass profile loading, and circumvent execution policies.
- Runtime Acquisition: The staging script checks the host for an existing Deno runtime. If absent, it performs a silent, non-privileged download of `deno.exe` directly from the legitimate `dl.deno[.]land` endpoint, effectively masking the download as a standard developer tool update.
- Payload Execution (Fileless vs. File-based):
  - Variant A: Decodes a Base64-encoded JavaScript payload to disk before invoking it via `deno.exe`.
  - Variant B (More Advanced): Passes the payload directly to Deno using a `data:application/javascript;base64,...` URI. This allows the malware to reside entirely in memory, drastically reducing the forensic footprint and bypassing many file-centric antivirus solutions.

Once active, DinDoor initializes a TCP listener on localhost (using ports such as 10044 or 10091). It uses these ports as a mutex to prevent redundant infections on a single host. To identify itself to the Command and Control (C2) server, the malware generates a unique 16-character hexadecimal fingerprint based on a hash of the victim’s hostname, username, total RAM, and OS release.
The beaconing behavior is highly methodical. DinDoor probes its C2 via a short-timeout GET request to a /health endpoint. It only proceeds with further instructions upon receiving an HTTP 200 response containing the string “ok”.

Analysis of recent samples revealed that C2 URLs often embed a JSON Web Token (JWT). This token serves as a metadata carrier, disclosing campaign-specific information and linking activity to the serialmenot[.]com domain, a known hub for both criminal and state-actor operations.
Infrastructure Discovery and Defensive Posture
Research conducted by Hunt.io highlights a significant vulnerability in the attacker’s infrastructure: HTTP Header Consistency. DinDoor’s C2 servers frequently return specific 404 Not Found responses with a Content-Length: 13 and headers including Via: 1.1 Caddy and X-Request-Id. These unique fingerprintable characteristics allowed researchers to identify approximately 20 active C2 servers across 15 different autonomous systems.
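The header traits above can be turned into a simple response fingerprint. The following is an added example written for this write-up, not Hunt.io's tooling; the two HTTP responses are constructed samples, and the `X-Request-Id` value is a placeholder.

```python
"""Match a raw HTTP/1.x response against the DinDoor C2 header pattern.

Criteria, taken from the write-up: a 404 response whose Content-Length is
13 and whose headers include "Via: 1.1 Caddy" and an "X-Request-Id".
"""
from typing import Dict, Tuple


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw response into (status code, lower-cased header map)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[1].isdigit():
        raise ValueError("malformed status line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(status_line[1]), headers


def matches_dindoor_c2(raw: bytes) -> bool:
    """True only when every trait from the write-up is present at once."""
    try:
        status, headers = parse_response(raw)
    except ValueError:
        return False
    return (
        status == 404
        and headers.get("content-length") == "13"
        and headers.get("via", "").lower() == "1.1 caddy"
        and "x-request-id" in headers
    )


# Constructed sample carrying all four traits (request-id is a placeholder).
SUSPECT = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Length: 13\r\n"
    b"Via: 1.1 Caddy\r\n"
    b"X-Request-Id: 00000000-0000-4000-8000-000000000000\r\n"
    b"\r\n404 not found"
)

# Constructed sample: an ordinary Caddy 404 lacking the request-id header.
BENIGN = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nVia: 1.1 Caddy\r\n\r\n"
```

Because all four traits must co-occur, a stock Caddy 404 on its own does not match, which keeps the fingerprint usable for pivoting without flooding results.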

To defend against DinDoor, organizations should implement a multi-layered detection strategy focused on these key choke points:
- Endpoint Security: Implement AppLocker or Windows Defender Application Control (WDAC) to restrict unauthorized MSI executions. Monitor for suspicious child processes, specifically `deno.exe` being spawned by `powershell.exe` or `wscript.exe`.
- Behavioral Monitoring: Alert on any command-line arguments for Deno that include `data:application/javascript;base64,`, as this is a high-fidelity indicator of fileless execution.
- Network Intelligence: Monitor outbound traffic for the `serialmenot[.]com` domain and look for anomalies in traffic carrying the Caddy server headers mentioned above.
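The endpoint and behavioral rules above, expressed as detection logic over process-creation events. This is an added example for this write-up, not a vendor rule; the three Sysmon-style events (file paths, parent images and command lines) are constructed, and the Base64 in the last one decodes to a harmless `console.log(1)`.

```python
"""Evaluate process-creation events for the DinDoor execution chain.

Rules mirror the write-up: deno.exe spawned by a script host, and a Deno
command line carrying a data:application/javascript;base64 URI.
"""
import ntpath
from typing import Dict, List

SUSPICIOUS_PARENTS = {"powershell.exe", "wscript.exe"}
DATA_URI_MARKER = "data:application/javascript;base64,"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty if none)."""
    hits: List[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    if image == "deno.exe" and parent in SUSPICIOUS_PARENTS:
        hits.append("deno_spawned_by_script_host")
    if image == "deno.exe" and DATA_URI_MARKER in cmdline:
        hits.append("deno_fileless_data_uri")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to tripped rules, keeping only events with hits."""
    result: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            result[index] = hits
    return result


# Constructed events: a developer's normal Deno use, then the two
# DinDoor-style launches (file-based and fileless) the write-up describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\dev\.deno\bin\deno.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "deno run --allow-net main.ts"},
    {"Image": r"C:\Users\victim\AppData\Local\deno.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"deno.exe run -A C:\Users\victim\AppData\Local\documents\payload.js"},
    {"Image": r"C:\Users\victim\AppData\Local\deno.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "deno.exe run -A data:application/javascript;base64,Y29uc29sZS5sb2coMSk="},
]
```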
Indicators of Compromise (IOCs)