Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Home/Threats/DinDoor Backdoor Abuses Deno Runtime and MSI Installers for Evasion
Threats

DinDoor Backdoor Abuses Deno Runtime and MSI Installers for Evasion

Key Takeaways A new backdoor, DinDoor, is actively being deployed, leveraging the legitimate Deno JavaScript runtime and Microsoft Installer (MSI) files to bypass traditional security defenses....

Marcus Rodriguez
Marcus Rodriguez
April 22, 2026 4 Min Read
39 0

Key Takeaways

  • A new backdoor, DinDoor, is actively being deployed, leveraging the legitimate Deno JavaScript runtime and Microsoft Installer (MSI) files to bypass traditional security defenses.
  • DinDoor is delivered via phishing emails or malicious drive-by downloads disguised as MSI files, with execution chains designed for stealth and persistence.
  • The malware is linked to the Iranian APT group Seedworm (MuddyWater) and utilizes shared command-and-control (C2) infrastructure, indicating its use by multiple sophisticated threat actors.
  • Organizations should implement strict application control policies, monitor for suspicious Deno and PowerShell activity, and block known malicious indicators to mitigate risk.

A sophisticated new backdoor, dubbed DinDoor, is currently being utilized by threat actors, employing a stealthy combination of the legitimate Deno JavaScript runtime and Microsoft Installer (MSI) files to evade detection and compromise systems. This innovative approach allows the malware to integrate into environments where Deno might be an approved application, making traditional security measures less effective. For a comprehensive breakdown of its evasion tactics, a detailed analysis is available from Hunt.io researchers.

Table Of Content

  • Key Takeaways
  • Infection Vector and Initial Execution
  • Command and Control Infrastructure
  • Inside the Execution Chain
  • Sample 1: migcredit.pdf.msi
  • Sample 2: Installer_v1.21.66.msi
  • What You Should Do

Identified as a variant of the Tsundere Botnet, DinDoor distinguishes itself by relying on trusted, signed runtime environments instead of conventional compiled malware implants. This strategy significantly complicates detection efforts, particularly within networks where tools like Deno are either explicitly allowlisted or not subject to rigorous monitoring.

Infection Vector and Initial Execution

Victims are typically infected with DinDoor through carefully crafted phishing emails or insidious drive-by downloads presented as benign MSI files. Upon execution of a malicious MSI, the installer initiates the download of the Deno runtime directly from its official endpoint, dl.deno[.]land, critically, without requiring elevated administrator privileges.

Following Deno’s installation, the backdoor proceeds to execute obfuscated JavaScript. This script performs initial reconnaissance of the compromised machine, establishes communication with its command-and-control (C2) infrastructure, and subsequently retrieves additional malicious payloads. Researchers at Hunt.io discovered this malware during their analysis of two samples submitted to public repositories, noting distinct behavioral patterns despite their shared execution methodology.

Command and Control Infrastructure

The Hunt.io investigation, using a targeted HuntSQL query, revealed 20 active C2 servers associated with DinDoor at the time of their report. These servers were distributed across 15 different autonomous systems, highlighting the distributed and resilient nature of the threat actor’s infrastructure. Furthermore, a recent report from Broadcom has directly linked DinDoor activities to Seedworm, also known as MuddyWater, an Iranian Advanced Persistent Threat (APT) group known for targeting organizations within the United States.

A concerning aspect of DinDoor is its connection to a broader threat ecosystem. One of the C2 domains identified, serialmenot[.]com, has been previously documented as shared, multi-tenant infrastructure. This platform is known to be utilized by various malicious entities, including ransomware operators, state-sponsored groups, and other cybercrime actors. JUMPSEC’s research further corroborated this, linking the serialmenot[.]com domain to TAG-150, which uses it as the backend for a malware family named CastleLoader. DinDoor exhibits behavioral similarities with CastleLoader, suggesting that multiple threat actors are leveraging the same shared platform, albeit with separate credentials.

Inside the Execution Chain

A closer examination of DinDoor’s execution flow underscores the deliberate design choices made to ensure stealth and evade detection.

Sample 1: migcredit.pdf.msi

When the first sample, identified as migcredit.pdf.msi, is executed, msiexec.exe drops a PowerShell script. This script is then launched via cmd.exe, utilizing specific flags to hide the command window, bypass profile loading, and disable execution policy enforcement. The PowerShell script first verifies the presence of deno.exe on the system. If Deno is not found, the script proceeds to install it. Subsequently, it decodes a base64-encoded JavaScript payload and uses Deno to execute this malicious code.

Sample 2: Installer_v1.21.66.msi

The second sample, Installer_v1.21.66.msi, employs a slightly different, yet equally deceptive, execution path. Developed using the WiX toolset, this variant carries a code-signing certificate issued to “Amy Cherne,” a name previously associated with MuddyWater in other security research. Upon launch, the installer displays a deceptive Windows error message stating “Installation Failed! Ex00000185.” Concurrently, a VBScript launcher silently executes the PowerShell payload in the background. Notably, this variant passes its JavaScript payload directly to deno.exe as a URI argument, enabling the code to execute entirely in memory without writing any artifacts to disk, further enhancing its stealth capabilities.

Once Deno takes control, the payload binds a TCP listener on localhost, serving as a mutex to prevent re-infection of the same system. It then generates a unique fingerprint for the victim’s machine by combining the username, hostname, total memory, and OS release string. This process yields a 16-character hexadecimal ID, which is appended to every subsequent C2 request. The Installer sample also embeds a hardcoded JSON Web Token within the C2 URL, which inadvertently exposes campaign metadata such as domain and proxy settings. Hunt.io’s analysis confirmed 20 active servers across various networks, with several hosted by providers known for their lax enforcement against abuse.

What You Should Do

  • Implement Application Control: Utilize AppLocker or Windows Defender Application Control to restrict MSI file execution, thereby eliminating a primary delivery vector for DinDoor.
  • Monitor Deno and PowerShell Activity: Treat any unexpected instances of deno.exe running as a child process of powershell.exe or wscript.exe as a critical alert.
  • Detect Command-Line Patterns: Monitor for specific command-line patterns, such as deno.exe -A data:application/javascript;base64, which indicate malicious Deno usage.
  • Monitor for TCP Binds: Watch for TCP listener binds on localhost at ports 10044 or 10091, as these are indicators of an active DinDoor infection.
  • Review HTTP Logs: Examine HTTP logs for the presence of Via: 1.1 Caddy headers on port 80, which can signal C2 communication.
  • Block Known Indicators: Proactively block known associated domains and IP addresses, and consider restricting communications with suspect hosting providers identified in threat intelligence reports.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

MalwarephishingransomwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

SIM Farm-as-a-Service Network Exposes 87 Control Panels Globally

Next Post

The Phishing Defense Layer Top CISOs Never Miss

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us