Posted in

DinDoor Backdoor Uses Deno Runtime to Evade Detection

by Rakesh0

A newly discovered backdoor named DinDoor is raising alarms in the cybersecurity community for one key reason:

It doesn’t rely on traditional malware binaries.

Instead, it abuses legitimate tools like the Deno JavaScript runtime and signed MSI installers to quietly infiltrate systems while evading detection.

Tracked as a variant of the Tsundere Botnet, DinDoor represents a growing trend in modern attacks:

👉 Using trusted software to deliver malicious behavior

In this article, we break down how DinDoor works, why it is difficult to detect, and how defenders can stop it.

What Is the DinDoor Backdoor?

DinDoor is a malware family that uses:

  • MSI installers for delivery
  • Deno runtime for execution
  • Obfuscated JavaScript payloads for control

Key Objective:

Maintain stealth while enabling long-term remote access via command-and-control (C2) infrastructure.

How DinDoor Infects Systems

Infection Flow

Phishing Email / Drive-by Download → MSI Installer → Deno Runtime Download → JavaScript Payload Execution → C2 Connection

Step 1: Initial Delivery via MSI File

Victims receive:

  • Phishing emails
  • Fake software installers
  • Drive-by download links

The payload is disguised as a legitimate MSI installer.

Step 2: Silent Deno Installation

Once executed, the installer:

  • Downloads Deno from official source (dl.deno[.]land)
  • Avoids admin privileges
  • Blends into trusted software activity

Step 3: Execution of Malicious JavaScript

The malware:

  • Decodes a Base64-encoded payload
  • Runs JavaScript through Deno
  • Fingerprints the victim system

Collected data includes:

  • Username
  • Hostname
  • Memory size
  • OS version

Why Deno Is Being Abused

Deno is a legitimate JavaScript runtime often:

  • Allowlisted in enterprise environments
  • Not closely monitored by EDR tools
  • Used for development workflows

Why attackers love it:

✔ Trusted binary
✔ Signed runtime
✔ Script-based execution
✔ Low detection rates

Execution Techniques Used by DinDoor

1. PowerShell Abuse

The MSI installer launches:

  • msiexec.exe → PowerShell → cmd.exe

With flags that:

  • Hide windows
  • Bypass execution policy
  • Avoid profile loading

2. In-Memory Execution

One variant passes JavaScript directly to:

  • deno.exe as a URI argument

👉 No files written to disk

3. Fake Installation Trick

Some samples display:

  • Fake Windows error dialogs
  • “Installation Failed” messages

While malware runs silently in the background.

Command-and-Control (C2) Infrastructure

DinDoor connects to multiple C2 servers distributed across 15 ASNs, showing:

  • 20+ active servers identified
  • Global infrastructure spread
  • Abuse-tolerant hosting providers

Shared Infrastructure Risk

Some domains used (e.g., shared multi-tenant platforms):

  • Are used by ransomware groups
  • Are linked to state-sponsored actors
  • Host multiple malware families

Attribution: Who Is Behind DinDoor?

DinDoor has been linked to:

  • Seedworm (MuddyWater) – Iranian APT group
  • Overlaps with CastleLoader malware infrastructure
  • Shared tooling with cybercrime groups

Why DinDoor Is Hard to Detect

1. Living-Off-the-Land Techniques

Uses legitimate tools like:

  • Deno runtime
  • PowerShell
  • Windows Installer (MSI)

2. Signed / Trusted Components

  • MSI files often appear legitimate
  • Deno is widely trusted in dev environments

3. In-Memory Execution

  • No persistent malware files
  • Reduced forensic footprint

4. Blended Traffic Patterns

  • Uses standard HTTP/S requests
  • Mimics normal developer tool behavior

Indicators of Compromise (IOCs)

Security teams should monitor for:

Process Anomalies

  • deno.exe spawned by:
    • PowerShell
    • wscript.exe

Command Patterns

  • deno.exe -A data:application/javascript;base64

Network Activity

  • Localhost TCP binds (ports 10044, 10091)
  • HTTP headers: Via: 1.1 Caddy
  • Suspicious domains like serialmenot[.]com

Real-World Risk Impact

If successfully deployed, DinDoor enables:

1. Full System Fingerprinting

  • Device profiling
  • Environment enumeration

2. Persistent Remote Access

  • C2-controlled execution
  • Long-term surveillance

3. Multi-Stage Payload Delivery

  • Additional malware downloads
  • Modular attack expansion

Common Misconceptions

❌ “Signed installers are safe”

Attackers now abuse trusted installers as delivery vehicles.

❌ “Developer tools are harmless”

Tools like Deno are increasingly used as execution layers for malware.

❌ “No file on disk = no malware”

In-memory execution is now a standard evasion method.

Mitigation Strategies

1. Restrict MSI Execution

Use:

  • AppLocker
  • Windows Defender Application Control (WDAC)

2. Monitor Runtime Behavior

Flag:

  • Unexpected deno.exe execution
  • PowerShell spawning scripting runtimes

3. Enforce Application Control

  • Allowlist approved runtimes only
  • Block unknown JavaScript execution chains

4. Network-Level Detection

Monitor for:

  • Suspicious HTTP headers
  • Unusual C2 domains
  • Abuse-tolerant hosting providers

5. Endpoint Detection Focus

Shift from file-based detection to:

  • Behavioral analysis
  • Process lineage tracking
  • Script execution monitoring

Expert Insight: The Rise of Trusted Runtime Malware

DinDoor highlights a major evolution in malware design:

Attackers are abandoning binaries and abusing trusted runtimes instead

This includes:

  • JavaScript engines
  • Cloud CLI tools
  • Developer frameworks
  • System utilities

FAQs

What is DinDoor malware?

A backdoor that uses Deno runtime and MSI installers for stealthy system compromise.

Why is Deno used in attacks?

It is a trusted runtime often overlooked by security tools.

How does DinDoor spread?

Through phishing emails and malicious MSI installers.

What data does DinDoor collect?

System fingerprints, credentials, and environment metadata.

Who is behind DinDoor?

It is linked to the Seedworm (MuddyWater) APT group.

How can it be detected?

By monitoring abnormal Deno execution and PowerShell chains.

Conclusion: A Shift Toward Trusted Tool Abuse

The DinDoor backdoor demonstrates a clear shift in modern cyberattacks:

Malware is no longer “installed”—it is executed through trusted software ecosystems

Key Takeaways:

  • Deno runtime is being abused as an execution layer
  • MSI installers remain a strong phishing vector
  • In-memory execution reduces detection opportunities
  • Behavioral monitoring is now essential

Organizations must evolve from signature-based defense to runtime behavior detection to counter these emerging threats.

Subscribe

Leave a Reply

Your email address will not be published. Required fields are marked *