DinDoor Backdoor and Deno RAT Distributed via Fake AI Software Installers on GitHub and SourceForge

June 1st, 2026

High

Our Cyber Threat Intelligence Unit is monitoring an active malware campaign that distributes a Deno-based backdoor and a remote access trojan (RAT) via fake software installers hosted on attacker-controlled and compromised GitHub and SourceForge repositories. Malwarebytes has identified that the campaign targets content creators, gamers, AI enthusiasts, and technical users by impersonating popular applications such as ChatGPT, Claude, AutoTune, Ableton Live, Kontakt, and ZENOLOGY on GitHub, and GearUP and BWR on SourceForge. The malware operates in two stages: the first, DinDoor, is a Deno-based backdoor that establishes persistence, profiles the system, and downloads additional payloads. The second, a Deno-based RAT known as "Smokest," allows full remote access, including command execution, credential and browser data theft, cryptocurrency wallet harvesting, and live screen streaming using Microsoft Edge and WebRTC. Compromised YouTube channels that use AI-generated videos are used to direct victims to malicious repositories. These videos have accumulated more than 50,000 combined views. The campaign remains active, with attackers continuously rotating GitHub accounts and repository infrastructure to sustain distribution and avoid platform enforcement. 

Technical Details

  • Threat Type: Social engineering-driven malware distribution / Backdoor and RAT deployment

  • Severity: High

  • Affected Systems: Windows endpoints running Microsoft Edge, Scoop, WinGet, and the Deno runtime; developer and general end-user environments

  • Threat Actor: Unknown; code similarities and shared infrastructure between DinDoor and the Deno RAT suggest a common developer or team

Attack Chain

  • Malicious Repository Distribution:

    • Attackers maintain fake repositories on GitHub and SourceForge impersonating legitimate software, including ChatGPT, Claude, AutoTune, Ableton Live, Kontakt, and ZENOLOGY (GitHub) and GearUP and BWR (SourceForge).

    • Compromised YouTube channels publish AI-generated promotional videos directing victims to these repositories.

  • User Execution / Initial Access: Victims are instructed to open a terminal (Command Prompt, PowerShell, or Windows Terminal) and paste a supplied command that downloads and executes a malicious MSI installer or PowerShell script from attacker-controlled GitHub infrastructure.

  • MSI Payload Deployment:

    • The MSI installs silently and drops a CMD launcher script and a PowerShell script into a randomly generated directory.

    • The CMD file executes the PowerShell script to continue the infection chain.

  • Environment Preparation:

    • The PowerShell script installs the Scoop package manager if absent, uses Scoop to install WinGet, and installs the Deno JavaScript runtime via WinGet or Scoop.

    • This approach avoids embedding suspicious binaries directly in the initial payload.

  • DinDoor Backdoor Deployment:

    • The Deno runtime executes DinDoor, fetched directly from a remote C2 server and run in memory via standard input without being written to disk.

    • DinDoor establishes persistence through a registry Run key that re-executes the launcher on system startup, collects system information, and retrieves additional payloads from the C2.

  • Deno RAT Deployment:

    • DinDoor delivers the Deno-based RAT ("Smokest"), which communicates with the C2 over HTTP and WebSocket.

    • The RAT supports arbitrary command and PowerShell execution, file management, screenshot capture, process launch and termination, SOCKS5 proxy tunneling over WebSocket, and full bidirectional interactive control through a custom VNC implementation.

    • Its built-in stealer module targets credentials and session data from Chromium-based browsers including Chrome, Chromium, Brave, Edge, Avast Browser, Opera, Vivaldi, CentBrowser, Kometa, Orbitum, 360Browser, and Chromodo, as well as Telegram, Discord, and Lightcord.

    • The RAT also targets more than 50 cryptocurrency wallet extensions and 10 wallet application folders, including Atomic Wallet, Exodus, Electrum, and ByteCoin.

  • Peer-to-Peer Screen Streaming via Edge Abuse:

    • The RAT spawns a hidden Microsoft Edge process and connects to it via the Chrome DevTools Protocol (CDP).

    • A WebRTC HTML page is injected into Edge, which relays H.264-encoded screen captures from the Deno agent directly to the attacker's browser over an encrypted WebRTC DataChannel, with SDP and ICE signaling exchanged through the existing C2 WebSocket.

    • Because the traffic originates from a legitimate browser process, network and endpoint detection visibility may be reduced.

  • C2 Evasion via Cloudflare Workers: A lightweight variant designated "agent-lite" uses Cloudflare Workers as intermediary C2 infrastructure, concealing attacker-controlled endpoints behind legitimate cloud-hosted services and complicating network-based attribution and blocking.

Impact

  • Organizations in developer, gaming, AI tooling, cryptocurrency, and creative software communities are at elevated risk due to the abuse of trusted platforms for malware delivery.

  • Successful compromise can result in full remote control of affected endpoints, including arbitrary command execution, file manipulation, process management, and deployment of additional payloads through legitimate package managers.

  • The RAT's stealer module targets credentials and session data across a broad range of Chromium-based browsers as well as Telegram, Discord, and Lightcord, creating significant risk of account takeover and credential abuse across enterprise and personal services.

  • Dedicated cryptocurrency wallet theft functionality targeting more than 50 browser extensions and 10 desktop wallet applications, including Atomic Wallet, Exodus, Electrum, and ByteCoin, poses direct financial risk to organizations and individuals handling digital assets.

  • The use of Microsoft Edge processes and Cloudflare Workers infrastructure for C2 communication reduces detection visibility and increases the likelihood of prolonged attacker persistence, lateral movement, and internal reconnaissance.

  • Public disclosure of infections linked to trusted software distribution platforms may carry additional reputational, regulatory, and incident response costs.

Detection Method

  • Monitor for Deno runtime installations initiated via Scoop or WinGet outside known developer workflows or authorized software deployment processes.

  • Detect MSI installations executed from command prompts or PowerShell scripts, particularly those referencing GitHub or SourceForge download paths.

  • Analyze PowerShell execution logs for bypass flags (-ExecutionPolicy Bypass, -WindowStyle Hidden) combined with file download activity and process spawning.

  • Monitor for the creation of registry Run keys referencing Deno executables or appdata-resident JavaScript files, which indicate DinDoor persistence activity.

  • Identify unexpected Microsoft Edge instances launched without corresponding user activity, particularly hidden processes spawned by non-browser parent processes.

  • Detect WebRTC traffic, WebSocket connections, and CDP interactions originating from Edge processes not associated with user-initiated browsing sessions.

  • Monitor for Base64-encoded authorization token values in outbound HTTP headers, consistent with the RAT's C2 configuration delivery mechanism.

  • Review network traffic for outbound connections to .workers.dev domains from endpoints where no legitimate Cloudflare Workers usage is expected.

  • Monitor for SOCKS5 proxy tunnel establishment over WebSocket from endpoint processes.

  • Implement alerts for access to cryptocurrency wallet extension directories and application data folders by Deno or PowerShell processes.

  • Continuously monitor GitHub and SourceForge for repositories mimicking popular AI, gaming, and creative software, and implement alerts for end-user-initiated downloads from these platforms to managed endpoints.
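The detection points above, turned into rules and run over constructed sample telemetry. This is an added example, not code from the original advisory or from Malwarebytes: it covers PowerShell bypass flags, Deno executing a script from stdin or a URL, Run-key persistence pointing at Deno or AppData-resident scripts, Edge spawned by a non-browser parent, and egress to .workers.dev. The record field names, file paths and the workers.dev hostname are assumptions constructed for the example.

```python
import re

# Constructed sample telemetry (Sysmon-style process, registry and network records), not real data.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ep Bypass -w Hidden -File C:\Users\u\AppData\Local\Temp\k3x9q\stage.ps1"},
    {"kind": "process", "image": r"C:\Users\u\scoop\apps\deno\current\deno.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "deno.exe run -A -"},  # script fed over stdin, so nothing is written to disk
    {"kind": "process", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Users\u\scoop\apps\deno\current\deno.exe", "cmdline": "msedge.exe --headless=new"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\AppData\Roaming\k3x9q\launch.cmd"},
    {"kind": "network", "image": "deno.exe", "dest": "cf-proxy.constructed-example.workers.dev"},
    # Benign records that must not fire.
    {"kind": "process", "image": "msedge.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "msedge.exe"},
    {"kind": "process", "image": "powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"kind": "network", "image": "msedge.exe", "dest": "www.example.com"},
]

EXPECTED_EDGE_PARENTS = {"explorer.exe", "msedge.exe", "svchost.exe"}  # parents that normally launch Edge; tune per estate

def base(path):  # lower-cased file name of a Windows path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def proc(e, name):  # True when e is a process record for the given image name
    return e["kind"] == "process" and base(e["image"]) == name

RULES = {
    # -ExecutionPolicy/-ep Bypass combined with -WindowStyle/-w Hidden
    "powershell_bypass_hidden": lambda e: proc(e, "powershell.exe")
        and bool(re.search(r"-e\w*\s+bypass", e["cmdline"], re.I))
        and bool(re.search(r"-w\w*\s+hidden", e["cmdline"], re.I)),
    # deno run taking its script from stdin ("-") or directly from a URL
    "deno_stdin_or_remote": lambda e: proc(e, "deno.exe")
        and bool(re.search(r"\brun\b.*(\s-\s*$|https?://)", e["cmdline"], re.I)),
    # Run-key persistence pointing at deno or an AppData-resident script or launcher
    "run_key_deno_or_appdata": lambda e: e["kind"] == "registry"
        and bool(re.search(r"\\CurrentVersion\\Run\\", e["key"], re.I))
        and bool(re.search(r"deno|appdata\\.*\.(js|cmd|bat)$", e["value"], re.I)),
    # Edge spawned by a non-browser parent (here the Deno agent)
    "edge_from_nonbrowser_parent": lambda e: proc(e, "msedge.exe")
        and base(e["parent"]) not in EXPECTED_EDGE_PARENTS,
    # Outbound traffic to Cloudflare Workers hostnames
    "workers_dev_egress": lambda e: e["kind"] == "network" and e["dest"].lower().endswith(".workers.dev"),
}

def scan(events):  # (rule_name, event_index) for every record that matches a rule
    return [(name, i) for i, e in enumerate(events) for name, hit in RULES.items() if hit(e)]
```

Each rule fires independently, so correlating two or more hits on the same host (for example the Deno stdin rule followed by Edge spawned from deno.exe) is what separates this chain from a developer who legitimately installed Deno.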

Indicators of Compromise

Recommendations

  • Download software exclusively from official vendor websites. Do not execute installers or terminal commands sourced from GitHub, SourceForge, or similar third-party platforms unless publisher identity, repository age, and digital signature have been independently verified.

  • Restrict execution of PowerShell scripts and CMD files from untrusted sources. Enforce PowerShell constrained language mode or script block logging on managed endpoints where appropriate.

  • Implement application control policies to prevent unauthorized installation of package managers such as Scoop or runtime environments such as Deno outside approved developer environments.

  • Monitor and alert on Scoop and WinGet activity for unexpected software installations, with particular attention to Deno runtime deployments not aligned with known workflows.

  • Block or alert on outbound connections to .workers.dev domains and other Cloudflare Workers infrastructure where no legitimate business use is established.

  • Configure network controls to restrict unexpected WebSocket and WebRTC traffic from endpoints, particularly connections not associated with known browser sessions.

  • Deploy EDR detection rules for Deno processes executing remote JavaScript resources, Base64-encoded C2 authorization headers, and hidden Edge browser instances spawned by non-user processes.

  • Conduct user awareness training focused on the risks of copying and executing terminal commands from third-party repositories, including those hosted on reputable platforms.

  • Isolate any systems where DinDoor or the Deno RAT is identified and conduct full forensic review of browser credential stores, clipboard history, cryptocurrency wallet directories, and Run key persistence entries prior to remediation.

  • Block identified IOCs at network perimeter controls, DNS filtering solutions, and endpoint security tooling.

Conclusion

The DinDoor and Deno RAT campaign demonstrates increased abuse of trusted developer platforms and legitimate tools to deliver advanced multi-stage malware through social engineering. Threat actors use GitHub, SourceForge, Scoop, WinGet, and Microsoft Edge to build an infection chain that avoids traditional detection methods and reduces visibility across network and endpoint controls. Organizations should monitor for unusual Deno runtime activity, unauthorized use of package managers, and abnormal browser processes, and strengthen user awareness of the risks associated with third-party software distribution.
