DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers

Published 23/04/2026 14:16 · Modified 27/04/2026 14:52

Essential information

Tags
2026-04-23, caddy proxy, castleloader, deno runtime, tsundere botnet
Related entities
20 observables, 1 intrusion set (APT), 18 techniques (MITRE), 5 malware, 18 others

Description

DinDoor is a Deno-based backdoor delivered via MSI files. It abuses the Deno runtime to execute obfuscated JavaScript for command-and-control communication and system fingerprinting. Two analyzed samples show different execution behaviors: one writes its JavaScript to disk, while the other executes entirely in memory. Both samples use the same fingerprinting algorithm to generate a unique victim identifier. One sample contains an embedded JWT that exposes campaign metadata and the domain serialmenot[.]com, identified as multi-tenant infrastructure serving multiple threat actors, including state-sponsored groups and cybercriminals. Analysis of HTTP response headers enabled the identification of 20 active C2 servers across 15 autonomous systems, many hosted with bulletproof hosting providers. The malicious infrastructure fronts its C2 servers with the Caddy proxy, whose distinctive response headers allow network-based detection.

External references