DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers
DinDoor is a Deno-based backdoor delivered via MSI files. It abuses the legitimate Deno JavaScript/TypeScript runtime to execute obfuscated JavaScript that handles command-and-control (C2) communication and system fingerprinting. The two analyzed samples differ in execution behaviour: one writes its JavaScript to disk, the other runs entirely in memory. Both use the same fingerprinting algorithm to generate a unique victim identifier. One sample embeds a JWT that exposes campaign metadata and the domain serialmenot[.]com, which the analysis identifies as multi-tenant infrastructure serving several threat actors, both state-sponsored groups and cybercriminals. Pivoting on HTTP response headers identified 20 active C2 servers across 15 autonomous systems, many on bulletproof hosting providers. The infrastructure fronts its C2 with the Caddy web server, whose distinctive response headers allow network-based detection.
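The embedded JWT is the kind of artefact worth pulling out of a sample first, because its claims are attacker-authored metadata and frequently name infrastructure. The helper below is an added example, not part of hunt.io's analysis or of the DinDoor sample: it finds JWT-shaped strings in a blob, decodes header and payload without verifying the signature, and lists hostnames found in the claims as pivots for infrastructure hunting. The token it processes is constructed with hypothetical claim names and values; only the serialmenot.com /mv2/ URL is taken from the indicator list on this page.

```python
"""Triage helper for JWTs embedded in a malware sample.

Added example, not tooling from hunt.io or the OTX pulse. The DinDoor
sample's real token is not reproduced on the page, so make_sample_token()
builds a constructed token with hypothetical claims; only the /mv2/ URL on
serialmenot.com comes from the indicator list.
"""
import base64
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Set

# A JWT is three base64url segments joined by dots. A JSON header always
# encodes to a segment starting with "eyJ"; the signature may be empty (alg "none").
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def extract_jwts(blob: bytes) -> List[str]:
    """Return every JWT-shaped string found in a binary or script blob."""
    return [m.decode("ascii") for m in JWT_RE.findall(blob)]


def decode_jwt(token: str) -> Dict[str, Any]:
    """Decode header and payload for triage. The signature is NOT verified:
    the goal is to read the attacker's metadata, not to trust it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    # Render the standard time claims so campaign timing is readable at a glance.
    for claim in ("iat", "nbf", "exp"):
        value = payload.get(claim)
        if isinstance(value, (int, float)):
            payload[claim + "_utc"] = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    return {"header": header, "payload": payload, "signature_len": len(b64url_decode(sig_b64))}


def hostnames_in(obj: Any) -> Set[str]:
    """Walk any JSON value and collect hostnames from its strings (pivots for infra hunting)."""
    found: Set[str] = set()
    if isinstance(obj, dict):
        for v in obj.values():
            found |= hostnames_in(v)
    elif isinstance(obj, list):
        for v in obj:
            found |= hostnames_in(v)
    elif isinstance(obj, str):
        found.update(h.lower() for h in HOST_RE.findall(obj))
    return found


def make_sample_token() -> str:
    """Constructed token: hypothetical claim names/values and a fake signature."""
    def enc(obj: Any) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "campaign-demo", "iat": 1700000000, "exp": 1700086400,
               "api": "https://serialmenot.com/mv2/"}
    fake_sig = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode()
    return ".".join([enc(header), enc(payload), fake_sig])


def triage_blob(blob: bytes) -> List[Dict[str, Any]]:
    """Extract, decode and summarise every token in a blob."""
    results = []
    for token in extract_jwts(blob):
        decoded = decode_jwt(token)
        decoded["hostnames"] = sorted(hostnames_in(decoded["payload"]))
        results.append(decoded)
    return results


if __name__ == "__main__":
    # Constructed stand-in for the obfuscated JavaScript the Deno runtime executes.
    sample = b'const cfg={token:"' + make_sample_token().encode() + b'"};'
    print(json.dumps(triage_blob(sample), indent=2))
```

Point triage_blob at the extracted JavaScript (the disk-writing variant) or at a process memory dump (the in-memory variant); the regex works on raw bytes, so no prior decoding is needed.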
AI Analysis
Technical Summary
DinDoor is a backdoor built on the Deno runtime and distributed via MSI installers. It runs obfuscated JavaScript that handles C2 communication and system fingerprinting, deriving a unique identifier for each victim. The two analyzed samples differ in execution: one writes its JavaScript to disk, the other executes it in memory. Twenty active C2 servers were identified through HTTP header analysis; many sit on bulletproof hosting providers and are fronted by Caddy, whose response headers are identifiable. The domain serialmenot[.]com belongs to multi-tenant infrastructure shared by several threat actors, including the MuddyWater group. Hosting the implant in the Deno runtime with obfuscated JavaScript is an uncommon C2 technique that endpoint tooling tuned to more familiar script hosts may not profile.
Potential Impact
DinDoor gives attackers command and control over compromised systems, fingerprints each host to identify victims uniquely, and can execute further code through the Deno runtime. Multi-tenant infrastructure and bulletproof hosting complicate takedown and attribution. Because DinDoor is malware rather than a vulnerability, there is no exploitation status to report; the 20 active C2 servers indicate ongoing campaigns. The obfuscation, and the in-memory variant's avoidance of on-disk artefacts, hinder detection and forensic analysis.
Mitigation Recommendations
DinDoor is malware, not a vulnerability in Deno or Windows Installer, so there is no patch to apply; defence rests on execution control and detection. Because delivery is via MSI files, restrict who can install software, enforce application allowlisting so that only approved installers and runtimes execute, and alert on unexpected use of the Deno runtime (deno.exe) on hosts that have no business running it. Network defenders can use the distinctive Caddy response headers of the C2 infrastructure as a pivot, with the caveat that Caddy is a common legitimate web server: a Caddy header alone is a weak signal and should be combined with the domains, IPs and URL listed below. Block and monitor serialmenot[.]com and the associated C2 servers, and keep the indicator set current from threat-intelligence feeds.
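As an added example (not hunt.io's tooling or anything from the pulse), the script below applies the recommendations above to egress records: it matches hosts and destination IPs against the indicators listed on this page, treats a listed parent domain as covering its subdomains, and scores the Caddy header as a weak signal rather than a verdict. The exact Caddy header signature hunt.io pivoted on is not reproduced on this page, so the check is the generic Server: Caddy value (an assumption); the parent domain healthydefinitetrunk.com is an analyst addition covering the three listed subdomains, and the records, including their host-to-IP pairings, are constructed.

```python
"""Match egress records against the DinDoor indicator set and flag Caddy-fronted C2.

Added example, not hunt.io's or the pulse's tooling. Indicator values are the domains
and IPs listed in this pulse; healthydefinitetrunk.com is an analyst addition
(assumption) covering the three listed subdomains. The page does not reproduce the
exact Caddy header signature, so the header check is the generic `Server: Caddy`
value and is deliberately scored as a weak signal. Sample records are constructed;
non-IoC addresses use RFC 5737 TEST-NET space.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IOC_DOMAINS: Set[str] = {
    "ineracaspsl.site", "aeeracaspsl.site", "serialmenot.com", "justtalken.com",
    "hngfbgfbfb.cyou", "agilemast3r.duckdns.org", "annaionovna.com", "bitatits.surf",
    "generalnewlong.com", "ilspaeysoff.site", "myspaeysoff.site", "landmas.info",
    "grafana.healthydefinitetrunk.com", "bandage.healthydefinitetrunk.com",
    "surgery.healthydefinitetrunk.com",
    "healthydefinitetrunk.com",  # assumption: parent added to catch unlisted subdomains
}
IOC_IPS: Set[str] = {
    "138.124.240.76", "138.124.240.77", "178.16.52.191", "185.218.19.117",
    "192.109.200.151", "193.233.82.43", "193.24.123.25", "194.48.141.192",
    "199.217.99.189", "199.91.220.142", "199.91.220.216", "2.26.117.169",
    "2.27.122.16", "209.99.189.170", "45.135.180.200", "45.151.106.88", "85.192.27.152",
}


@dataclass
class EgressRecord:
    """One outbound HTTP(S) connection as a proxy or NDR sensor would log it."""
    host: str                       # Host header / SNI, or the bare IP for direct-to-IP traffic
    dst_ip: str
    path: str = "/"
    resp_headers: Dict[str, str] = field(default_factory=dict)  # lowercased header names


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head (status line + headers) into a lowercase-name dict."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the head; anything after is body
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def domain_matches(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that `host` equals or is a subdomain of, else None.
    Walks from the full name towards the registrable domain so a listed parent
    catches unlisted subdomains, but never tests a bare TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def is_caddy_front(headers: Dict[str, str]) -> bool:
    """Generic Caddy check (assumption: the page gives no more specific signature)."""
    return headers.get("server", "").lower().startswith("caddy")


def triage(rec: EgressRecord) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). IoC hits are 'high'; a Caddy header alone is only 'low',
    because Caddy is a widely used legitimate server and would otherwise flood the queue."""
    reasons: List[str] = []
    dom = domain_matches(rec.host, IOC_DOMAINS)
    if dom:
        reasons.append(f"host {rec.host} matches IoC domain {dom}")
    if rec.dst_ip in IOC_IPS:
        reasons.append(f"destination {rec.dst_ip} is a listed C2 address")
    if is_caddy_front(rec.resp_headers):
        reasons.append("response served by Caddy (weak signal on its own)")
    if dom or rec.dst_ip in IOC_IPS:
        return "high", reasons
    return ("low", reasons) if reasons else ("none", reasons)


CADDY_HEAD = "HTTP/1.1 200 OK\r\nServer: Caddy\r\nContent-Length: 0\r\n\r\n"
NGINX_HEAD = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

# Constructed records; host-to-IP pairings are illustrative, not observed.
SAMPLE_RECORDS: List[EgressRecord] = [
    EgressRecord("serialmenot.com", "203.0.113.5", "/mv2/", parse_response_headers(CADDY_HEAD)),
    EgressRecord("138.124.240.76", "138.124.240.76", "/", parse_response_headers(CADDY_HEAD)),
    EgressRecord("api.healthydefinitetrunk.com", "203.0.113.10", "/", parse_response_headers(NGINX_HEAD)),
    EgressRecord("example.org", "203.0.113.20", "/", parse_response_headers(CADDY_HEAD)),
    EgressRecord("example.org", "203.0.113.21", "/", parse_response_headers(NGINX_HEAD)),
]


def run(records: List[EgressRecord] = SAMPLE_RECORDS) -> List[Tuple[str, str, str]]:
    """Triage every record and return (host, dst_ip, verdict) triples."""
    return [(r.host, r.dst_ip, triage(r)[0]) for r in records]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, reasons = triage(rec)
        print(f"{verdict:5} {rec.host}{rec.path} -> {rec.dst_ip}: {'; '.join(reasons) or 'clean'}")
```

In practice, feed parsed proxy or Zeek http.log rows into EgressRecord, route "high" verdicts to blocking and "low" verdicts to a hunt queue where the Caddy header can be combined with other context (new domain, bulletproof-hosting ASN, empty response bodies) before anyone acts on it.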
Indicators of Compromise
Domain
- ineracaspsl.site
- aeeracaspsl.site
- serialmenot.com
- justtalken.com
- hngfbgfbfb.cyou
- agilemast3r.duckdns.org
- annaionovna.com
- bitatits.surf
- generalnewlong.com
- ilspaeysoff.site
- myspaeysoff.site
- landmas.info
- grafana.healthydefinitetrunk.com
- bandage.healthydefinitetrunk.com
- surgery.healthydefinitetrunk.com
Hash
- 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 (SHA-256)
- 7b793c54a927da36649eb62b9481d5bcf1e9220035d95bbfb85f44a6cc9541ae (SHA-256)
- e2e8516b4f275e8c636620b7377ee3b9f9f47bb0 (SHA-1)
- 197fb8bf3d6064a9f3272b8222cab6d5cf4f24de (SHA-1)
- 5c057af2f358fc10107d5ccdb39938ad (MD5)
- 6d56ec35c1bb1e44a8d6ee201845aa05 (MD5)
IP
- 138.124.240.76
- 138.124.240.77
- 178.16.52.191
- 185.218.19.117
- 192.109.200.151
- 193.233.82.43
- 193.24.123.25
- 194.48.141.192
- 199.217.99.189
- 199.91.220.142
- 199.91.220.216
- 2.26.117.169
- 2.27.122.16
- 209.99.189.170
- 45.135.180.200
- 45.151.106.88
- 85.192.27.152
URL
- http://serialmenot.com/mv2/
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
- Adversary: MuddyWater
- Pulse ID: 69ea29a2df2a3f26872b6e15
- Threat score: not assigned
Threat ID: 69eb361f87115cfb680ef893
Added to database: 4/24/2026, 9:21:35 AM
Last enriched: 5/26/2026, 7:53:46 PM
Last updated: 6/9/2026, 2:08:21 PM