Threats Tagged 'tsundere botnet'

DinDoor is a Deno-based backdoor delivered via MSI files that exploits the Deno runtime to execute obfuscated JavaScript for command and control communications and system fingerprinting. Two analyzed samples show different execution behaviors: one writes JavaScript to disk while the other executes entirely in memory. Both samples use identical fingerprinting algorithms generating unique victim identifiers. One sample contains an embedded JWT exposing campaign metadata and the domain serialmenot[.]com, identified as multi-tenant infrastructure serving multiple threat actors including state-sponsored groups and cybercriminals. Analysis of HTTP response headers enabled identification of 20 active C2 servers across 15 autonomous systems, many using bulletproof hosting providers. The malicious infrastructure uses Caddy proxy with distinctive headers allowing network-based detection.

MediumMalwareUnited StatesRussia#castleloader#deno runtime#caddy proxy

Iranian intelligence services are increasingly engaging with the cyber crime ecosystem, leveraging criminal tools, services, and operational models to support state objectives. This trend is particularly evident among actors linked to the Ministry of Intelligence and Security (MOIS), such as Void Manticore and MuddyWater. These actors are not merely imitating criminal behavior but actively associating with the cyber criminal ecosystem, using its infrastructure, malware, and affiliate-style relationships. This approach enhances their operational capabilities, complicates attribution, and contributes to confusion around Iranian threat activity. Examples include the use of ransomware branding, commercial infostealers, and overlaps with criminal malware clusters. This shift from imitation to active engagement with cyber crime offers both improved deniability and expanded technical capabilities for Iranian actors.

MediumMalwareUnited StatesUnited KingdomIsrael+7#castleloader#muddywater#tsundere botnet