Pulse Detail — Threat Intelligence

PULSE NAME

DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers

WHITE MuddyWater AlienVault 2026-04-23 Modified: 2026-04-24

IOCs

MEDIUM VOLUME

DinDoor is a Deno-based backdoor delivered via MSI files that exploits the Deno runtime to execute obfuscated JavaScript for command and control communications and system fingerprinting. Two analyzed samples show different execution behaviors: one writes JavaScript to disk while the other executes entirely in memory. Both samples use identical fingerprinting algorithms generating unique victim identifiers. One sample contains an embedded JWT exposing campaign metadata and the domain serialmenot[.]com, identified as multi-tenant infrastructure serving multiple threat actors including state-sponsored groups and cybercriminals. Analysis of HTTP response headers enabled identification of 20 active C2 servers across 15 autonomous systems, many using bulletproof hosting providers. The malicious infrastructure uses Caddy proxy with distinctive headers allowing network-based detection.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1033 T1059.007 T1497.001 T1082 T1140 T1016 T1090 T1204 T1057 T1059.001 T1566 T1571 T1027 T1573 T1518.001 T1132 T1071.001 T1105

MALWARE FAMILIES

DinDoor Tsundere Botnet CastleLoader CastleRAT ChainShell

Indicators of Compromise (39)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	5c057af2f358fc10107d5ccdb39938ad	—	2026-04-23
FileHash-MD5	6d56ec35c1bb1e44a8d6ee201845aa05	—	2026-04-23
FileHash-SHA1	197fb8bf3d6064a9f3272b8222cab6d5cf4f24de	—	2026-04-23
FileHash-SHA1	e2e8516b4f275e8c636620b7377ee3b9f9f47bb0	—	2026-04-23
FileHash-SHA256	2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5	—	2026-04-23
FileHash-SHA256	7b793c54a927da36649eb62b9481d5bcf1e9220035d95bbfb85f44a6cc9541ae	—	2026-04-23
IPv4	138.124.240.76	—	2026-04-23
IPv4	138.124.240.77	—	2026-04-23
IPv4	178.16.52.191	—	2026-04-23
IPv4	185.218.19.117	—	2026-04-23
IPv4	192.109.200.151	—	2026-04-23
IPv4	193.233.82.43	—	2026-04-23
IPv4	193.24.123.25	—	2026-04-23
IPv4	194.48.141.192	—	2026-04-23
IPv4	199.217.99.189	—	2026-04-23
IPv4	199.91.220.142	—	2026-04-23
IPv4	199.91.220.216	—	2026-04-23
IPv4	2.26.117.169	—	2026-04-23
IPv4	2.27.122.16	—	2026-04-23
IPv4	209.99.189.170	—	2026-04-23
IPv4	45.135.180.200	—	2026-04-23
IPv4	45.151.106.88	—	2026-04-23
IPv4	85.192.27.152	—	2026-04-23
URL	http://serialmenot.com/mv2/	—	2026-04-23
domain	aeeracaspsl.site	—	2026-04-23
domain	annaionovna.com	—	2026-04-23
domain	bitatits.surf	—	2026-04-23
domain	generalnewlong.com	—	2026-04-23
domain	hngfbgfbfb.cyou	—	2026-04-23
domain	ilspaeysoff.site	—	2026-04-23
domain	ineracaspsl.site	—	2026-04-23
domain	justtalken.com	—	2026-04-23
domain	landmas.info	—	2026-04-23
domain	myspaeysoff.site	—	2026-04-23
domain	serialmenot.com	—	2026-04-23
hostname	agilemast3r.duckdns.org	—	2026-04-23
hostname	bandage.healthydefinitetrunk.com	—	2026-04-23
hostname	grafana.healthydefinitetrunk.com	—	2026-04-23
hostname	surgery.healthydefinitetrunk.com	—	2026-04-23

References (1)

↗ https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis