DinDoor malware emerges

- Security researchers reported a new 'DinDoor' backdoor that abuses the Deno runtime and Windows MSI installers.
- DinDoor uses obfuscated JavaScript for command-and-control to evade detection and persist via installers.
- The campaign highlights attackers hiding inside modern developer runtimes and packaging to blend with normal build activity. (cybersecuritynews.com)

A backdoor called DinDoor is hiding inside normal Windows installers and the Deno programming runtime, giving attackers a quieter way into corporate networks. (hunt.io) Deno is a legitimate tool developers use to run JavaScript and TypeScript outside a browser, much like Node.js. Hunt.io said DinDoor abuses that trusted runtime instead of dropping a conventional compiled malware file. (hunt.io)

The delivery method is a Windows MSI installer, the same package format many companies use for software deployment. Researchers said DinDoor samples arrived through phishing or drive-by downloads, then fetched Deno from the legitimate `dl.deno.land` service to execute attacker code. (hunt.io)

Hunt.io published its analysis on April 21, 2026 and said one of its queries identified 20 active command-and-control servers at the time of publication. The firm examined two MSI samples and said both used obfuscated JavaScript to fingerprint infected machines, contact remote servers, and pull follow-on payloads. (hunt.io)

Broadcom’s Symantec and Carbon Black threat team had already named Dindoor in March 2026 while tracking Iranian group Seedworm, also known as MuddyWater. Broadcom said it found the backdoor on the Israeli branch of a software supplier, a U.S. bank, and a Canadian nonprofit. (security.com) In that Broadcom report, the wider intrusion set also touched a U.S. airport and other organizations through a second backdoor called Fakeset. The software company involved served defense and aerospace customers, and Broadcom said its Israel operation appeared to be the main target in that case. (security.com)

Researchers describe this as “bring your own runtime”: instead of relying on PowerShell or Python, attackers bring in a signed tool that may already be allowed in developer environments. Hunt.io said that creates a gap in networks tuned to watch PowerShell, Python, or Node.js activity more closely than Deno. (hunt.io)

The MSI packaging matters for the same reason. Windows Installer files are common in enterprise software rollouts, and Broadcom has separately documented years of malware abuse of MSI packages because they can launch code during installation while looking routine to users and administrators. (broadcom.com)

Hunt.io said one DinDoor sample, `installer_v1.21.66.msi`, carried a hardcoded JSON Web Token in its command-and-control address, exposing campaign metadata including the domain `serialmenot[.]com`. The researchers said the two samples shared the same victim-identification logic but differed in execution behavior, suggesting multiple variants under the same malware family. (hunt.io)

The immediate takeaway for defenders is narrower than “block Deno.” The reports point to watching MSI child processes, unexpected downloads of developer runtimes on non-developer systems, and outbound traffic from Deno processes to unfamiliar servers, because DinDoor works by making malicious activity look like ordinary software setup. (hunt.io)
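The three detection signals in that last paragraph, as an added example that is not part of the Hunt.io or Broadcom reports: a Python sketch that runs one rule per signal over constructed Sysmon-style JSON events (process creation, file creation, network connection). The host groups, the sanctioned Deno destination list, the runtime and script-host names, and every sample event are assumptions made up for the example; a real deployment would source them from the asset inventory and tune the msiexec child rule, since installer custom actions legitimately spawn `cmd.exe`.

```python
"""
Detection sketch for DinDoor-style tradecraft (example code, not from the reports):
  1. msiexec.exe spawning a script host or developer runtime during an install
  2. a developer runtime binary (deno.exe, ...) written to disk on a non-developer host
  3. deno.exe connecting to a destination that is not a sanctioned Deno endpoint
Events are constructed Sysmon-like JSON lines, one per line.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical asset-inventory group and allowlists (assumptions for this example).
DEVELOPER_HOSTS = {"dev-ws-01", "build-agent-02"}
SANCTIONED_DENO_DESTINATIONS = {"dl.deno.land", "deno.land"}
RUNTIME_BINARIES = {"deno.exe", "node.exe", "python.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _name(path: str) -> str:
    """Case-folded file name of a Windows path; ntpath parses backslashes on any OS."""
    return ntpath.basename(path).lower()


def msi_child_runtime(ev: dict) -> Optional[Alert]:
    """Rule 1: Windows Installer launching a runtime or script host as a child process."""
    if ev.get("event") != "ProcessCreate" or _name(ev.get("ParentImage", "")) != "msiexec.exe":
        return None
    child = _name(ev.get("Image", ""))
    if child in RUNTIME_BINARIES | SCRIPT_HOSTS:
        return Alert("msi_child_runtime", ev["host"], f"msiexec.exe -> {child}: {ev.get('CommandLine', '')}")
    return None


def runtime_on_nondev_host(ev: dict) -> Optional[Alert]:
    """Rule 2: a developer runtime appearing on disk outside the developer host group."""
    if ev.get("event") != "FileCreate":
        return None
    target = _name(ev.get("TargetFilename", ""))
    if target in RUNTIME_BINARIES and ev["host"] not in DEVELOPER_HOSTS:
        return Alert("runtime_on_nondev_host", ev["host"], f"{target} written to {ev['TargetFilename']}")
    return None


def deno_unfamiliar_destination(ev: dict) -> Optional[Alert]:
    """Rule 3: deno.exe talking to anything other than the sanctioned Deno endpoints."""
    if ev.get("event") != "NetworkConnect" or _name(ev.get("Image", "")) != "deno.exe":
        return None
    dest = (ev.get("DestinationHostname") or ev.get("DestinationIp", "")).lower()
    if dest not in SANCTIONED_DENO_DESTINATIONS:
        return Alert("deno_unfamiliar_destination", ev["host"], f"deno.exe -> {dest}:{ev.get('DestinationPort')}")
    return None


RULES = (msi_child_runtime, runtime_on_nondev_host, deno_unfamiliar_destination)


def scan(log_lines: Iterable[str]) -> List[Alert]:
    """Apply every rule to every JSON event line and collect the alerts."""
    alerts: List[Alert] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        alerts.extend(a for a in (rule(ev) for rule in RULES) if a is not None)
    return alerts


# Constructed sample telemetry: one infected finance workstation, one legitimate developer box.
# "c2.example.invalid" is a placeholder, not a real indicator.
SAMPLE_LOG = r"""
{"event":"ProcessCreate","host":"finance-pc-07","ParentImage":"C:\\Windows\\System32\\msiexec.exe","Image":"C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe","CommandLine":"deno.exe run -A C:\\Users\\jdoe\\AppData\\Local\\Temp\\main.js"}
{"event":"FileCreate","host":"finance-pc-07","Image":"C:\\Windows\\System32\\msiexec.exe","TargetFilename":"C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe"}
{"event":"NetworkConnect","host":"finance-pc-07","Image":"C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe","DestinationHostname":"dl.deno.land","DestinationPort":443}
{"event":"NetworkConnect","host":"finance-pc-07","Image":"C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe","DestinationHostname":"c2.example.invalid","DestinationPort":443}
{"event":"FileCreate","host":"dev-ws-01","Image":"C:\\Program Files\\PowerShell\\7\\pwsh.exe","TargetFilename":"C:\\Users\\dev\\.deno\\bin\\deno.exe"}
{"event":"ProcessCreate","host":"dev-ws-01","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Users\\dev\\.deno\\bin\\deno.exe","CommandLine":"deno.exe test"}
"""


def scan_sample() -> List[Alert]:
    """Run the rules over the constructed log; expected: three alerts, all on finance-pc-07."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Only the finance workstation trips the rules: the developer box downloading and running Deno produces nothing, and the infected host's fetch from `dl.deno.land` is also silent, which matches the reports' point that the runtime itself is legitimate and the signal is in who runs it, from where, and to what it connects.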

Shared from Scout