DinDoor, DenoRAT, and NightshadeC2: Analyzing TAG-150’s Evolving Tradecraft

DinDoor, DenoRAT, and NightshadeC2: Analyzing TAG-150’s Evolving Tradecraft
eSentire TRU disrupted a ClickFix-style infection chain in a finance customer environment that used an MSI installer and AI-generated PowerShell to deploy DinDoor, DenoRAT, and NightshadeC2. The campaign is attributed to TAG-150 and used Deno-based tooling, hard-coded JWTs, and in-memory loading to establish persistence, steal data, and execute NightshadeC2. #TAG150 #DinDoor #DenoRAT #NightshadeC2 #ClickFix

Keypoints

  • TRU disrupted a malicious ClickFix-style command in a finance customer’s environment before the full payload chain completed.
  • The attack began with a command executed through the Windows Run prompt, which downloaded and launched an MSI installer.
  • A likely AI-generated PowerShell script installed the Deno runtime and executed DinDoor, a Deno-based loader.
  • DinDoor and DenoRAT used a C2 server at webstizkgao[.]com, with registration and tasking controlled through hard-coded JWTs.
  • DenoRAT acted as both a RAT and a loader, enabling system discovery, file operations, screenshot capture, VNC access, and browser credential or wallet theft.
  • The final stage used a PowerShell task to download a Python-based loader that decrypted and executed NightshadeC2 in memory.
  • The activity is associated with TAG-150, a threat group active since March 2025, and included attempts to bypass Chromium App-Bound Encryption.

MITRE Techniques

  • [T1059.001 ] PowerShell – Used to download, install, and execute stages, including the ClickFix command and later payload-loading tasks. [‘powershell.exe -WindowStyle Hidden -Command “iex (wget -UseBasicParsing …)”‘]
  • [T1059.003 ] Windows Command Shell – Used for remote shell execution through cmd.exe /c in DenoRAT tasking. [‘Remote shell, execute commands via cmd.exe /c ‘]
  • [T1059.005 ] Visual Basic – Not mentioned.
  • [T1059.006 ] Python – Used in the loader chain to decrypt and execute NightshadeC2 in memory. [‘downloaded a self-contained Python archive and reflective PE loader named install.pyc’]
  • [T1027 ] Obfuscated Files or Information – Multiple stages were obfuscated with Obfuscator.io and likely AI-generated code. [‘obfuscated via Obfuscator.io’, ‘This stage was likely AI-generated’]
  • [T1027.013 ] Encrypted Payloads – The NightshadeC2 container was decrypted before execution. [‘decrypts and executes NightshadeC2 in memory’, ‘AES-256-CBC’]
  • [T1218.007 ] Msiexec – MSI installer used to start the infection chain. [‘This leads to an MSI file being downloaded and executed’]
  • [T1055.001 ] Dynamic-link Library Injection – DenoRAT injected a C2-supplied DLL into Chromium-based browser processes. [‘VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, and CreateRemoteThread’]
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – Not mentioned.
  • [T1547.001 ] Registry Run Keys / Startup Folder – Persistence was established via an HKCU Run key entry. [‘creating a new registry value in the HKCU Run key’]
  • [T1105 ] Ingress Tool Transfer – Stages and payloads were fetched from remote C2 infrastructure. [‘fetches launcher-2’, ‘downloaded a self-contained Python archive’]
  • [T1071.001 ] Web Protocols – C2 communication used HTTP, GET, POST, and WebSocket support. [‘DenoRAT supports both WebSocket and HTTP polling’]
  • [T1071.004 ] DNS – Not mentioned.
  • [T1082 ] System Information Discovery – DenoRAT collected host details such as username, hostname, OS version, AV, and hardware info. [‘System information collection and exfiltration to C2’]
  • [T1113 ] Screen Capture – DenoRAT captured screenshots and exfiltrated them as JPEG. [‘Uses user32/gdi32 to capture a screenshot’]
  • [T1021.001 ] Remote Desktop Protocol – Not mentioned.
  • [T1021.005 ] VNC – DenoRAT streamed the victim desktop and accepted mouse, keyboard, and clipboard input. [‘vnc-start Stream the victim’s desktop’]
  • [T1056.001 ] Keylogging – Not mentioned.
  • [T1041 ] Exfiltration Over C2 Channel – Stolen data, system info, and screenshots were sent back via the C2 endpoint. [‘Data exfil to C2’]
  • [T1003 ] OS Credential Dumping – The stealer targeted browser credentials, cookies, and passwords. [‘cookie, and credential theft’]
  • [T1112 ] Modify Registry – The malware wrote a new registry value to maintain persistence. [‘Set-ItemProperty -Path … -Name ‘1330705b”]

Indicators of Compromise

  • [Domain] Initial ClickFix download domain – columbnezhjdq[.]com
  • [Domain] DenoRAT/DinDoor C2 domain – webstizkgao[.]com
  • [Domain] NightshadeC2 dead-drop C2 domain – smallsmokik[.]com
  • [URL] DenoRAT tasking/exfiltration endpoints – http://webstizkgao[.]com/message-event, http://webstizkgao[.]com/user
  • [File hash SHA256] Script and payload hashes – 4ac3e1ecd2c4745f2e846ec7655b92234ee92068bffc7690c3f0184dc25c71da, ece42baaca7524460cc5ffc9ae94c2a634a67610decdd2bdc8f134c36fa2dd6c
  • [File hash SHA256] DenoRAT/NightshadeC2 artifacts – 7682e9ac86ff47cc198812719ca54e169c3cb21ce584ad2a278a640f4833de46, 3dffe05d9cc49b2598d743301a8991965056d97bb8d429de461ed66c0dbde28b
  • [File hash SHA256] Loader components – e0dd60bb3a409029988db6a10cb1e36586c2636da9eff3a3587bc38473fde54b, c2cdf1ecd6684bbcef0405444a570a76e9589bbd563476b08788bde34d83b511, a06d514a34d2ab08c3a13a58056827c50ba9bf01b68ca4b2cecb4e1462af53fa, fa0d1adb545881a2d8a508191961a9fd39485c4ac2a0f20ad8e2f931dc45c9ef
  • [File hash SHA256] Encrypted NightshadeC2 container – b4fd836b82f2d8daf8b90a95046987e993e5687707fc57b527a8145d865e3fdc
  • [File name] Encrypted payload container – 7sjVtn0zPVjMZzkxZ.MOa


Read more: https://www.esentire.com/blog/dindoor-denorat-and-nightshadec2-analyzing-tag-150s-evolving-tradecraft