eSentire TRU disrupted a ClickFix-style infection chain in a finance customer environment that used an MSI installer and AI-generated PowerShell to deploy DinDoor, DenoRAT, and NightshadeC2. The campaign is attributed to TAG-150 and used Deno-based tooling, hard-coded JWTs, and in-memory loading to establish persistence, steal data, and execute NightshadeC2. #TAG150 #DinDoor #DenoRAT #NightshadeC2 #ClickFix
Keypoints
- TRU disrupted a malicious ClickFix-style command in a finance customerâs environment before the full payload chain completed.
- The attack began with a command executed through the Windows Run prompt, which downloaded and launched an MSI installer.
- A likely AI-generated PowerShell script installed the Deno runtime and executed DinDoor, a Deno-based loader.
- DinDoor and DenoRAT used a C2 server at webstizkgao[.]com, with registration and tasking controlled through hard-coded JWTs.
- DenoRAT acted as both a RAT and a loader, enabling system discovery, file operations, screenshot capture, VNC access, and browser credential or wallet theft.
- The final stage used a PowerShell task to download a Python-based loader that decrypted and executed NightshadeC2 in memory.
- The activity is associated with TAG-150, a threat group active since March 2025, and included attempts to bypass Chromium App-Bound Encryption.
MITRE Techniques
- [T1059.001 ] PowerShell â Used to download, install, and execute stages, including the ClickFix command and later payload-loading tasks. [âpowershell.exe -WindowStyle Hidden -Command âiex (wget -UseBasicParsing âŚ)ââ]
- [T1059.003 ] Windows Command Shell â Used for remote shell execution through cmd.exe /c in DenoRAT tasking. [âRemote shell, execute commands via cmd.exe /c â]
- [T1059.005 ] Visual Basic â Not mentioned.
- [T1059.006 ] Python â Used in the loader chain to decrypt and execute NightshadeC2 in memory. [âdownloaded a self-contained Python archive and reflective PE loader named install.pycâ]
- [T1027 ] Obfuscated Files or Information â Multiple stages were obfuscated with Obfuscator.io and likely AI-generated code. [âobfuscated via Obfuscator.ioâ, âThis stage was likely AI-generatedâ]
- [T1027.013 ] Encrypted Payloads â The NightshadeC2 container was decrypted before execution. [âdecrypts and executes NightshadeC2 in memoryâ, âAES-256-CBCâ]
- [T1218.007 ] Msiexec â MSI installer used to start the infection chain. [âThis leads to an MSI file being downloaded and executedâ]
- [T1055.001 ] Dynamic-link Library Injection â DenoRAT injected a C2-supplied DLL into Chromium-based browser processes. [âVirtualAllocEx, WriteProcessMemory, VirtualProtectEx, and CreateRemoteThreadâ]
- [T1053.005 ] Scheduled Task/Job: Scheduled Task â Not mentioned.
- [T1547.001 ] Registry Run Keys / Startup Folder â Persistence was established via an HKCU Run key entry. [âcreating a new registry value in the HKCU Run keyâ]
- [T1105 ] Ingress Tool Transfer â Stages and payloads were fetched from remote C2 infrastructure. [âfetches launcher-2â, âdownloaded a self-contained Python archiveâ]
- [T1071.001 ] Web Protocols â C2 communication used HTTP, GET, POST, and WebSocket support. [âDenoRAT supports both WebSocket and HTTP pollingâ]
- [T1071.004 ] DNS â Not mentioned.
- [T1082 ] System Information Discovery â DenoRAT collected host details such as username, hostname, OS version, AV, and hardware info. [âSystem information collection and exfiltration to C2â]
- [T1113 ] Screen Capture â DenoRAT captured screenshots and exfiltrated them as JPEG. [âUses user32/gdi32 to capture a screenshotâ]
- [T1021.001 ] Remote Desktop Protocol â Not mentioned.
- [T1021.005 ] VNC â DenoRAT streamed the victim desktop and accepted mouse, keyboard, and clipboard input. [âvnc-start Stream the victimâs desktopâ]
- [T1056.001 ] Keylogging â Not mentioned.
- [T1041 ] Exfiltration Over C2 Channel â Stolen data, system info, and screenshots were sent back via the C2 endpoint. [âData exfil to C2â]
- [T1003 ] OS Credential Dumping â The stealer targeted browser credentials, cookies, and passwords. [âcookie, and credential theftâ]
- [T1112 ] Modify Registry â The malware wrote a new registry value to maintain persistence. [âSet-ItemProperty -Path ⌠-Name â1330705bâ]
Indicators of Compromise
- [Domain] Initial ClickFix download domain â columbnezhjdq[.]com
- [Domain] DenoRAT/DinDoor C2 domain â webstizkgao[.]com
- [Domain] NightshadeC2 dead-drop C2 domain â smallsmokik[.]com
- [URL] DenoRAT tasking/exfiltration endpoints â http://webstizkgao[.]com/message-event, http://webstizkgao[.]com/user
- [File hash SHA256] Script and payload hashes â 4ac3e1ecd2c4745f2e846ec7655b92234ee92068bffc7690c3f0184dc25c71da, ece42baaca7524460cc5ffc9ae94c2a634a67610decdd2bdc8f134c36fa2dd6c
- [File hash SHA256] DenoRAT/NightshadeC2 artifacts â 7682e9ac86ff47cc198812719ca54e169c3cb21ce584ad2a278a640f4833de46, 3dffe05d9cc49b2598d743301a8991965056d97bb8d429de461ed66c0dbde28b
- [File hash SHA256] Loader components â e0dd60bb3a409029988db6a10cb1e36586c2636da9eff3a3587bc38473fde54b, c2cdf1ecd6684bbcef0405444a570a76e9589bbd563476b08788bde34d83b511, a06d514a34d2ab08c3a13a58056827c50ba9bf01b68ca4b2cecb4e1462af53fa, fa0d1adb545881a2d8a508191961a9fd39485c4ac2a0f20ad8e2f931dc45c9ef
- [File hash SHA256] Encrypted NightshadeC2 container â b4fd836b82f2d8daf8b90a95046987e993e5687707fc57b527a8145d865e3fdc
- [File name] Encrypted payload container â 7sjVtn0zPVjMZzkxZ.MOa