Trust Me, I’m IT: Threat Actors Deliver Deno-Based Backdoor “DenoGate” via Microsoft Teams

Trust Me, I’m IT: Threat Actors Deliver Deno-Based Backdoor “DenoGate” via Microsoft Teams
In June 2026, eSentire TRU identified a Microsoft Teams phishing campaign in which attackers used email bombing and a fake IT helpdesk to trick a retail victim into installing the DenoGate backdoor. DenoGate uses Deno-based JavaScript modules to contact a CloudFront C2, gather host and network data, install persistence, and proxy TCP traffic. #DenoGate #eSentire #MicrosoftTeams #CloudFront

Keypoints

  • eSentire TRU observed a Microsoft Teams-based phishing campaign targeting a customer in the retail industry.
  • Attackers first used email bombing to overwhelm victims before posing as IT helpdesk staff in Microsoft Teams.
  • Victims were directed to download and execute a supposed patch, which was actually an archive containing the DenoGate backdoor.
  • DenoGate is a Deno-based backdoor made up of multiple JavaScript modules, including a loader, C2 handler, command executor, and TCP tunneler.
  • The malware communicates with a CloudFront-based command-and-control server over WebSockets and collects domain, username, computer name, and network information.
  • DenoGate supports persistence through the HKCU Run registry key and can open TCP connections on the victim host to act as a proxy.
  • TRU recommended restricting external Microsoft Teams messaging and requiring explicit approval for contacts from outside the organization.

MITRE Techniques

  • [T1566.002 ] Phishing: Spearphishing Link – Attackers delivered malicious instructions and links through Microsoft Teams to entice victims to download and run the fake patch (‘they sent malicious links containing step-by-step instructions guiding victims to download, unpack, and execute…’; ‘Victims were sent a link via Microsoft Teams’).
  • [T1114.001 ] Email Collection – Email bombing was used to flood victims’ inboxes as part of the initial social engineering chain (‘subscribed victims’ email addresses to numerous services, flooding their inboxes with spam’).
  • [T1219 ] Remote Access Software – The attackers used Microsoft Teams as a legitimate-looking remote communication channel to impersonate IT helpdesk personnel (‘posing as IT helpdesk via Microsoft Teams’).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – The malware executed commands through cmd.exe to gather data, install persistence, and run arbitrary commands (‘cmd.exe /c “set && ipconfig /all && route print && tasklist”‘, ‘cmd.exe /c “reg add…”‘).
  • [T1547.001 ] Registry Run Keys / Startup Folder – DenoGate established persistence by creating a Run key entry under HKCUSoftwareMicrosoftWindowsCurrentVersionRun (‘Persistence via HKCU Run key’).
  • [T1105 ] Ingress Tool Transfer – The payload was downloaded from an Amazon S3-hosted page and unpacked on the victim machine (‘sent victims Amazon S3 links to pages containing instructions to download, unpack, and execute the “patch”‘).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – DenoGate communicated with C2 over WebSockets and used local HTTP endpoints to relay traffic (‘maintains connection with a CloudFront-based C2 server via WebSocket’).
  • [T1090.001 ] Proxy: Internal Proxy – The backdoor could open TCP connections and use the compromised device as a proxy (‘allows threat actors to use the victim’s device as a proxy’).
  • [T1046 ] Network Service Discovery – The malware enumerated network configuration and running processes to fingerprint the host (‘set && ipconfig /all && route print && tasklist’).

Indicators of Compromise

  • [SHA-256 ] malicious archive containing the fake patch – ff5a477871a4b83e2b38e660f28ef998680dcb6ba21fddff3e3f66c04ffc3596
  • [File Name ] dropped archive and DenoGate components – patch01309.txt, app.js
  • [Command Line ] host reconnaissance and persistence actions – cmd.exe /c “set && ipconfig /all && route print && tasklist”, cmd.exe /c “reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” /v Deno_AutoRun …”
  • [URL ] command-and-control and delivery path – wss://d1mjrkjsk5qy13.cloudfront[.]net/api/connect, https://.s3.us-east-1.amazonaws.com/index.html?john.smith@&source=teams.lnk
  • [Domain Name ] C2 infrastructure – d1mjrkjsk5qy13.cloudfront[.]net, .company.onmicrosoft.com
  • [IP Address ] local service ports used by DenoGate modules – 127.0.0.1:10020, 127.0.0.1:10021, and 127.0.0.1:10022
  • [Command Line ] launching DenoGate via conhost and Deno – conhost.exe –headless –allow-run app.js


Read more: https://www.esentire.com/blog/trust-me-im-it-threat-actors-deliver-deno-based-backdoor-denogate-via-microsoft-teams