In June 2026, eSentire TRU identified a Microsoft Teams phishing campaign in which attackers used email bombing and a fake IT helpdesk to trick a retail victim into installing the DenoGate backdoor. DenoGate uses Deno-based JavaScript modules to contact a CloudFront C2, gather host and network data, install persistence, and proxy TCP traffic. #DenoGate #eSentire #MicrosoftTeams #CloudFront
Keypoints
- eSentire TRU observed a Microsoft Teams-based phishing campaign targeting a customer in the retail industry.
- Attackers first used email bombing to overwhelm victims before posing as IT helpdesk staff in Microsoft Teams.
- Victims were directed to download and execute a supposed patch, which was actually an archive containing the DenoGate backdoor.
- DenoGate is a Deno-based backdoor made up of multiple JavaScript modules, including a loader, C2 handler, command executor, and TCP tunneler.
- The malware communicates with a CloudFront-based command-and-control server over WebSockets and collects domain, username, computer name, and network information.
- DenoGate supports persistence through the HKCU Run registry key and can open TCP connections on the victim host to act as a proxy.
- TRU recommended restricting external Microsoft Teams messaging and requiring explicit approval for contacts from outside the organization.
MITRE Techniques
- [T1566.002 ] Phishing: Spearphishing Link â Attackers delivered malicious instructions and links through Microsoft Teams to entice victims to download and run the fake patch (âthey sent malicious links containing step-by-step instructions guiding victims to download, unpack, and executeâŚâ; âVictims were sent a link via Microsoft Teamsâ).
- [T1114.001 ] Email Collection â Email bombing was used to flood victimsâ inboxes as part of the initial social engineering chain (âsubscribed victimsâ email addresses to numerous services, flooding their inboxes with spamâ).
- [T1219 ] Remote Access Software â The attackers used Microsoft Teams as a legitimate-looking remote communication channel to impersonate IT helpdesk personnel (âposing as IT helpdesk via Microsoft Teamsâ).
- [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell â The malware executed commands through cmd.exe to gather data, install persistence, and run arbitrary commands (âcmd.exe /c âset && ipconfig /all && route print && tasklistââ, âcmd.exe /c âreg addâŚââ).
- [T1547.001 ] Registry Run Keys / Startup Folder â DenoGate established persistence by creating a Run key entry under HKCUSoftwareMicrosoftWindowsCurrentVersionRun (âPersistence via HKCU Run keyâ).
- [T1105 ] Ingress Tool Transfer â The payload was downloaded from an Amazon S3-hosted page and unpacked on the victim machine (âsent victims Amazon S3 links to pages containing instructions to download, unpack, and execute the âpatchââ).
- [T1071.001 ] Application Layer Protocol: Web Protocols â DenoGate communicated with C2 over WebSockets and used local HTTP endpoints to relay traffic (âmaintains connection with a CloudFront-based C2 server via WebSocketâ).
- [T1090.001 ] Proxy: Internal Proxy â The backdoor could open TCP connections and use the compromised device as a proxy (âallows threat actors to use the victimâs device as a proxyâ).
- [T1046 ] Network Service Discovery â The malware enumerated network configuration and running processes to fingerprint the host (âset && ipconfig /all && route print && tasklistâ).
Indicators of Compromise
- [SHA-256 ] malicious archive containing the fake patch â ff5a477871a4b83e2b38e660f28ef998680dcb6ba21fddff3e3f66c04ffc3596
- [File Name ] dropped archive and DenoGate components â patch01309.txt, app.js
- [Command Line ] host reconnaissance and persistence actions â cmd.exe /c âset && ipconfig /all && route print && tasklistâ, cmd.exe /c âreg add âHKCUSoftwareMicrosoftWindowsCurrentVersionRunâ /v Deno_AutoRun âŚâ
- [URL ] command-and-control and delivery path â wss://d1mjrkjsk5qy13.cloudfront[.]net/api/connect, https://.s3.us-east-1.amazonaws.com/index.html?john.smith@&source=teams.lnk
- [Domain Name ] C2 infrastructure â d1mjrkjsk5qy13.cloudfront[.]net, .company.onmicrosoft.com
- [IP Address ] local service ports used by DenoGate modules â 127.0.0.1:10020, 127.0.0.1:10021, and 127.0.0.1:10022
- [Command Line ] launching DenoGate via conhost and Deno â conhost.exe âheadless âallow-run app.js