VYPR
Research · Published Jun 17, 2026 · 1 source

Deno-Based RAT Uses Microsoft Teams Impersonation and Mailbombing to Target Employees

A new Remote Access Trojan built on the Deno runtime is being delivered via mailbombing and fake Microsoft Teams calls impersonating IT support, evading endpoint detection.

A new strain of malware has emerged that combines two well-known social engineering tactics into one effective attack chain. Researchers at InfoGuard Labs have uncovered a Remote Access Trojan built on Deno, an unconventional JavaScript runtime, being deployed against employees through email flooding and fake Microsoft Teams calls. The attack overwhelms targets and then offers a false sense of rescue, turning trust into a weapon.

The attack begins with what professionals call mailbombing. Targeted employees receive hundreds of emails in a short period, flooding inboxes and creating panic. Once the victim is disoriented, an attacker calls them over Teams, posing as an IT support agent. It is a deliberate trap: the manufactured crisis creates the demand, and the attacker shows up as the solution.

Analysts at InfoGuard Labs, who investigated this intrusion firsthand, noted that the malware stood out not for its social engineering alone, but because of the unusual technical framework deployed. Instead of a traditional compiled implant, the attacker delivered a modular RAT built on Deno, a JavaScript and TypeScript runtime known for its security-first design. The implant was split across four JavaScript files, each handling a specific role while keeping the overall footprint low.

What makes this attack particularly concerning is that an active endpoint detection tool was present on the compromised machine and still failed to flag the malware during initial execution. Alerts only surfaced later when the attacker began follow-on activities like LDAP queries and certificate-related reconnaissance. This strongly suggests the malware was built with evasion in mind from the start.

The C2 server sat behind a CloudFront domain, helping disguise outbound traffic as contact with a legitimate content delivery network. All four JavaScript files were heavily obfuscated using a technique called string array shifting, where readable strings are replaced with scrambled arrays that only reconstruct at runtime. This defeats static analysis tools that scan for known URLs or command-line arguments.

Security teams can take practical steps to reduce exposure. Monitoring for Deno processes launched from user-writable directories, flagging external Teams calls during email surges, and enabling full Microsoft 365 audit logging are all important measures. The Teams impersonation event leaves a traceable record in the Unified Audit Log, and correlating that signal with mailbombing activity can provide an early warning before any malware executes.
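
The correlation described above, sketched as an added example that is not from InfoGuard Labs or the original article: it flags an external Teams call that follows a mail surge for the same user, and a Deno binary started from a user-writable path. The event schema, thresholds, directory list and sample data are assumptions constructed for illustration and do not mirror real Unified Audit Log field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and path list are assumptions for this example; tune per environment.
SURGE_COUNT, SURGE_WINDOW = 100, timedelta(minutes=30)
CALL_WINDOW = timedelta(hours=2)  # external call this soon after a surge is suspicious
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")

def mail_surges(events):
    """Return {user: time at which SURGE_COUNT mails arrived within SURGE_WINDOW}."""
    times = defaultdict(list)
    for e in events:
        if e["type"] == "mail_received":
            times[e["user"]].append(e["time"])
    surges = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > SURGE_WINDOW:
                start += 1
            if end - start + 1 >= SURGE_COUNT:
                surges[user] = t
                break
    return surges

def detect(events):
    """Return sorted (time, user, alert) tuples for the two signals."""
    surges, alerts = mail_surges(events), []
    for e in events:
        surge = surges.get(e["user"])
        if e["type"] == "teams_call" and e["external"] and surge is not None:
            if timedelta(0) <= e["time"] - surge <= CALL_WINDOW:
                alerts.append((e["time"], e["user"], "external Teams call after mail surge"))
        elif e["type"] == "process_start":
            image = e["image"].lower()  # matches by file name, so a renamed binary is missed
            if image.endswith("\\deno.exe") and any(d in image for d in USER_WRITABLE):
                alerts.append((e["time"], e["user"], "Deno started from user-writable path"))
    return sorted(alerts)

def sample_events():
    """Constructed events in a hypothetical normalized schema (not real audit-log fields)."""
    t0 = datetime(2026, 1, 1, 9, 0)
    ev = [{"type": "mail_received", "user": "alice", "time": t0 + timedelta(seconds=10 * i)} for i in range(150)]
    call = {"type": "teams_call", "external": True, "time": t0 + timedelta(minutes=40)}
    ev += [{"type": "mail_received", "user": "bob", "time": t0}, {**call, "user": "alice"}, {**call, "user": "bob"}]
    ev.append({"type": "process_start", "user": "alice", "time": t0 + timedelta(minutes=55), "image": r"C:\Users\alice\AppData\Local\Temp\deno.exe"})
    ev.append({"type": "process_start", "user": "bob", "time": t0 + timedelta(minutes=5), "image": r"C:\Program Files\deno\deno.exe"})
    return ev
```

On the constructed data, `detect(sample_events())` returns two alerts for alice (the call, then the process start) and none for bob, whose external call has no preceding surge and whose Deno binary runs from an install directory.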

Synthesized by Vypr AI