Fake Software on GitHub and SourceForge Distributes Deno-Based DinDoor RAT
Malwarebytes uncovers a campaign using fake installers for ChatGPT, Claude, and other software on GitHub and SourceForge to deliver the DinDoor RAT, which leverages the Deno runtime for stealth.

Malwarebytes researchers have identified a widespread malware campaign that distributes fake installers for popular software such as ChatGPT, Claude, AutoTune, and Kontakt through GitHub and SourceForge repositories. The malicious packages deliver a Deno-based backdoor called DinDoor, which ultimately deploys a remote access Trojan (RAT) capable of data exfiltration from browsers and cryptocurrency wallets.
The infection chain begins with compromised YouTube channels that promote fake software, directing viewers to malicious GitHub or SourceForge repositories. These repositories host MSI files or PowerShell scripts that, when executed, install the Deno JavaScript runtime via package managers like Scoop or WinGet. Deno is then used to execute the DinDoor RAT, which features a peer-to-peer communication mechanism that hides malicious traffic through Microsoft Edge.
The campaign has accumulated over 50,000 video views, targeting creators, AI enthusiasts, gamers, and technically inclined users who are more likely to download unofficial tools or cracked software. The fake repositories often ask users to copy and run a command in the terminal, which downloads and executes the malicious MSI. Malwarebytes observed multiple repositories impersonating legitimate software, including ZENOLOGY, Ableton Live, and GearUP.
Once installed, the DinDoor RAT can execute additional payloads, steal credentials and session cookies from browsers, and exfiltrate data from cryptocurrency wallets. The use of Deno, an alternative JavaScript runtime, helps the malware evade traditional detection methods that focus on Node.js or PowerShell-based threats. This technique mirrors recent trends where attackers abuse Bun and Deno to bypass security controls.
Malwarebytes reported the malicious repositories to GitHub, which quickly removed them. However, attackers are expected to create new accounts and repositories to continue the campaign. Users are advised to download software only from official vendor websites, avoid cracked or unofficial versions, and carefully inspect repository profiles and file signatures before execution.
The DinDoor campaign highlights the growing abuse of legitimate development platforms like GitHub and SourceForge for malware distribution. By leveraging trusted infrastructure and alternative runtimes, attackers increase the credibility of their lures and reduce the likelihood of detection. Organizations and individuals should remain vigilant and implement strict download policies to mitigate such threats.
Malwarebytes reports that the campaign now also targets AutoTune, Kontakt, Ableton Live, and ZENOLOGY, and that compromised YouTube channels with AI-generated videos have accumulated over 50,000 views driving victims to the malicious repositories. The infection chain uses Scoop and WinGet to install the legitimate Deno runtime, which then fetches the DinDoor backdoor entirely in memory. The final payload is a Deno-based RAT (tracked as Smokest) that can stream live screen video via Microsoft Edge and Chrome DevTools Protocol, steal from over 50 cryptocurrency wallet extensions, and exfiltrate data from Chromium browsers, Telegram, and Discord.
Malwarebytes' latest report adds new technical depth to the DinDoor campaign, revealing that the RAT's video streaming capability hijacks a hidden Microsoft Edge process to stream live screen content peer-to-peer, bypassing central servers for stealth. The attackers also deployed a lighter variant called 'agent-lite' that routes C2 traffic through Cloudflare Workers for added anonymity. The campaign has expanded beyond AI chatbots to include fake game boosters like GearUP and AI watermark removers on SourceForge, with compromised YouTube channels using AI-generated videos to drive over 50,000 views to the malicious repositories.