The DINDOOR Backdoor
May 12, 2026
Anatomy of an Attack
In early 2026, the Iranian state-sponsored group MuddyWater launched a series of cyber operations across the Middle East and North America. Targeted entities included a U.S. financial institution, a Canadian non-governmental organization, and an Israeli branch of a U.S. software firm linked to the aerospace and defense sectors. The campaign marked the debut of a previously undocumented backdoor named DINDOOR, a tool that reflects a tactical shift toward abusing specialized developer runtimes to sidestep conventional security telemetry.
The Attack: DINDOOR Campaign Phases
MuddyWater executes its operations through a calculated sequence designed to build trust and evade detection by standard security tools. The attack typically proceeds through the following stages:
Phase 1: Initial Access
Leveraging human trust, the malware was distributed through spearphishing [T1566.002] or drive-by-download tactics. These campaigns lured victims into downloading and executing a malicious MSI installer, which in turn deployed additional payloads, including the DINDOOR backdoor. To evade detection and appear legitimate, the malware was digitally signed [T1553.002] under the identities ‘Amy Cherne’ or ‘Donald Gay’. The ‘Donald Gay’ identity has also been used to sign other malware attributed to MuddyWater.
Phase 2: Execution and Runtime Loading
Once the MSI installer is run [T1204.002], it drops PowerShell scripts such as Juliet_widget15.ps1. The script runs in the background, hidden from the user, and downloads deno.exe, a JavaScript runtime, if it is not already present on the host. It then uses Deno to execute a JavaScript payload containing DINDOOR. Deno lets the attackers run DINDOOR either from a JavaScript file on the host or from a PowerShell script running in memory, so deno.exe gives them the flexibility to pull the malware directly into memory, bypassing on-disk file scanning, or to execute it from a file.
Phase 3: Establishing Persistence
When the JavaScript payload executes, it attempts to open a TCP listener on 127.0.0.1; a second instance that cannot bind the port knows the host is already infected, which prevents re-infection. To survive a reboot, the backdoor establishes persistence through scheduled tasks.
Phase 4: Command and Control (C2)
Before communicating with its C2 server, the malware constructs a unique identifier for the victim host and appends it to every C2 request. Initial communication is a GET request to the '/health' endpoint on an attacker-controlled server, sent with a three-second timeout. Once a successful response is received, the malware communicates over HTTP on port 80 [T1071.001] and sends periodic heartbeats back to its C2 server.
Phase 5: Data Exfiltration
After successfully establishing a foothold, the attackers transition to their goal of espionage and data theft. In one instance, the actors attempted to exfiltrate data to a Wasabi cloud storage bucket [T1567.002] using the Rclone utility. Historically, MuddyWater has also employed go-socks proxy tunnels for exfiltration.
The Adversary’s Playbook: The MITRE ATT&CK TTP Table
ExtraHop NDR: Detection and Response
When an adversary operates within a trusted runtime like Deno and uses legitimate cloud providers for exfiltration, it effectively navigates around the visibility of endpoint agents. While endpoint tools might see only a legitimate process, the network remains a high-fidelity source of truth capable of identifying the technical manifestation of these activities. ExtraHop RevealX provides the deep visibility required to detect the DINDOOR attack chain at multiple stages.
By providing broad visibility into the network protocol layer, RevealX identifies the initial spearphishing URI request and the network activity generated by scheduled tasks or other DINDOOR-associated persistence mechanisms in real time. This visibility allows security teams to break the infection chain before the Rclone utility completes data exfiltration to unauthorized cloud storage. It offers critical defense in depth against threats that exploit trusted developer runtimes to hide their footprint.
ExtraHop RevealX detects the DINDOOR backdoor because the malware's reliance on the Deno runtime and C2 beaconing generates anomalous network patterns that cannot be hidden by subverting local endpoint logs. By analyzing traffic at the network level, defenders can identify malicious intent regardless of the legitimacy of the process initiating the connection.
Conclusion and Recommendations
Technical Takeaways
The DINDOOR campaign reveals these tactics:
- EDR Evasion: Using code-signed Deno runtimes allows DINDOOR to operate outside traditional behavioral watchlists.
- Minimal Footprint: Malware modules are pulled directly into memory, bypassing on-disk file scanning.
- Subverted Trust: Fraudulent certificates for identities like Amy Cherne mask malicious loaders as trusted software.
- Cloud Mimicry: Rclone blends data exfiltration with standard HTTPS cloud synchronization traffic.
Recommended Response
To mitigate the threat of DINDOOR, implement these technical strategies:
- Audit Developer Tools: Hunt for deno.exe with powershell.exe or cmd.exe as parents or requests to deno.land.
- Monitor RPC Traffic: Detect mass scheduled task creation via the DCE/RPC protocol to identify lateral movement.
- Verify Signatures: Hunt for files signed by fictitious identities such as Amy Cherne or Donald Gay.
- Validate Cloud Storage: Use Layer 7 visibility to identify and block unauthorized Wasabi usage.
- Identify C2 Patterns: Monitor for GET /health requests with three-second timeouts and "ok" body responses.
- Alert on Phishing: Flag unusual executable downloads or internal senders distributing high volumes of links.
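The process, runtime-download, signature, cloud-storage and scheduled-task hunts in the list above, expressed as checks over log records. This is an added example, not ExtraHop's code: every field name, host name, threshold and sample value is an assumption chosen for illustration (the Wasabi endpoint domain and the MS-TSCH `SchRpcRegisterTask` method name are taken from general knowledge, not from this write-up).

```python
"""Added example: the recommended hunts as checks over constructed endpoint,
HTTP, code-signing and DCE/RPC records. Not ExtraHop's code; all field names,
hosts, thresholds and sample values are assumptions."""
from collections import defaultdict

SHELL_PARENTS = {"powershell.exe", "cmd.exe"}
FRAUDULENT_SIGNERS = {"amy cherne", "donald gay"}   # identities named in the write-up
WASABI_SUFFIX = ".wasabisys.com"                      # assumed Wasabi S3 endpoint domain
TASK_BURST_THRESHOLD = 5                               # assumed: registrations per window

# Constructed sample records.
PROCESS_EVENTS = [
    {"host": "WS01",  "image": r"C:\Users\u\AppData\Local\deno.exe", "parent": "powershell.exe"},
    {"host": "DEV02", "image": r"C:\tools\deno\deno.exe", "parent": "Code.exe"},  # developer's editor
    {"host": "WS01",  "image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},
]
HTTP_EVENTS = [
    {"src": "10.0.0.5", "host": "deno.land"},
    {"src": "10.0.0.5", "host": "s3.wasabisys.com"},
    {"src": "10.0.0.7", "host": "s3.us-east-1.wasabisys.com"},   # approved backup target
    {"src": "10.0.0.5", "host": "www.example.com"},
]
SIGNATURE_EVENTS = [
    {"host": "WS01",  "file": "setup.msi", "signer": "Amy Cherne"},
    {"host": "DEV02", "file": "Code.exe",  "signer": "Microsoft Corporation"},
]
RPC_EVENTS = [  # one client registering tasks on six hosts within 15 s
    {"ts": 100 + i * 3, "src": "10.0.0.5", "dst": f"10.0.0.{50 + i}", "op": "SchRpcRegisterTask"}
    for i in range(6)
] + [
    {"ts": 500, "src": "10.0.0.8", "dst": "10.0.0.60", "op": "SchRpcRegisterTask"},
    {"ts": 510, "src": "10.0.0.8", "dst": "10.0.0.60", "op": "SchRpcEnumTasks"},
]
APPROVED_WASABI_HOSTS = {"s3.us-east-1.wasabisys.com"}


def hunt_deno_parents(events):
    """Phase 2 loader behaviour: deno.exe spawned directly by a shell."""
    return [e for e in events
            if e["image"].lower().endswith("deno.exe")
            and e["parent"].lower() in SHELL_PARENTS]


def hunt_deno_downloads(events):
    """Hosts fetching the runtime from deno.land (or a subdomain)."""
    return [e for e in events
            if e["host"].lower() == "deno.land" or e["host"].lower().endswith(".deno.land")]


def hunt_signers(events):
    """Files signed under the fictitious identities."""
    return [e for e in events if e["signer"].strip().lower() in FRAUDULENT_SIGNERS]


def hunt_wasabi(events, approved=frozenset()):
    """Layer 7 view: Wasabi endpoints that are not on the approved list."""
    return [e for e in events
            if e["host"].lower().endswith(WASABI_SUFFIX) and e["host"].lower() not in approved]


def hunt_task_bursts(events, window_s=60, threshold=TASK_BURST_THRESHOLD):
    """One client registering many scheduled tasks over DCE/RPC in a short window."""
    per_src = defaultdict(list)
    for e in events:
        if e["op"] == "SchRpcRegisterTask":
            per_src[e["src"]].append(e)

    hits = []
    for src, regs in per_src.items():
        regs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end, e in enumerate(regs):          # sliding window over timestamps
            while e["ts"] - regs[start]["ts"] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append({"src": src, "count": best,
                         "targets": sorted({r["dst"] for r in regs})})
    return hits


if __name__ == "__main__":
    print("deno from shell:", hunt_deno_parents(PROCESS_EVENTS))
    print("deno.land requests:", hunt_deno_downloads(HTTP_EVENTS))
    print("fraudulent signers:", hunt_signers(SIGNATURE_EVENTS))
    print("unapproved Wasabi:", hunt_wasabi(HTTP_EVENTS, APPROVED_WASABI_HOSTS))
    print("task bursts:", hunt_task_bursts(RPC_EVENTS))
```

Each hunt is a plain filter so it can be dropped into whatever query language the SIEM or NDR uses; the one with real tuning cost is the scheduled-task burst, where `window_s` and `threshold` should be set from a baseline of legitimate management traffic (patching and configuration tools register tasks too), and an allow-list of approved storage endpoints is what turns the Wasabi check from noise into a finding.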
Sources of Data on DINDOOR
- Security.com: https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
- The Hacker News: https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
- Rescana: https://www.rescana.com/post/muddywater-s-dindoor-backdoor-iranian-apt-targets-u-s-organizations-via-deno-runtime-and-cloud-sto
- Cyberwarrior76: https://cyberwarrior76.substack.com/p/irans-muddywater-just-dropped-two
- Hunt.io: https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis#Network_Infrastructure
- IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/malware-analysis/guid:9ff5708cc60846bea98b8807c16bccc7
Learn More About ExtraHop
The network usually tells the story that logs and endpoints often miss. If you want to see how this actually works in practice, or if you're just curious about how your own environment holds up, there are a few ways we can help:
- See it in action: We can jump on a quick call to show you how RevealX NDR picks up on the TTPs used in the DINDOOR backdoor campaign.
- Check your blind spots: We offer a simple network security assessment to help you find out if there’s activity moving sideways through your environment that your current tools aren't catching.
- Your experts speak with our experts: If you have specific questions your team can spend time with ours.
Click HERE to schedule your time with us and learn more about ExtraHop RevealX NDR.
Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandboxing, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), network detection and response (NDR), and encryption.