Fake software downloads on GitHub and SourceForge are being used to distribute DinDoor and a Deno-based remote access trojan. A threat-intelligence report published on May 26, 2026 says attackers are impersonating popular tools such as ChatGPT, Claude, AutoTune, Kontakt, ZENOLOGY, and Ableton Live, then pushing victims toward malicious MSI files or PowerShell launchers hosted on trusted-looking project pages [1].
The useful takeaway is not simply that a platform was abused. The campaign targets people who are already comfortable downloading community tools, plugins, cracked apps, or AI utilities. That makes the lure dangerous for creators, gamers, developers, and Windows users who may treat a repository or SourceForge project as safer than a random file-sharing link.
Who is affected
Users are most exposed when they follow software links from compromised YouTube channels, open a new or unfamiliar GitHub/SourceForge project, then run an MSI installer or a copied terminal command. The related YouTube videos had more than 50,000 total views at the time of the report [1].
The highest-risk cases are unofficial plugins, cracked paid software, “free” AI tools, game utilities, and developer helpers downloaded outside the vendor’s normal website. If one of those downloads ran recently, treat the machine as potentially compromised until it has been checked.
Attack clues to check
| Clue | Why it matters |
|---|---|
| New MSI or PowerShell launcher from a repository | The reported chain commonly begins with MSI files or scripts downloaded from GitHub or SourceForge [1]. |
| Unexpected Deno runtime on Windows | DinDoor and the later RAT use Deno to run attacker-controlled JavaScript. Hunt.io also documented DinDoor samples that rely on Deno for execution and C2 communication [2]. |
| Scoop or WinGet activity you did not initiate | Researchers observed scripts installing package-manager components and Deno before fetching the next stage [1]. |
| Suspicious browser, wallet, Telegram, Discord, clipboard, or screenshot access | The delivered RAT can collect browser and wallet data, capture screenshots, modify clipboard content, execute commands, and proxy traffic [1]. |
What to do now
- Stop using the downloaded tool. Remove the installer and any extracted files, but keep the filename, path, source URL, and download time for review.
- Check whether Deno belongs on the PC. If you are not a developer who intentionally installed it, unexpected `deno.exe` activity is a serious signal.
- Review startup and persistence. Look for unusual Run keys, hidden PowerShell launches, strange folders under AppData, and recent MSI installation events.
- Scan the system before logging back in to sensitive accounts. Use Gridinsoft Anti-Malware for a second-opinion cleanup scan, and upload suspicious leftovers to the Gridinsoft Online Virus Scanner if you need to check a file or URL.
- Rotate exposed credentials from a clean device. Prioritize browser-saved passwords, crypto wallets, Telegram, Discord, email, developer tokens, and accounts used on the same Windows session.
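The Deno, persistence, and MSI checks from the list above can be run as one read-only PowerShell pass. This is an added example, not code from the report or from any vendor tool; the 14-day lookback, the selection of Run keys, the MsiInstaller event IDs (1033 and 11707), and Scoop's default per-user folder are assumptions of the example, and flagged entries are leads for review rather than verdicts.

```powershell
# Read-only triage: lists leads for review and changes nothing on the system.
# Assumption: 14-day lookback; widen $Since to cover the suspected download date.
$Since = (Get-Date).AddDays(-14)
$quiet = @{ Force = $true; ErrorAction = 'SilentlyContinue' }

# 1. Deno on disk or in memory (the user profile includes AppData).
$denoFiles = Get-ChildItem @quiet -Path $env:USERPROFILE, $env:ProgramData -Filter 'deno.exe' -Recurse -File |
    Select-Object FullName, CreationTime
$denoProcs = Get-CimInstance Win32_Process -Filter "Name = 'deno.exe'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 2. Run / RunOnce values; mark script hosts, Deno, and AppData paths for review.
#    Legitimate apps also start from AppData, so Review means "look", not "malicious".
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $cmd
            Review = $cmd -match 'powershell|pwsh|deno|wscript|mshta|\\AppData\\'
        }
    }
}

# 3. Completed MSI installs recorded in the Application log.
$msiEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'
        Id = 1033, 11707; StartTime = $Since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# 4. Folders created under AppData inside the lookback window.
$newDirs = Get-ChildItem @quiet -Path $env:APPDATA, $env:LOCALAPPDATA -Directory |
    Where-Object { $_.CreationTime -ge $Since } | Select-Object FullName, CreationTime

# 5. Scoop's default per-user directory; unexpected if you never installed Scoop.
$scoopDir = Join-Path $env:USERPROFILE 'scoop'

'deno.exe files:';         $denoFiles  | Format-List
'deno.exe processes:';     $denoProcs  | Format-List
'Run entries to review:';  $runEntries | Where-Object Review | Format-List Key, Name, Command
'Recent MSI installs:';    $msiEvents  | Format-List
'New AppData folders:';    $newDirs    | Format-Table -AutoSize
"Scoop directory present: $(Test-Path $scoopDir)"
```

Save the output alongside the installer filename, path, source URL, and download time so the findings can be matched to the download.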
This campaign sits in the same practical risk lane as recent fake-installer and repository-abuse stories. For more context, compare it with Gridinsoft coverage of Nimbus Manticore fake installers, fake Claude AI backdoor lures, and infostealer cleanup after game or mod downloads.
FAQ
Is GitHub or SourceForge unsafe?
No. The platforms are legitimate, but attackers can create convincing fake projects or abuse compromised accounts. Trust the software vendor and publisher history, not only the hosting domain.
What is DinDoor?
DinDoor is a Deno-based backdoor used as a loader and access tool. In this campaign it helps deliver additional malware, including a Deno-based RAT.
Should I delete Deno?
Only if you did not install it for legitimate development work. Unexpected Deno execution after a fake installer is a strong sign that the system needs malware triage.
A newer malspam example shows the same fake-download pattern: DesckVB RAT used an email attachment, redirect chain, ZIP file, and script loader before the remote-access payload ran.
For another recent example of trusted-looking utility downloads turning into a cleanup problem, see our CPU-Z and HWMonitor malware download guide, which focuses on the April 2026 CPUID compromise and what Windows users should check after exposure.
A similar fake-download pattern now appears around predictor and crypto-sniper tools; the Aviator Predictor malware analysis explains how staged stars, videos, and download counts can hide a clipboard clipper.
References
- Malwarebytes Threat Intelligence, “Fake software on GitHub and SourceForge distribute Deno RAT,” May 26, 2026.
- Hunt.io, “DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers,” April 2026.

