DinDoor's Caddy Problem: How One HTTP Header Exposed 20 Active C2 Servers

    Date: 04/27/2026

    Severity: High

    Summary

    DinDoor, a malware variant linked to the Tsundere botnet and associated with the Iranian APT group Seedworm (MuddyWater), leverages the Deno runtime to execute obfuscated JavaScript for command-and-control communication and victim fingerprinting. Delivered via MSI installers, it exploits gaps in monitoring for less commonly tracked runtimes. Analysis revealed that unique HTTP response characteristics could be used to identify active infrastructure, leading to the discovery of multiple C2 servers. The campaign highlights the growing abuse of trusted runtime environments and modular malware variants to evade detection and maintain persistent access.

    Indicators of Compromise (IOC) List

    Domains/URLs


    IP Addresses


    Hashes (SHA-256)

    7b793c54a927da36649eb62b9481d5bcf1e9220035d95bbfb85f44a6cc9541ae

    2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "grafana.healthydefinitetrunk.com" or url like "grafana.healthydefinitetrunk.com" or siteurl like "grafana.healthydefinitetrunk.com" or domainname like "annaionovna.com" or url like "annaionovna.com" or siteurl like "annaionovna.com" or domainname like "aeeracaspsl.site" or url like "aeeracaspsl.site" or siteurl like "aeeracaspsl.site" or domainname like "myspaeysoff.site" or url like "myspaeysoff.site" or siteurl like "myspaeysoff.site" or domainname like "agilemast3r.duckdns.org" or url like "agilemast3r.duckdns.org" or siteurl like "agilemast3r.duckdns.org" or domainname like "landmas.info" or url like "landmas.info" or siteurl like "landmas.info" or domainname like "ineracaspsl.site" or url like "ineracaspsl.site" or siteurl like "ineracaspsl.site" or domainname like "weaplink.com" or url like "weaplink.com" or siteurl like "weaplink.com" or domainname like "bandage.healthydefinitetrunk.com" or url like "bandage.healthydefinitetrunk.com" or siteurl like "bandage.healthydefinitetrunk.com" or domainname like "ilspaeysoff.site" or url like "ilspaeysoff.site" or siteurl like "ilspaeysoff.site" or domainname like "hngfbgfbfb.cyou" or url like "hngfbgfbfb.cyou" or siteurl like "hngfbgfbfb.cyou" or domainname like "playerdragonbike.com" or url like "playerdragonbike.com" or siteurl like "playerdragonbike.com" or domainname like "justtalken.com" or url like "justtalken.com" or siteurl like "justtalken.com" or domainname like "bitatits.surf" or url like "bitatits.surf" or siteurl like "bitatits.surf" or domainname like "generalnewlong.com" or siteurl like "generalnewlong.com" or url like "generalnewlong.com" or domainname like "surgery.healthydefinitetrunk.com" or siteurl like "surgery.healthydefinitetrunk.com" or url like "surgery.healthydefinitetrunk.com"

    Detection Query 2:

    dstipaddress IN ("199.91.220.142","199.217.99.189","45.135.180.200","193.233.82.43","199.91.220.216","146.19.254.84","178.104.137.180","138.124.240.76","138.124.240.77","192.109.200.151","2.26.117.169","140.82.18.48","193.24.123.25","178.16.52.191","85.192.27.152","45.151.106.88","2.27.122.16","209.99.189.170","185.218.19.117","194.48.141.192") or srcipaddress IN ("199.91.220.142","199.217.99.189","45.135.180.200","193.233.82.43","199.91.220.216","146.19.254.84","178.104.137.180","138.124.240.76","138.124.240.77","192.109.200.151","2.26.117.169","140.82.18.48","193.24.123.25","178.16.52.191","85.192.27.152","45.151.106.88","2.27.122.16","209.99.189.170","185.218.19.117","194.48.141.192")

    Detection Query 3:

    sha256hash IN ("2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5","7b793c54a927da36649eb62b9481d5bcf1e9220035d95bbfb85f44a6cc9541ae")
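    The three queries above, replayed as an added Python example (not code from the advisory or from Gurucul) over constructed log records so the matching can be unit-tested before it is deployed; the field names are taken from the queries, and the `like` operator is assumed to match the listed domain and any of its subdomains.

```python
# Added example (not the advisory's or Gurucul's code): replays the three TDIR queries as testable Python.
from urllib.parse import urlparse

# IOC values copied from the advisory's queries.
C2_DOMAINS = {
    "hngfbgfbfb.cyou", "bandage.healthydefinitetrunk.com", "generalnewlong.com",
    "grafana.healthydefinitetrunk.com", "surgery.healthydefinitetrunk.com",
    "agilemast3r.duckdns.org", "justtalken.com", "annaionovna.com", "weaplink.com",
    "playerdragonbike.com", "ilspaeysoff.site", "ineracaspsl.site", "landmas.info",
    "myspaeysoff.site", "aeeracaspsl.site", "bitatits.surf",
}
C2_IPS = {
    "138.124.240.76", "138.124.240.77", "140.82.18.48", "178.104.137.180",
    "192.109.200.151", "193.233.82.43", "194.48.141.192", "199.91.220.142",
    "199.91.220.216", "2.26.117.169", "2.27.122.16", "209.99.189.170",
    "45.135.180.200", "45.151.106.88", "178.16.52.191", "193.24.123.25",
    "199.217.99.189", "146.19.254.84", "185.218.19.117", "85.192.27.152",
}
C2_SHA256 = {
    "7b793c54a927da36649eb62b9481d5bcf1e9220035d95bbfb85f44a6cc9541ae",
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
}

def host_of(value):
    """Lower-cased hostname from either a bare host (optionally with port/path) or a full URL."""
    host = urlparse(value).hostname if "://" in value else value.split("/")[0].split(":")[0]
    return (host or "").lower().rstrip(".")

def is_c2_host(value):
    """Query 1: `like` is read as 'this domain or any subdomain of it' (assumption)."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def match_record(rec):
    """Return the sorted list of query numbers (1, 2, 3) that fire for one log record."""
    hits = set()
    if any(is_c2_host(rec[f]) for f in ("domainname", "url", "siteurl") if f in rec):
        hits.add(1)
    if any(rec.get(f) in C2_IPS for f in ("dstipaddress", "srcipaddress")):
        hits.add(2)
    if rec.get("sha256hash", "").lower() in C2_SHA256:  # EDR hashes are often upper-case
        hits.add(3)
    return sorted(hits)

# Constructed sample records (proxy, DNS, firewall, EDR), keyed by the field names the queries use.
SAMPLE_LOGS = [
    {"url": "https://grafana.healthydefinitetrunk.com/api/v1/beacon"},  # -> [1]
    {"domainname": "update.example.com"},                                # -> []
    {"srcipaddress": "10.0.0.5", "dstipaddress": "45.135.180.200"},      # -> [2]
    {"sha256hash": "7B793C54A927DA36649EB62B9481D5BCF1E9220035D95BBFB85F44A6CC9541AE"},  # -> [3]
]
```

    Running `[match_record(r) for r in SAMPLE_LOGS]` yields `[[1], [], [2], [3]]`; a record that carries both a C2 destination and a known hash would return `[2, 3]`.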

    Reference:

    https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis#Indicators_of_Compromise


    Tags

    Malware, Threat Actor, APT, Botnet, Iran, Obfuscation, MuddyWater, Exploit
