Deno Based RAT Deployed via Mailbombing and Microsoft Teams Vishing

Summary:

InfoGuard Labs documented a sophisticated social-engineering campaign in which threat actors used large-scale mailbombing to overwhelm employees, followed by Microsoft Teams voice-phishing (vishing) calls impersonating internal IT support. An employee was persuaded to download a malicious archive containing a modular Deno-based Remote Access Trojan (RAT). The malware used AWS CloudFront-hosted WebSocket command-and-control (C2) communications to execute commands, maintain persistence, and pivot within the network. The attack bypassed active endpoint detection, triggering alerts only during subsequent reconnaissance activities. This campaign forms part of a broader surge in Microsoft Teams-based social-engineering activity, with a significant increase in suspicious Teams messages targeting UAE and MENA organizations between May 2025 and May 2026.

Technical Description:

The Deno-based RAT is a four-component modular implant that exploits the Deno JavaScript runtime’s web APIs to build a microservice-like architecture on the infected host using local loopback HTTP servers. The launcher script starts three child Deno processes running simultaneously: a main backdoor module, a local proxy/tunnelling module, and an auxiliary helper module. The main backdoor connects to an AWS CloudFront-hosted WebSocket C2 endpoint, registers the victim's identity metadata (hostname, username, and operating system details), receives commands from the operator, and proxies traffic via local loopback HTTP APIs to the helper services.

Each module requests only the specific Deno permissions it requires (network, file system, or subprocess), effectively turning Deno’s permission model against the defender. Rather than acting as a security boundary, this split minimises the suspicious permission footprint any single process presents to detection tools and limits the impact if one component is flagged.

The proxy/tunnelling module exposes a local SOCKS5 or TCP proxy server on the loopback interface, allowing the attacker to route traffic through the victim’s internal network connection via the C2 WebSocket channel. This TCP tunnelling capability enables reconnaissance and lateral movement against internal resources that are not externally accessible, including internal web applications, RDP hosts, file shares, and Active Directory infrastructure.

The malicious archive file was named with a non-standard extension (patch09913.b) but was a valid Windows-extractable archive compatible with the Windows native tar utility, enabling it to bypass file-extension-based filtering at both the email and endpoint layers. The payload was delivered through a convincing fake self-service portal webpage that mimicked legitimate enterprise IT support workflows.

The CloudFront-hosted C2 infrastructure makes network-layer detection particularly difficult, as outbound HTTPS connections to CloudFront domains are common in enterprise environments and blend naturally into legitimate traffic baselines. InfoGuard Labs confirmed that an active EDR product was running on the compromised host but did not alert on the C2 channel or malware implant, detecting only downstream LDAP and certificate reconnaissance activity.

Delivery and Infection Chain:

The Deno RAT campaign operates across three simultaneous layers: email-channel disruption, voice-channel social engineering, and payload delivery through a fake web portal. Key confirmed TTPs observed during the documented intrusion are as follows:

  • The attacker floods the victim’s inbox with a high volume of spam, subscription confirmations, and password-reset emails. This creates immediate confusion and a sense of urgency, ensuring the victim is distracted when the attacker follows up with “help.”
  • A fake IT support actor uses a newly created Microsoft 365/Entra tenant and Microsoft Teams voice calls to impersonate internal helpdesk staff. The real-time audio interaction and familiar Teams interface significantly increase perceived legitimacy and victim trust.
  • The victim is directed to a convincing fake IT support portal that mimics enterprise helpdesk workflows. They are instructed to download and extract patch09913.b using the native Windows tar utility, helping the attacker bypass common file-type-based filtering controls.
  • The extracted files launch multiple Deno runtime processes. One establishes a WebSocket-based command-and-control connection via AWS CloudFront, another creates a SOCKS5 proxy for internal traffic tunnelling, and a helper module manages internal communication between components.
  • The proxy module enables attackers to route traffic into the internal network, supporting reconnaissance activities such as LDAP queries and system discovery. This access can be used for lateral movement and data exfiltration through the CloudFront-hosted C2 channel.

Technical Capabilities:

The Deno-based RAT is notable for abusing Deno’s permission model by splitting its functionality into multiple JavaScript modules, each requesting only minimal permissions such as network, file system, or subprocess access. This reduces suspicious permission patterns and helps evade detection by making each component appear benign in isolation.

For command-and-control, the malware uses AWS CloudFront, a widely trusted content delivery network. Because HTTPS traffic to CloudFront domains is common in enterprise environments, the malicious communications blend into legitimate network traffic. Carrying the channel over WebSockets on HTTPS further helps maintain persistent C2 sessions while mimicking standard web-application traffic.

Internally, the malware employs a loopback-based microservice architecture, where modules communicate through local HTTP APIs instead of traditional inter-process communication mechanisms. This design mirrors modern software engineering practices, making the malware’s internal structure less obvious to tools that rely on process-tree analysis or IPC monitoring.

The malware also includes TCP tunnelling capabilities, enabling attackers to route traffic through the infected machine into internal networks. In poorly segmented environments, this facilitates lateral movement and effectively turns a single compromised endpoint into a pivot point for broader network access.

Attribution and Evolution:

The Deno RAT campaign reported by InfoGuard Labs is not currently attributed to a specific threat actor. However, its mailbombing-followed-by-vishing-and-RAT-deployment pattern aligns with tactics observed in 2025–2026 campaigns linked to Black Basta affiliates and the Chaos ransomware ecosystem.

Similar Microsoft Teams-based social-engineering operations have been observed by eSentire, often leveraging disposable Microsoft 365 tenants, newly registered domains, and bulletproof hosting providers. Some infrastructure has been reused across multiple targets, suggesting shared tooling, services, or operator overlap.

Similar techniques have also been observed in espionage campaigns attributed to MuddyWater, indicating that Teams-based IT-support impersonation is now being leveraged by both cybercriminal and state-aligned actors. This makes it an actively evolving threat pattern rather than an activity associated with a single group.

Active Campaign and Geographic Spread:

Teams-based vishing campaigns are global in scope and target any organisation using Microsoft Teams with external communication enabled. eSentire recorded 1,540 suspicious external Teams messages across 172 environments over a 12-month period, demonstrating large-scale and geographically diverse activity.

A nearly eightfold spike in February 2026 suggests coordinated multi-operator campaigns. UAE and MENA organisations are within the potential target set due to widespread Microsoft Teams adoption and the presence of default external federation settings in many tenants.

Because these attacks rely on social engineering rather than technical exploitation, any user with external Teams access can be targeted regardless of location, industry, or security posture.

Conclusion:

The Deno RAT campaign combines common social-engineering techniques, including mailbombing and vishing, with a JavaScript-based malware framework leveraging the Deno runtime to evade EDR and network-based detection controls. This activity aligns with a broader trend of Microsoft Teams-based vishing campaigns.

eSentire recorded 1,540 suspicious external Teams messages across 172 environments in a single year, including a nearly eightfold increase during February 2026, indicating sustained and large-scale malicious activity. UAE and MENA organisations should treat unsolicited external Teams calls as high risk, restrict external Teams access wherever possible, and train employees to recognise mailbombing-and-vishing attack patterns.

Impact:

A successful Deno RAT deployment grants the attacker an interactive, authenticated foothold inside the corporate network via TCP tunnelling, enabling reconnaissance against Active Directory, credential harvesting from internal systems, lateral movement to additional hosts, and exfiltration of sensitive data. Because the implant and its C2 channel bypassed EDR in this campaign, the initial compromise may go undetected for an extended period if it is not caught at the social-engineering or network layer. For UAE and MENA organisations, a confirmed compromise via this vector could result in significant data exfiltration, business disruption, and potential progression to ransomware deployment or persistent espionage access. UAE PDPL breach-notification obligations and NCA ECC incident-reporting requirements apply to organisations experiencing confirmed intrusions. The identity-first nature of the attack, which exploits an employee’s trust rather than any software vulnerability, means there is no patch to apply; remediation rests entirely on defensive process and awareness.

IOC and Context Details:

Tactic Name: Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control
Technique Name: Mailbombing for Disruption, Microsoft Teams Vishing / IT Support Impersonation, Deno-based Modular Remote Access Trojan (RAT), TCP Tunneling for Internal Network Pivoting, CloudFront-hosted WebSocket Command and Control
Sub Technique Name: Mailbombing (inbox flooding) → Microsoft Teams vishing call from an IT support-themed external tenant → Victim redirected to a fake self-service portal → Download of patch09913.b archive → Deno launcher executes three child processes → WebSocket C2 established through an AWS CloudFront endpoint → TCP tunnel created for internal network pivoting → Active Directory reconnaissance, lateral movement, and data exfiltration.
Attack Type: Vulnerability
Targeted Applications: Microsoft Windows (Deno runtime host), Microsoft Teams (vishing delivery channel), Microsoft Defender (confirmed EDR bypass), AWS CloudFront (Command and Control hosting), Active Directory (post-exploitation reconnaissance target).
Region Impacted: Global
Industry Impacted: Enterprise and Government organizations, particularly environments with Microsoft Teams external federation enabled; including Technology, Financial Services, Legal, Government, and Healthcare sectors.
IOCs: N/A
CVE: N/A

Recommended Actions:

  • Restrict or disable external Microsoft Teams federation for inbound communications with unknown external organisations. In Microsoft Teams Admin Center, configure external access to allow only trusted partner domains rather than permitting all external organisations. This is the single most effective preventive control against the Teams-vishing initial access vector.
  • Deliver targeted user-awareness training specifically covering the mailbombing-then-vishing attack pattern. Train employees to recognise that a burst of inbox spam followed immediately by a Teams call offering assistance is a known attack sequence, not a coincidence. Establish a verified internal IT contact protocol requiring all support requests to be validated through approved internal channels before any remote access or file download is permitted.
  • Block the Deno runtime (deno.exe) from executing in corporate environments unless explicitly required for approved development workflows. Add Deno to application-control policies as a blocked executable for standard user endpoints. Review endpoint-security policies to ensure uncommon JavaScript runtime environments are subject to execution restrictions.
  • Configure Microsoft Teams to display prominent external-sender warnings and enforce ‘Block and Report’ functionality for users receiving unexpected external communications. Ensure Microsoft Teams First Contact warning banners are enabled and visible. Consider integrating Microsoft Defender for Office 365 with Teams to provide additional inline threat detection.
  • Implement web-proxy and DNS-filtering rules to alert on or block downloads of non-standard archive file extensions (such as .b, .dat, and .tmp) and monitor for archive extraction using the Windows native tar utility from user download directories, as this behaviour is uncommon in enterprise environments and represents a strong early indicator of compromise.
  • Monitor email telemetry for mailbombing indicators, such as large bursts of inbound subscription-confirmation, password-reset, or newsletter emails delivered to a single mailbox within a short period. Correlate these events with Microsoft Teams external-contact creation events (ChatCreated) occurring within the same timeframe, as this correlation represents a high-confidence indicator of a Teams-based vishing attempt.
  • Hunt for Deno-related process execution (deno.exe and child processes spawned by deno.exe) in endpoint telemetry, particularly when parent processes include browser or file-explorer activity, indicating user-initiated execution from a downloaded archive. Configure SIEM alerts for LDAP-enumeration activity or certificate-service queries originating from non-IT workstations, as these were among the earliest post-compromise indicators observed.
  • Establish and communicate a formal IT-support verification procedure. Legitimate helpdesk personnel should never request that employees download files from external portals or execute archives as part of a support workflow. Any such request, regardless of whether it arrives via Teams, email, or telephone, should be treated as a social-engineering attempt and reported immediately to the security team.
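The endpoint-hunting rules above (tar.exe extracting a non-standard archive from a download directory, and deno.exe launched from a browser or Explorer parent or spawning further deno.exe processes) as an added example, not code from the InfoGuard report. The event field names (pid, ppid, image, cmd) and the sample telemetry are constructed assumptions, not a vendor schema or the campaign's real command lines.

```python
# Added example: hunt over constructed Windows process-creation events for two of
# the advisory's indicators. Field names are assumptions, not a vendor schema.
import re

ODD_ARCHIVE_EXT = re.compile(r"\.(b|dat|tmp)\b", re.IGNORECASE)
DOWNLOAD_DIR = re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE)
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry; the Deno flags are real permission switches but the
# command lines are illustrative, not those observed in the campaign.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": "tar.exe",
     "cmd": r"tar.exe -xf C:\Users\alice\Downloads\patch09913.b"},
    {"pid": 400, "ppid": 100, "image": "deno.exe",
     "cmd": r"deno.exe run --allow-run C:\Users\alice\Downloads\launcher.js"},
    {"pid": 401, "ppid": 400, "image": "deno.exe", "cmd": "deno.exe run --allow-net main.js"},
    {"pid": 402, "ppid": 400, "image": "deno.exe", "cmd": "deno.exe run --allow-net proxy.js"},
    {"pid": 500, "ppid": 1, "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    # Benign: a build agent extracting an ordinary tarball outside any Downloads folder.
    {"pid": 600, "ppid": 1, "image": "tar.exe", "cmd": r"tar.exe -xf C:\Builds\ci\src.tar"},
]


def hunt(events):
    """Return (pid, rule) pairs for events matching the advisory's hunting rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        # Rule 1: native tar.exe extracting an oddly named archive from a Downloads folder.
        if image == "tar.exe" and DOWNLOAD_DIR.search(e["cmd"]) and ODD_ARCHIVE_EXT.search(e["cmd"]):
            findings.append((e["pid"], "tar_extract_odd_archive_from_downloads"))
        # Rule 2: Deno runtime started by a user-facing parent (browser or Explorer).
        elif image == "deno.exe" and parent_image in USER_PARENTS:
            findings.append((e["pid"], "deno_launched_from_user_parent"))
        # Rule 3: Deno spawning Deno, the launcher-plus-modules shape described above.
        elif image == "deno.exe" and parent_image == "deno.exe":
            findings.append((e["pid"], "deno_child_of_deno"))
    return findings


if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(f"pid {pid}: {rule}")
```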
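The mail-telemetry correlation recommended above (a burst of subscription-confirmation or password-reset mail to one mailbox, followed by a Teams ChatCreated event for the same user) as an added example, not code from the InfoGuard or eSentire write-ups. The record shapes, the "external" flag and the thresholds are assumptions chosen for illustration; every event is constructed.

```python
# Added example: correlate a mailbombing burst against one mailbox with a Teams
# ChatCreated audit record for the same user shortly afterwards. Record shapes,
# the "external" flag and all thresholds are assumptions; all events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 50                     # themed inbound mails to one mailbox ...
BURST_WINDOW = timedelta(minutes=10)     # ... arriving within this window
FOLLOWUP_WINDOW = timedelta(minutes=90)  # ChatCreated must follow the burst start within this
THEMES = ("confirm your subscription", "password reset", "newsletter", "verify your email")

t0 = datetime.fromisoformat("2026-02-10T09:00:00")
# Constructed: 60 subscription-confirmation mails reach alice in five minutes; bob gets one.
MAIL = [{"mailbox": "alice@example.test", "time": t0 + timedelta(seconds=5 * i),
         "subject": f"Confirm your subscription to list {i}"} for i in range(60)]
MAIL.append({"mailbox": "bob@example.test", "time": t0 + timedelta(minutes=1),
             "subject": "Quarterly newsletter"})
# Constructed Teams audit records: an external-tenant chat to alice 45 minutes after the
# burst begins, and an internal chat to bob that must not fire.
TEAMS = [
    {"op": "ChatCreated", "user": "alice@example.test", "time": t0 + timedelta(minutes=45), "external": True},
    {"op": "ChatCreated", "user": "bob@example.test", "time": t0 + timedelta(minutes=10), "external": False},
]


def mail_bursts(mail):
    """Map mailbox -> burst start for mailboxes receiving >= BURST_THRESHOLD themed mails in BURST_WINDOW."""
    per_box = defaultdict(list)
    for m in mail:
        if any(theme in m["subject"].lower() for theme in THEMES):
            per_box[m["mailbox"]].append(m["time"])
    bursts = {}
    for box, times in per_box.items():
        times.sort()
        # Slide a window of BURST_THRESHOLD arrivals over the sorted timestamps.
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                bursts[box] = times[i]
                break
    return bursts


def correlate(mail, teams):
    """Return (user, chat time) pairs where an external ChatCreated follows a mail burst."""
    bursts = mail_bursts(mail)
    hits = []
    for ev in teams:
        start = bursts.get(ev["user"])
        if (ev["op"] == "ChatCreated" and ev["external"] and start is not None
                and start <= ev["time"] <= start + FOLLOWUP_WINDOW):
            hits.append((ev["user"], ev["time"].isoformat()))
    return hits
```

Thresholds should be tuned against the organisation's own baseline before alerting; a mailbox that legitimately receives bulk mail will otherwise produce noise.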

Reference:

https://labs.infoguard.ch/posts/anatomy_deno_rat/

https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat

https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/

https://gbhackers.com/microsoft-teams-phishing-surge/