InfoGuard Labs documented a sophisticated social-engineering campaign in which threat actors used large-scale mailbombing to overwhelm employees, followed by Microsoft Teams voice-phishing (vishing) calls impersonating internal IT support. An employee was persuaded to download a malicious archive containing a modular Deno-based Remote Access Trojan (RAT). The malware used AWS CloudFront-hosted WebSocket command-and-control (C2) communications to execute commands, maintain persistence, and pivot within the network. The attack bypassed active endpoint detection, triggering alerts only during subsequent reconnaissance activities. This campaign forms part of a broader surge in Microsoft Teams-based social-engineering activity, with a significant increase in suspicious Teams messages targeting UAE and MENA organizations between May 2025 and May 2026.
The Deno-based RAT is a four-component modular implant that uses the Deno JavaScript runtime's built-in web-standard APIs (WebSocket client, HTTP server) to build a microservice-like architecture on the infected host out of local loopback HTTP servers. The launcher script starts three child Deno processes that run simultaneously: a main backdoor module, a local proxy/tunnelling module, and an auxiliary helper module. The main backdoor connects to an AWS CloudFront-hosted WebSocket C2 endpoint, registers the victim's identity metadata (hostname, username, and operating system details), receives commands from the operator, and relays them to the helper services over local loopback HTTP APIs.
Each module is launched with only the Deno permission flags it needs (network, file system, or subprocess), which turns Deno's permission model, designed to contain untrusted code, into an evasion aid. No single process carries the full read-write-network-execute profile that detection logic associates with a RAT, each component looks plausible in isolation, and flagging or killing one of them leaves the others running.
The proxy/tunnelling module exposes a local SOCKS5 or TCP proxy server on the loopback interface, allowing the attacker to route traffic through the victim’s internal network connection via the C2 WebSocket channel. This TCP tunnelling capability enables reconnaissance and lateral movement against internal resources that are not externally accessible, including internal web applications, RDP hosts, file shares, and Active Directory infrastructure.
The malicious archive was named with a non-standard extension (patch09913.b), but its contents were a valid archive that the Windows native tar utility extracts without complaint. Windows 10 (from version 1803) and Windows 11 ship tar.exe, a build of libarchive's bsdtar, which identifies the archive format from the file's bytes rather than from its name, so renaming the file defeats extension-based filtering at both the email gateway and the endpoint without affecting extraction. The payload was delivered through a convincing fake self-service portal webpage that mimicked legitimate enterprise IT support workflows.
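The practical consequence of the renamed archive is that a filter has to look at bytes, not names. The following is an added example (not code from the InfoGuard report) that identifies an archive the way bsdtar does: by magic bytes for zip, gzip and 7z, and for ustar by the tag at offset 257 plus a verified header checksum, so a stray "ustar" string in random data is not enough. The header builder exists only to construct test input; the file names passed to it are placeholders.

```typescript
// Added example, not code from the InfoGuard report: identify an archive by
// its bytes, the way Windows' built-in tar.exe (libarchive bsdtar) does, so
// that a file named patch09913.b is still recognised as an archive.

type ArchiveKind = "tar" | "zip" | "gzip" | "7z" | "unknown";

function bytesOf(s: string): number[] {
  const out: number[] = [];
  for (let i = 0; i < s.length; i++) out.push(s.charCodeAt(i) & 0xff);
  return out;
}

function startsWithBytes(data: Uint8Array, magic: number[]): boolean {
  if (data.length < magic.length) return false;
  for (let i = 0; i < magic.length; i++) if (data[i] !== magic[i]) return false;
  return true;
}

// Sum of the 512 header bytes with the 8-byte checksum field (offset 148)
// counted as ASCII spaces, as POSIX ustar specifies.
function ustarChecksum(block: Uint8Array): number {
  let sum = 0;
  for (let i = 0; i < 512; i++) sum += (i >= 148 && i < 156) ? 0x20 : block[i];
  return sum;
}

function sniffArchive(data: Uint8Array): ArchiveKind {
  if (startsWithBytes(data, [0x50, 0x4b, 0x03, 0x04])) return "zip";            // "PK\x03\x04"
  if (startsWithBytes(data, [0x1f, 0x8b])) return "gzip";
  if (startsWithBytes(data, [0x37, 0x7a, 0xbc, 0xaf, 0x27, 0x1c])) return "7z";  // "7z\xBC\xAF\x27\x1C"
  if (data.length >= 512) {
    // ustar has no magic at offset 0: check the "ustar" tag at 257 and verify
    // the header checksum so random data containing "ustar" is not accepted.
    const magic = String.fromCharCode(data[257], data[258], data[259], data[260], data[261]);
    let field = "";
    for (let i = 148; i < 156; i++) field += String.fromCharCode(data[i]);
    const stored = parseInt(field, 8);  // parseInt stops at the trailing NUL/space
    if (magic === "ustar" && stored === ustarChecksum(data)) return "tar";
  }
  return "unknown";
}

// Build a valid ustar header for an empty regular file. Used only to
// construct test input here; a real tar written by bsdtar has the same layout.
function buildUstarHeader(name: string): Uint8Array {
  const block = new Uint8Array(512);
  const put = (offset: number, text: string): void => {
    const b = bytesOf(text);
    for (let i = 0; i < b.length; i++) block[offset + i] = b[i];
  };
  put(0, name);                // file name
  put(100, "0000644\0");       // mode
  put(108, "0000000\0");       // uid
  put(116, "0000000\0");       // gid
  put(124, "00000000000\0");   // size: zero bytes
  put(136, "00000000000\0");   // mtime
  block[156] = 0x30;           // typeflag '0' = regular file
  put(257, "ustar\0");         // magic
  put(263, "00");              // version
  let sum = ustarChecksum(block).toString(8);
  while (sum.length < 6) sum = "0" + sum;
  put(148, sum + "\0 ");       // checksum: 6 octal digits, NUL, space
  return block;
}

// Same bytes under a lure name: the verdict depends on content, not extension.
const lure = buildUstarHeader("patch09913.b");
const verdict = sniffArchive(lure);   // "tar"
```

A mail gateway or endpoint rule built on this check treats patch09913.b exactly like patch09913.tar; the extension is never consulted. The checksum verification is what keeps the tar branch from matching arbitrary binaries, since "ustar" is a short string that can occur by accident.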
The CloudFront-hosted C2 infrastructure makes network-layer detection particularly difficult, as outbound HTTPS connections to CloudFront domains are common in enterprise environments and blend naturally into legitimate traffic baselines. InfoGuard Labs confirmed that an active EDR product was running on the compromised host but did not alert on the C2 channel or malware implant, detecting only downstream LDAP and certificate reconnaissance activity.
Delivery and Infection Chain:
The Deno RAT campaign operates across three simultaneous layers: email-channel disruption, voice-channel social engineering, and payload delivery through a fake web portal. Key confirmed TTPs observed during the documented intrusion are as follows:
Technical Capabilities:
The Deno-based RAT is notable for abusing Deno’s permission model by splitting its functionality into multiple JavaScript modules, each requesting only minimal permissions such as network, file system, or subprocess access. This reduces suspicious permission patterns and helps evade detection by making each component appear benign in isolation.
For command-and-control, the malware uses AWS CloudFront, a widely trusted content delivery network commonly used in enterprise environments. Because HTTPS traffic to CloudFront domains is common in enterprise environments, malicious communications can blend into legitimate network traffic. The use of WebSockets over HTTPS further helps maintain persistent C2 sessions while mimicking standard web application traffic.
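CloudFront cannot be blocked wholesale, so the useful network signal is the combination the text describes: a WebSocket session to a raw *.cloudfront.net distribution hostname, held open for hours, from a process that is not a browser. The following added example (not the report's code) scores constructed egress records for exactly that combination. The record schema (process, dstHost, upgrade, durationSec), the distribution names and the endpoint names are assumptions made up for the example; the process attribution would in practice come from host firewall or EDR network telemetry, since a proxy log alone does not carry it.

```typescript
// Added example, not code from the InfoGuard report: score egress records for
// a long-lived WebSocket to a raw *.cloudfront.net hostname opened by a
// non-browser process. Records and field names are constructed for the example.

interface EgressRecord {
  ts: string;          // connection start, ISO 8601
  host: string;        // endpoint that opened the connection
  process: string;     // image name attributed by host firewall / EDR telemetry
  dstHost: string;     // TLS SNI or HTTP Host
  upgrade: string;     // "websocket" when an HTTP Upgrade header was seen, else ""
  durationSec: number;
}

interface Verdict { record: EgressRecord; score: number; reasons: string[] }

// Processes expected to talk to a CDN directly; anything else earns points.
const BROWSERS = ["chrome.exe", "msedge.exe", "firefox.exe", "msteams.exe"];

function isRawCloudFront(h: string): boolean {
  // Raw distribution names end in .cloudfront.net; customer CNAMEs do not.
  return /\.cloudfront\.net$/i.test(h);
}

function scoreRecord(r: EgressRecord): Verdict {
  const reasons: string[] = [];
  let score = 0;
  if (isRawCloudFront(r.dstHost)) { score += 1; reasons.push("raw cloudfront.net hostname"); }
  if (r.upgrade.toLowerCase() === "websocket") { score += 2; reasons.push("WebSocket upgrade"); }
  if (BROWSERS.indexOf(r.process.toLowerCase()) === -1) { score += 2; reasons.push("non-browser process " + r.process); }
  if (r.durationSec >= 3600) { score += 2; reasons.push("session open " + Math.round(r.durationSec / 3600) + "h"); }
  return { record: r, score: score, reasons: reasons };
}

// Only CloudFront destinations are returned; the scoring alone would also
// flag long WebSockets elsewhere, which is a different hunt.
function suspiciousCloudFrontSessions(records: EgressRecord[], threshold = 5): Verdict[] {
  return records
    .map(scoreRecord)
    .filter(v => v.score >= threshold && isRawCloudFront(v.record.dstHost))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample: one C2-like session, one short C2-like session, a
// browser asset fetch, a browser WebSocket, a scripted WebSocket, and a
// long internal WebSocket that is not CloudFront at all.
const SAMPLE: EgressRecord[] = [
  { ts: "2026-02-10T09:02:11Z", host: "WS-0417", process: "deno.exe",       dstHost: "d-example-1.cloudfront.net", upgrade: "websocket", durationSec: 5 * 3600 },
  { ts: "2026-02-10T09:05:40Z", host: "WS-0417", process: "chrome.exe",     dstHost: "d-example-2.cloudfront.net", upgrade: "",          durationSec: 3 },
  { ts: "2026-02-10T09:10:02Z", host: "WS-0422", process: "msedge.exe",     dstHost: "d-example-3.cloudfront.net", upgrade: "websocket", durationSec: 900 },
  { ts: "2026-02-10T09:14:55Z", host: "WS-0431", process: "powershell.exe", dstHost: "d-example-4.cloudfront.net", upgrade: "websocket", durationSec: 2 * 3600 },
  { ts: "2026-02-10T14:02:11Z", host: "WS-0417", process: "deno.exe",       dstHost: "d-example-1.cloudfront.net", upgrade: "websocket", durationSec: 40 },
  { ts: "2026-02-10T09:20:00Z", host: "WS-0440", process: "node.exe",       dstHost: "ws.internal-app.example",     upgrade: "websocket", durationSec: 6 * 3600 },
];

const flaggedSessions = suspiciousCloudFrontSessions(SAMPLE);  // three verdicts, top score 7
```

The weights are a starting point, not a calibrated model: the point is that none of the four signals is actionable alone (plenty of legitimate software uses WebSockets, plenty of it reaches CloudFront), but a non-browser process keeping a WebSocket open to a bare distribution hostname for hours is rare enough to review. Running it per endpoint rather than per connection also surfaces reconnection patterns after the session drops.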
Internally, the malware employs a loopback-based microservice architecture, where modules communicate through local HTTP APIs instead of traditional inter-process communication mechanisms. This design mirrors modern software engineering practices, making the malware's internal structure less obvious to tools that rely on process-tree analysis or IPC monitoring. The trade-off for the attacker is that the modules still have to listen on and connect to loopback ports, which is visible in local socket telemetry (Sysmon network events, host firewall logs) even when the parent-child relationship looks unremarkable.
The malware also includes TCP tunnelling capabilities, enabling attackers to route traffic through the infected machine into internal networks. In poorly segmented environments, this facilitates lateral movement and effectively turns a single compromised endpoint into a pivot point for broader network access.
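The launcher pattern described in the overview and in this section (one Deno process spawning several Deno children, each with a different narrow --allow-* set, one of them allowed to reach both loopback ports and an external host) is something process-creation telemetry can be searched for directly. The following added example (not the report's code) does that over constructed Sysmon-style events. The flag syntax is Deno's real CLI syntax (--allow-net with an optional host list, --allow-read, --allow-write, --allow-run, -A); the paths, script names, PIDs and the CloudFront hostname are placeholders invented for the example, and the benign rows exist to show what does not match.

```typescript
// Added example, not code from the InfoGuard report: find a Deno parent whose
// Deno children split permissions between them. Events are constructed; paths,
// script names and the cloudfront.net hostname are placeholders.

interface ProcEvent { pid: number; ppid: number; image: string; cmdline: string }

interface DenoPerms { all: boolean; net: string[]; read: boolean; write: boolean; run: boolean }

interface Finding { parentPid: number; childPids: number[]; reasons: string[] }

function isDeno(e: ProcEvent): boolean {
  return /(^|[\\/])deno(\.exe)?$/i.test(e.image);
}

// Deno's CLI flags: --allow-net[=host,...], --allow-read[=path], --allow-write[=path],
// --allow-run[=cmd], and -A / --allow-all. Only presence and the net allow-list matter here.
function parseDenoPermissions(cmdline: string): DenoPerms {
  const p: DenoPerms = { all: false, net: [], read: false, write: false, run: false };
  const toks = cmdline.split(/\s+/);
  for (let i = 0; i < toks.length; i++) {
    const t = toks[i];
    if (t === "-A" || t === "--allow-all") p.all = true;
    else if (t.indexOf("--allow-net") === 0) p.net = t.indexOf("=") > 0 ? t.substring(t.indexOf("=") + 1).split(",") : ["*"];
    else if (t.indexOf("--allow-read") === 0) p.read = true;
    else if (t.indexOf("--allow-write") === 0) p.write = true;
    else if (t.indexOf("--allow-run") === 0) p.run = true;
  }
  return p;
}

// Collapse flags into three coarse capabilities: subprocess, file system, network.
function capabilities(p: DenoPerms): string[] {
  if (p.all) return ["exec", "fs", "net"];
  const c: string[] = [];
  if (p.run) c.push("exec");
  if (p.read || p.write) c.push("fs");
  if (p.net.length) c.push("net");
  return c;
}

function findSplitPermissionTrees(events: ProcEvent[]): Finding[] {
  const findings: Finding[] = [];
  for (const parent of events) {
    if (!isDeno(parent)) continue;
    const children = events.filter(e => e.ppid === parent.pid && isDeno(e));
    if (children.length < 2) continue;
    const perms = children.map(c => parseDenoPermissions(c.cmdline));
    const caps = perms.map(capabilities);
    const reasons: string[] = [];
    // 1. The split itself: no child asks for everything, and they do not all share one profile.
    const profiles = caps.map(c => c.slice().sort().join("+"));
    const distinct = profiles.filter((v, i) => profiles.indexOf(v) === i);
    if (distinct.length >= 2 && !perms.some(p => p.all))
      reasons.push(children.length + " Deno children with differing permission sets: " + distinct.join(" | "));
    // 2. Taken together the children cover at least two of exec / fs / net.
    const union: string[] = [];
    caps.forEach(c => c.forEach(x => { if (union.indexOf(x) === -1) union.push(x); }));
    if (union.length >= 2) reasons.push("combined capabilities across children: " + union.sort().join(", "));
    // 3. A loopback allow-list next to an external host: local microservices plus a C2.
    let hosts: string[] = [];
    perms.forEach(p => { hosts = hosts.concat(p.net); });
    const loopback = hosts.filter(h => /^(127\.|localhost|\[?::1)/.test(h));
    const external = hosts.filter(h => h !== "*" && loopback.indexOf(h) === -1);
    if (loopback.length && external.length)
      reasons.push("loopback allow-list " + loopback.join(",") + " alongside external " + external.join(","));
    if (reasons.length >= 2) findings.push({ parentPid: parent.pid, childPids: children.map(c => c.pid), reasons: reasons });
  }
  return findings;
}

const LURE_DENO = "C:\\Users\\u\\AppData\\Local\\patch\\deno.exe";   // placeholder path
const DEV_DENO = "C:\\Users\\u\\.deno\\bin\\deno.exe";                // placeholder path

const SAMPLE: ProcEvent[] = [
  { pid: 1100, ppid: 900,  image: "C:\\Windows\\explorer.exe", cmdline: "explorer.exe" },
  // Constructed launcher tree modelled on the description in the text.
  { pid: 2200, ppid: 1100, image: LURE_DENO, cmdline: "deno.exe run --allow-run --allow-read launcher.js" },
  { pid: 2201, ppid: 2200, image: LURE_DENO, cmdline: "deno.exe run --allow-net=127.0.0.1:41001,127.0.0.1:41002,d-example-1.cloudfront.net main.js" },
  { pid: 2202, ppid: 2200, image: LURE_DENO, cmdline: "deno.exe run --allow-net=127.0.0.1:41001 proxy.js" },
  { pid: 2203, ppid: 2200, image: LURE_DENO, cmdline: "deno.exe run --allow-net=127.0.0.1:41002 --allow-run --allow-write helper.js" },
  // Developer activity: one process with all permissions and no Deno children.
  { pid: 3300, ppid: 1100, image: DEV_DENO, cmdline: "deno.exe run -A dev-server.ts" },
  // A task runner spawning two identical test workers: same profile, no loopback/external split.
  { pid: 4400, ppid: 1100, image: DEV_DENO, cmdline: "deno.exe task test" },
  { pid: 4401, ppid: 4400, image: DEV_DENO, cmdline: "deno.exe test --allow-read" },
  { pid: 4402, ppid: 4400, image: DEV_DENO, cmdline: "deno.exe test --allow-read" },
];

const findings = findSplitPermissionTrees(SAMPLE);   // one finding, parent pid 2200
```

Two of the three reasons have to fire before a tree is reported, which keeps ordinary Deno workloads (one process with -A, or a task runner with identical workers) out of the results. The same logic runs unchanged over Sysmon event ID 1 or any EDR process feed that exposes parent PID, image path and command line; the only adaptation is mapping those field names onto ProcEvent.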
Attribution and Evolution:
The Deno RAT campaign reported by InfoGuard Labs is not currently attributed to a specific threat actor. However, its mailbombing-followed-by-vishing-and-RAT-deployment pattern aligns with tactics observed in 2025–2026 campaigns linked to Black Basta affiliates and the Chaos ransomware ecosystem.
Similar Microsoft Teams-based social-engineering operations have been observed by eSentire, often leveraging disposable Microsoft 365 tenants, newly registered domains, and bulletproof hosting providers. Some infrastructure has been reused across multiple targets, suggesting shared tooling, services, or operator overlap.
Similar techniques have also been observed in espionage campaigns attributed to MuddyWater, indicating that Teams-based IT-support impersonation is now being leveraged by both cybercriminal and state-aligned actors. This makes it an actively evolving threat pattern rather than an activity associated with a single group.
Active Campaign and Geographic Spread:
Teams-based vishing campaigns are global in scope and target any organisation using Microsoft Teams with external communication enabled. eSentire recorded 1,540 suspicious external Teams messages across 172 environments over a 12-month period, demonstrating large-scale and geographically diverse activity.
A nearly eightfold spike in February 2026 suggests coordinated multi-operator campaigns. UAE and MENA organisations are within the potential target set due to widespread Microsoft Teams adoption and the presence of default external federation settings in many tenants.
Because these attacks rely on social engineering rather than on technical exploitation, any user reachable over external Teams can be targeted regardless of location or industry; the one configuration change that removes the exposure is restricting external Teams access, which is why it is the first recommendation below.
Conclusion:
The Deno RAT campaign combines common social-engineering techniques, including mailbombing and vishing, with a JavaScript-based malware framework leveraging the Deno runtime to evade EDR and network-based detection controls. This activity aligns with a broader trend of Microsoft Teams-based vishing campaigns.
eSentire recorded 1,540 suspicious external Teams messages across 172 environments in a single year, including a nearly eightfold increase during February 2026, indicating sustained and large-scale malicious activity. UAE and MENA organisations should treat unsolicited external Teams calls as high risk, restrict external Teams access wherever possible, and train employees to recognise mailbombing-and-vishing attack patterns.
A successful Deno RAT deployment gives the attacker an interactive foothold inside the corporate network with the compromised user's network position, via TCP tunnelling, enabling reconnaissance against Active Directory, credential harvesting from internal systems, lateral movement to additional hosts, and exfiltration of sensitive data. Because the EDR on the documented host did not alert on the implant or its C2 channel, the initial compromise may go undetected for an extended period if it is not caught at the social-engineering or network layer. For UAE and MENA organisations, a confirmed compromise via this campaign vector could result in significant data exfiltration, business disruption, and progression to ransomware deployment or persistent espionage access. UAE PDPL breach notification obligations apply to UAE organisations experiencing confirmed intrusions, and the incident reporting requirements of Saudi Arabia's NCA Essential Cybersecurity Controls (ECC) to in-scope Saudi organisations. The identity-first nature of this attack, which exploits an employee's trust rather than a software vulnerability, means no vendor patch closes it; the controls are tenant configuration (restricting external Teams access), application control and egress monitoring on the endpoint, and user awareness of the mailbombing-then-vishing pattern.