Connects to any signal across any vendor stack and powers adaptive AI Operatives that expose, detect, and neutralize cyberattacks.
Atlas Operations CenterSee what our SOC sees, review investigations, and see how we are protecting your business.
Technology IntegrationsAtlas connects to any signal across your current security tools. Whatever you're running, we're running with you.
Extend your team with immediate expertise, hands-on remediation, and the human accountability layer that boards, regulators, and cyber insurers require.
Threat Response UnitProactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Response and RemediationPairs machine-speed containment with human judgment, delivering full threat response that's policy-bounded, reversible, and explainable.
MDR that moves first, multi-signal attack surface coverage, and 24/7 Elite threat hunters working as one continuous security program across any vendor stack.
Get unlimited Incident Response with threat suppression guarantee- anytime, anywhere.
Atlas Preempt deploys AI Operatives to continuously validate attack paths exposing attacker targets of opportunity before they take advantage.
Flexible MDR pricing and packages that fit your unique security requirements.
Entry level foundational MDR coverage
Comprehensive Next Level eSentire MDR
Next Level eSentire MDR with Cyber Risk Advisors to continuously advance your security program
Stop ransomware before it spreads.
Identity ResponseStop identity-based cyberattacks.
Zero Day AttacksDetect and respond to zero-day exploits.
Cybersecurity ComplianceMeet regulatory compliance mandates.
Third-Party RiskDefend third-party and supply chain risk.
Cloud MisconfigurationEnd misconfigurations and policy violations.
Cyber RiskAdopt a risk-based security approach.
Mid-Market SecurityMid-market security essentials to prioritize.
Sensitive Data SecurityProtect your most sensitive data.
Cyber InsuranceMeet insurability requirements with MDR.
Cyber Threat IntelligenceOperationalize cyber threat intelligence.
Security LeadershipBuild a proven security program.
On July 14th, 2026, SonicWall disclosed two zero-day vulnerabilities impacting its Secure Mobile Access (SMA) 1000 series firewalls. The first vulnerability is CVE-2026-15409 (CVSS: 10), a…
On July 1st, 2026, security researchers reported active exploitation of the Citrix NetScaler vulnerability CVE-2026-8451, having observed a threat actor successfully deliver the exploit…
eSentire is a leader in Controlled Autonomy SecOps, protecting 2,000+ organizations across 35+ industries around the world. Founded in 2001, the company’s Controlled Autonomy SecOps operating model pairs agentic AI operatives with engineered human-judgment controls, delivering expert-depth security outcomes at machine speed without ceding accountability to opaque automation.
About Us Leadership Careers Event Calendar → Newsroom → Aston Villa Football Club →We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Search our site
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
We offer three flexible MDR pricing packages that can be customized to your unique needs.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
In June 2026, eSentire's Threat Response Unit (TRU) disrupted a malicious ClickFix-style command in a Finance customer's environment. Further investigation found that the command installs DinDoor, a Deno-based loader, DenoRAT, a Deno-based Remote Access Trojan (RAT), and NightshadeC2, a sophisticated RAT and information stealer associated with TAG-150, a threat group active since March 2025.
The ClickFix command used in this attack is shown in the code snippet below. It is responsible for downloading and executing a Microsoft Installer (MSI) file that begins the infection process, ultimately leading to DinDoor, DenoRAT, and NightshadeC2.
The attack chain begins with a ClickFix-style social engineering lure that convinces the user to run a command from the Windows Run prompt. This leads to an MSI file being downloaded and executed, which writes and launches Griffin20.ps1. Griffin20.ps1 is an AI-generated PowerShell stage whose role is to ensure the Deno runtime is installed and launch Deno to retrieve and execute the next-stage launcher, DinDoor. DinDoor then leads to a stager, followed by DenoRAT, which ultimately loads NightshadeC2.

SHA256: 4ac3e1ecd2c4745f2e846ec7655b92234ee92068bffc7690c3f0184dc25c71da
This stage was likely AI-generated and is written to disk and executed by the MSI file shown in the attack diagram above. Its purpose is to install or locate Deno, then use it to fetch and run the next-stage (DinDoor).
The script first sets PowerShell's execution policy to RemoteSigned and adds the Scoop shims directory, %USERPROFILE%\scoop\shims, to PATH. If winget is missing, it installs Scoop if needed, then uses Scoop to install winget. It then attempts to install Deno with winget.
After installation, the script searches common paths for deno.exe. If Deno is not found, it falls back to installing Deno with Scoop. Once Deno is available, the script runs it with full permissions using deno run -A to fetch and execute the remote launcher:

The figure below shows the final section of Griffin20.ps1, where deno.exe is launched from its resolved absolute path. The script also includes likely AI-generated comments that provide insight into how the threat actor's backend generates stages, matching /v02<BUILD_ID>.js.

SHA256: ece42baaca7524460cc5ffc9ae94c2a634a67610decdd2bdc8f134c36fa2dd6c
DinDoor, also known internally as "launcher-1", is a tiny eval-loop that fetches launcher-2, which is responsible for C2 registration, persistence, and loading DenoRAT. It sends an asynchronous request to the C2 server, in this case, webstizkgao[.]com and executes the returned response (DenoRAT stager) via the eval() function.

SHA256: 7682e9ac86ff47cc198812719ca54e169c3cb21ce584ad2a278a640f4833de46
The DenoRAT stager, also known internally as, "launcher-2" is obfuscated via Obfuscator.io and is responsible for: establishing persistence, registering the infected host with the C2, and fetching/executing DenoRAT.
Persistence is established by fetching DinDoor (launcher-1) from the C2, writing it to disk, and creating a new registry value in the HKCU Run key through the following PowerShell command:

The figure below illustrates the GET request responsible for retrieving the DinDoor script (the same script covered in the previous section) that is written to disk and persisted with the aforementioned PowerShell command.

The annotated figure below illustrates communication with the C2, beginning with a GET request to the /user endpoint that includes a hard-coded JSON Web Token (JWT) for authorization purposes, along with the victim's username and hostname. The C2 then responds with an identifier used to retrieve the "main" payload (DenoRAT).

During the registration request to the C2, the script sends the following hard-coded JWT. Several fields within the token contain campaign-specific identifiers, likely used by the threat actors for campaign tracking in addition to authorization.
SHA256: 3dffe05d9cc49b2598d743301a8991965056d97bb8d429de461ed66c0dbde28b
DenoRAT, also known as "main" internally, is a sophisticated Remote Access Trojan (RAT) and information stealer comprised of more than 10,000 lines of Deno-JavaScript based code. It is often obfuscated using Obfuscator.io, a free JavaScript obfuscation service commonly abused by threat actors. Its low-level functionality is facilitated by Deno's Foreign Function Interface (FFI), which enables it to call user-mode Windows APIs from DLLs including kernel32.dll, user32.dll, and others.
DenoRAT supports both WebSocket and HTTP polling for communication with its C2 server. In this instance, DenoRAT uses HTTP, with the supported endpoints listed in the table below. Note, the /user endpoint is used specifically by the layer-2 stager, rather than by DenoRAT itself.
The figure below shows the C2's response with tasks for DenoRAT after it sends a GET request to the /message-event endpoint. Notably, the ps-exec task contains PowerShell that loads a Python-based shellcode loader that ultimately executes NightshadeC2. This script is covered in detail in the Loader section later in this blog.

To provide additional network-level context, the figure below shows the full PCAP view of the GET request and corresponding C2 response, including the tasks returned for processing.

In the next figure, the request/response is shown in DenoRAT's handling of the sysinfo task, where a comprehensive list of the victim's host information is transmitted to the C2 via POST request to the /message-event endpoint.

Task types handled by DenoRAT are described in the table below.
Similarly to the prior stage (launcher-2), a hard-coded JWT is transmitted in requests to the C2 for communication authorization purposes. It is almost identical to the token used in the previous stage, except the userNote field is absent and the iat / exp fields differ.
Although TRU did not observe this behavior, DenoRAT contains functionality to inject a C2-supplied DLL into Chromium-based browser processes to support App-Bound Encryption (ABE) bypass. Notably, the final payload in this attack was intended to deliver NightshadeC2, a fully featured stealer that handles ABE decryption itself, making this DenoRAT feature unnecessary in this instance.
To prepare for injection, it enumerates running processes matching the browser list below using the Windows APIs CreateToolhelp32Snapshot, Process32First, and Process32Next. Matching processes are then opened and terminated using OpenProcess and TerminateProcess.
After terminating browser processes, DenoRAT checks whether ESET is present on the host. If ESET is detected, the malware skips DLL injection entirely. This suggests the threat actors may have tested against AV/EDR products and found that ESET detects the process injection technique and/or the ABE bypass method.

Before injection, the malware creates a named pipe with CreateNamedPipeW to support inter-process communication with the injected DLL and starts the Chromium-based browser process in a suspended state via CreateProcessW with CREATE_SUSPENDED flag for the dwCreationFlags parameter.

DenoRAT creates named pipes that resemble legitimate Chrome or Edge named pipes, selecting the format based on the targeted browser process.

It then performs DLL injection [T1055.001] by allocating memory in the target browser process with VirtualAllocEx, writing the DLL with WriteProcessMemory, changing protections to PAGE_EXECUTE_READ via VirtualProtectEx, and starting execution via CreateRemoteThread.

The figure below displays the core injection routine. It begins by finding the offset to the C2-supplied DLL payload's Bootstrap export, likely indicating threat actors use the payload available in the open-source GitHub repository ChromElevator. The code uses VirtualAllocEx to allocate memory in the target process, WriteProcessMemory to copy the ChromElevator payload DLL and pipe name into the target process, VirtualProtectEx to change page permissions to executable, and CreateRemoteThread to execute the ChromElevator DLL.

In the fingerprinting process (sysinfo task), DenoRAT enumerates over a specific list of directories to identify installed Anti-Virus software.

The full list is shown in the table below.
The following table lists the browser extensions and corresponding extension IDs targeted by DenoRAT for exfiltration, including MFA authenticators, password managers, and cryptocurrency wallets.
DenoRAT includes a broad set of tasks that make up its loader functionality. TRU observed the malware's C2 return an exec-ps task after the victim registration request. This task contained PowerShell code that ultimately executes the NightshadeC2 RAT/infostealer in memory via a Python-based shellcode loader.
The beautified PowerShell is shown in the figure below, which is responsible for downloading a self-contained Python archive and reflective PE loader named install.pyc (pre-compiled via python 3.13.0, SHA256: e0dd60bb3a409029988db6a10cb1e36586c2636da9eff3a3587bc38473fde54b).

The contents of the decompiled "install.pyc" (SHA256: c2cdf1ecd6684bbcef0405444a570a76e9589bbd563476b08788bde34d83b511) are shown in the next figure. This script is simply a stager that decrypts and executes the next stage.

The figure below displays the Input/Output result in CyberChef after decrypting the prior stage's tomemexec bytes from RC4, yielding the core python script (SHA256: a06d514a34d2ab08c3a13a58056827c50ba9bf01b68ca4b2cecb4e1462af53fa) responsible for decrypting and executing NightshadeC2 in memory.

The next figure shows the beginning of the Python-based loader, annotated to highlight the shellcode entrypoint offset, the container file downloaded by the previously shown PowerShell stage containing the encrypted NightshadeC2 payload, the AES-256 key used to decrypt the container file, and the raw shellcode bytes.

The remainer of the loader performs the following functions:

The next figure shows the shellcode entrypoint, which accepts a single parameter from the Python loader containing the raw payload's base address. Notably, after reflective injection, the shellcode updates the current Python process's PEB.ImageBaseAddress field and the first loader data table entry to point to the payload's base address. It then resolves the payload's entrypoint and calls it, effectively transfering control to the mapped payload (NightshadeC2).

The shellcode loader uses the DJB2 hashing algorithm to resolve exports required for PE mapping, including VirtualAlloc, LoadLibrary, and VirtualProtect. It also uses DJB2 hashing to resolve imports during Import Address Table (IAT) fix-ups and to identify module base addresses.

The table below lists Indicators of Compromise for the full attack chain.
To learn how eSentire can help you find exposures and defend your organization, connect with an eSentire Security Specialist now.
GET STARTEDThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.