Connects to any signal across any vendor stack and powers adaptive AI Operatives that expose, detect, and neutralize cyberattacks.
Atlas Operations CenterSee what our SOC sees, review investigations, and see how we are protecting your business.
Technology IntegrationsAtlas connects to any signal across your current security tools. Whatever you're running, we're running with you.
Extend your team with immediate expertise, hands-on remediation, and the human accountability layer that boards, regulators, and cyber insurers require.
Threat Response UnitProactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Response and RemediationPairs machine-speed containment with human judgment, delivering full threat response that's policy-bounded, reversible, and explainable.
MDR that moves first, multi-signal attack surface coverage, and 24/7 Elite threat hunters working as one continuous security program across any vendor stack.
Get unlimited Incident Response with threat suppression guarantee- anytime, anywhere.
Atlas Preempt deploys AI Operatives to continuously validate attack paths exposing attacker targets of opportunity before they take advantage.
Flexible MDR pricing and packages that fit your unique security requirements.
Entry level foundational MDR coverage
Comprehensive Next Level eSentire MDR
Next Level eSentire MDR with Cyber Risk Advisors to continuously advance your security program
Stop ransomware before it spreads.
Identity ResponseStop identity-based cyberattacks.
Zero Day AttacksDetect and respond to zero-day exploits.
Cybersecurity ComplianceMeet regulatory compliance mandates.
Third-Party RiskDefend third-party and supply chain risk.
Cloud MisconfigurationEnd misconfigurations and policy violations.
Cyber RiskAdopt a risk-based security approach.
Mid-Market SecurityMid-market security essentials to prioritize.
Sensitive Data SecurityProtect your most sensitive data.
Cyber InsuranceMeet insurability requirements with MDR.
Cyber Threat IntelligenceOperationalize cyber threat intelligence.
Security LeadershipBuild a proven security program.
On July 1st, 2026, security researchers reported active exploitation of the Citrix NetScaler vulnerability CVE-2026-8451, having observed a threat actor successfully deliver the exploit…
Beginning on June 29th, 2026, eSentire’s Threat Response Unit (TRU) identified exploitation attempts targeting the critical Progress Kemp LoadMaster vulnerability CVE-2026-8037. The…
eSentire is a leader in Controlled Autonomy SecOps, protecting 2,000+ organizations across 35+ industries around the world. Founded in 2001, the company’s Controlled Autonomy SecOps operating model pairs agentic AI operatives with engineered human-judgment controls, delivering expert-depth security outcomes at machine speed without ceding accountability to opaque automation.
About Us Leadership Careers Event Calendar → Newsroom → Aston Villa Football Club →We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Search our site
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
We offer three flexible MDR pricing packages that can be customized to your unique needs.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
In June 2026, eSentire's Threat Response Unit (TRU) identified a Microsoft Teams-based phishing campaign targeting a customer in the Retail industry. Threat actors first bombarded victims with email spam before posing as IT helpdesk via Microsoft Teams.
Under this pretense, they sent malicious links containing step-by-step instructions guiding victims to download, unpack, and execute a Deno-based backdoor from the command prompt that TRU is tracking as "DenoGate", named for its ability to turn compromised machines into proxies, effectively opening a gateway into the victim's network.
Threat actors subscribed victims' email addresses to numerous services, flooding their inboxes with spam before promptly reaching out via Microsoft Teams where they posed as IT helpdesk and instructed victims to install a "patch" to resolve the issue. The so-called patch was an archive named patch01309.txt and contained the DenoGate backdoor.
In this process, threat actors used a lookalike Office 365 tenant to impersonate the victim organization's IT helpdesk, following the format shown below (where <REDACTED> represents the victim organization's redacted company name):
Posing as IT helpdesk, threat actors sent victims Amazon S3 links to pages containing instructions to download, unpack, and execute the "patch" (the DenoGate backdoor). A partially redacted URL identified during incident analysis is shown below.
The figure below illustrates an example notification a user sees when receiving an incoming call from an external Microsoft Teams account.

Extraction of the "patch" revealed the deno run-time (deno.exe) and several DenoGate-affiliated JavaScript files (covered in-depth later in this blog).

The attack chain begins with threat actors conducting Email Bombing attacks against victim email addresses, where victims receive large amounts of spam emails in a short period of time. This is followed by a Microsoft Teams message or call from the threat actor claiming to be part of the victim's IT helpdesk.
Victims were sent a link via Microsoft Teams and were instructed to download the "patch" file, open a command prompt, and execute a series of commands that ultimately unpacked and executed the DenoGate Backdoor.
The backdoor transmits the victim's domain name, computer name, and network information to the threat actors via WebSocket, supports further fingerprinting of the victim's network / host, and allows threat actors to use the victim's device as a proxy.

The DenoGate backdoor is composed of four files: the launcher (app.js), and three JavaScript files that run as local HTTP servers, and are described in the table below.
This module serves as the entrypoint for DenoGate. It is responsible for launching the core module, "back.js" via the following command line:

The figure below displays contents from the core module "back.js" and is responsible for establishing persistent communications with the CloudFront-based C2 server over websockets.
Upon establishing communications, it sends a version identifier "1.010.10.10" to the C2, followed by the victim fingerprint information: domain name, username, computer name, and a randomly generated, unique identifier.


HTTP POST requests to the local HTTP server run by this module serve to relay TCP socket responses (e.g. received from the webui.js module) back to the C2. The callback method, handleRequest, is shown in the figure below.

JSON-encoded messages from the C2 contain base64-encoded command data within the event.data attribute. The onMessage handler base64-decodes this data, parses the resulting JSON, and passes it to processCmd for processing. Attributes that can appear in this data are described in the following table.
The module "helper.js" is the command handler and runs as an HTTP server on port 10022. It provides a single endpoint "/exec" and launches Windows Command Prompt with specified arguments. This is used by the "back.js" module in collecting the victim's network information and installation/uninstallation of the persistence registry value "Deno_AutoRun".

The final module, "webui.js" is the TCP socket manager and runs as an HTTP server on port 10021 like the other modules. It provides three endpoints:

The table below lists Indicators of Compromise for the DenoGate backdoor.
To learn how eSentire can help you find exposures and defend your organization, connect with an eSentire Security Specialist now.
GET STARTEDThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.