Threat Response Unit

Trust Me, I'm IT: Threat Actors Deliver Deno-Based Backdoor "DenoGate" via Microsoft Teams

eSentire Threat Response Unit (TRU)

July 2, 2026

8 MINS READ

What did we find?

In June 2026, eSentire's Threat Response Unit (TRU) identified a Microsoft Teams-based phishing campaign targeting a customer in the Retail industry. Threat actors first bombarded victims with email spam before posing as IT helpdesk via Microsoft Teams.

Under this pretense, they sent malicious links containing step-by-step instructions guiding victims to download, unpack, and execute a Deno-based backdoor from the command prompt that TRU is tracking as "DenoGate", named for its ability to turn compromised machines into proxies, effectively opening a gateway into the victim's network.

Initial Access

Threat actors subscribed victims' email addresses to numerous services, flooding their inboxes with spam before promptly reaching out via Microsoft Teams where they posed as IT helpdesk and instructed victims to install a "patch" to resolve the issue. The so-called patch was an archive named patch01309.txt and contained the DenoGate backdoor.

In this process, threat actors used a lookalike Office 365 tenant to impersonate the victim organization's IT helpdesk, following the format shown below (where <REDACTED> represents the victim organization's redacted company name):

Posing as IT helpdesk, threat actors sent victims Amazon S3 links to pages containing instructions to download, unpack, and execute the "patch" (the DenoGate backdoor). A partially redacted URL identified during incident analysis is shown below.

The figure below illustrates an example notification a user sees when receiving an incoming call from an external Microsoft Teams account.

Figure 1 - Call from external Microsoft Teams account
Figure 1 - Call from external Microsoft Teams account

Extraction of the "patch" revealed the deno run-time (deno.exe) and several DenoGate-affiliated JavaScript files (covered in-depth later in this blog).

Figure 2 - Directory listing of the extracted
Figure 2 - Directory listing of the extracted "patch" archive

Attack Chain

The attack chain begins with threat actors conducting Email Bombing attacks against victim email addresses, where victims receive large amounts of spam emails in a short period of time. This is followed by a Microsoft Teams message or call from the threat actor claiming to be part of the victim's IT helpdesk.

Victims were sent a link via Microsoft Teams and were instructed to download the "patch" file, open a command prompt, and execute a series of commands that ultimately unpacked and executed the DenoGate Backdoor.

The backdoor transmits the victim's domain name, computer name, and network information to the threat actors via WebSocket, supports further fingerprinting of the victim's network / host, and allows threat actors to use the victim's device as a proxy.

Figure 3 - Attack chain for Email Bombing -> IT Helpdesk -> DenoGate
Figure 3 - Attack chain for Email Bombing -> IT Helpdesk -> DenoGate

DenoGate Analysis

The DenoGate backdoor is composed of four files: the launcher (app.js), and three JavaScript files that run as local HTTP servers, and are described in the table below.

File NamePortDescription
app.jsN/ALaunches the core module "back.js"
back.js10020Core module that maintains connection with a CloudFront-based C2 server via WebSocket and dispatches received commands to the two modules described below
helper.js10022Arbitrary command execution via cmd.exe /c <command> and persistence installation/uninstallation via registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
webui.js10021TCP tunneler allowing arbitrary TCP connections to threat actor-specified hosts.

app.js (Loader)

This module serves as the entrypoint for DenoGate. It is responsible for launching the core module, "back.js" via the following command line:

<deno_path> --allow-net --unsafely-ignore-certificate-errors --allow-env back.js
Figure 4 - app.js module that serves to launch the core module back.js
Figure 4 - app.js module that serves to launch the core module back.js

back.js (C2 Communication Handler)

The figure below displays contents from the core module "back.js" and is responsible for establishing persistent communications with the CloudFront-based C2 server over websockets.

Upon establishing communications, it sends a version identifier "1.010.10.10" to the C2, followed by the victim fingerprint information: domain name, username, computer name, and a randomly generated, unique identifier.

Figure 5 - initCommunication method within back.js
Figure 5 - initCommunication method within back.js
Figure 6 - registerClient method within back.js
Figure 6 - registerClient method within back.js

HTTP POST requests to the local HTTP server run by this module serve to relay TCP socket responses (e.g. received from the webui.js module) back to the C2. The callback method, handleRequest, is shown in the figure below.

Figure 7 - handleRequest method within back.js
Figure 7 - handleRequest method within back.js

JSON-encoded messages from the C2 contain base64-encoded command data within the event.data attribute. The onMessage handler base64-decodes this data, parses the resulting JSON, and passes it to processCmd for processing. Attributes that can appear in this data are described in the following table.

Command AttributeDescription
app.payment_statusExfiltrate victim host/network information collected via command: cmd.exe /c "set && ipconfig /all && route print && tasklist"
app.subscription_idOpens a TCP socket to the threat-actor specified host/port specified by the subscription_host and subscription_port attributes by issuing a POST request to the local HTTP server run by webui.js, then returns the resulting socket id to the C2.
app.unsubscribeIssues a POST request to the local HTTP server run by webui.js to close a specified socket id.
app.handshake == 0x1

Persistence via HKCU Run key via command: cmd.exe /c "reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v Deno_AutoRun /t REG_SZ /d \"conhost.exe

--headless <fullPath> --allow-run <workingDirectory>app.js\" /f"

app.handshake == 0x2Deletion of persistence from HKCU Run key via command: cmd.exe /c "reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v Deno_AutoRun /f"

helper.js (Command Executor)

The module "helper.js" is the command handler and runs as an HTTP server on port 10022. It provides a single endpoint "/exec" and launches Windows Command Prompt with specified arguments. This is used by the "back.js" module in collecting the victim's network information and installation/uninstallation of the persistence registry value "Deno_AutoRun".

Figure 8 - /exec endpoint within helper.js (Command Executor module)
Figure 8 - /exec endpoint within helper.js (Command Executor module)

webui.js (TCP Tunneler)

The final module, "webui.js" is the TCP socket manager and runs as an HTTP server on port 10021 like the other modules. It provides three endpoints:

Figure 9 - endpoints supported by the TCP Socket Manager module webui.js
Figure 9 - endpoints supported by the TCP Socket Manager module webui.js

What did we do?

What can you learn from this TRU Positive?

Recommendations from the Threat Response Unit (TRU)

Indicators of Compromise

The table below lists Indicators of Compromise for the DenoGate backdoor.

TypeValueDescription
SHA-256ff5a477871a4b83e2b38e660f28ef998680dcb6ba21fddff3e3f66c04ffc3596patch01309.txt
Command Linecmd.exe /c "set && ipconfig /all && route print && tasklist"Victim network and process list reconnaissance
Command Line

cmd.exe /c "reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v Deno_AutoRun /t REG_SZ /d \"conhost.exe

--headless <fullPath> --allow-run <workingDirectory>app.js\" /f"

Persistence installation via HKCU Run registry key
Command Linecmd.exe /c "reg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v Deno_AutoRun /f"Persistence deletion
URLwss://d1mjrkjsk5qy13.cloudfront[.]net/api/connectCommand and Control URL
Domain-Named1mjrkjsk5qy13.cloudfront[.]netCommand and Control domain name
Command Lineconhost.exe --headless <deno_path> --allow-run <path>\app.jsDenoGate launching via conhost
IPv4127.0.0.1:10020Local HTTP server for back.js module
IPv4127.0.0.1:10021Local HTTP server for webui.js module
IPv4127.0.0.1:10022Local HTTP server for helper.js module

References

To learn how eSentire can help you find exposures and defend your organization, connect with an eSentire Security Specialist now.

GET STARTED

ABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Back to blog

Take Your Cybersecurity Program to the Next Level with eSentire MDR.

BUILD A QUOTE

Read Similar Blogs

EXPLORE MORE BLOGS