Deno-Based RAT Uses Microsoft Teams Impersonation and Mailbombing to Target Employees
A new strain of malware has emerged that combines two well-known social engineering tactics into one effective attack chain.
Researchers have uncovered a Remote Access Trojan built on Deno, an unconventional JavaScript runtime, being deployed against employees through email flooding and fake Microsoft Teams calls.
The attack overwhelms targets and then offers a false sense of rescue, turning trust into a weapon.
The attack begins with what professionals call mailbombing. Targeted employees receive hundreds of emails in a short period, flooding inboxes and creating panic.
Once the victim is disoriented, an attacker calls them over Teams, posing as an IT support agent. It is a deliberate trap: the manufactured crisis creates the demand, and the attacker shows up as the solution.
Analysts at InfoGuard Labs, who investigated this intrusion firsthand, noted that the malware stood out not for its social engineering alone, but because of the unusual technical framework deployed.
Instead of a traditional compiled implant, the attacker delivered a modular RAT built on Deno, a JavaScript and TypeScript runtime known for its security-first design.
InfoGuard Labs said in a report shared with Cyber Security News (CSN) that the implant was split across four JavaScript files, each handling a specific role while keeping the overall footprint low.
What makes this attack particularly concerning is that an active endpoint detection tool was present on the compromised machine and still failed to flag the malware during initial execution.
Alerts only surfaced later when the attacker began follow-on activities like LDAP queries and certificate-related reconnaissance. This strongly suggests the malware was built with evasion in mind from the start.
The case is a reminder that modern attackers no longer rely solely on malicious files. By blending manipulation, legitimate platforms, and scripting runtimes that security tools rarely scrutinize, they are building attack chains that slip past defenses designed for a different era.
Deno-Based RAT Uses Microsoft Teams Impersonation and Mailbombing
The initial contact came through Microsoft Teams, where the attacker called employees from an external account that closely mimicked an internal IT support identity.
Employee names and company context, likely sourced from LinkedIn, were used to build credibility. Two employees did not answer. One did, and that single interaction was enough.
The victim was directed to a fake self-service portal designed to resemble a legitimate support workflow. The page prompted the user to download a file and extract it into their AppData directory, a path less likely to raise flags.

Once extracted, the primary payload executed without triggering an immediate alert. The malware was composed of four JavaScript files: app.js, back.js, helper.js, and webui.js.
Each handled a separate function, from orchestrating the other modules to managing the C2 connection, executing local commands, and enabling internal network pivoting.
The C2 server sat behind a CloudFront domain, helping disguise outbound traffic as contact with a legitimate content delivery network.
Deno as a Covert Attack Tool
Deno is widely praised for its security-first design. Unlike Node.js, it requires explicit permission for every sensitive action, including file access, network activity, and subprocess execution.
The attacker turned this feature against defenders by splitting the malware into modules where each piece requested only what it needed, so no single process appeared obviously suspicious.
All four JavaScript files were heavily obfuscated using a technique called string array shifting, where readable strings are replaced with scrambled arrays that only reconstruct at runtime.

This defeats static analysis tools that scan for known URLs or command-line arguments, leaving analysts with garbled output. The only reliable signals in this attack were behavioral, not content-based.
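A way for an analyst to recover call-site strings without running the sample, given as an added example that is not code from the article, InfoGuard Labs or the implant. The sample script, its names and strings, the constant rotation count and the splitting of the URL across array entries are all assumptions that illustrate the general shape of the technique.

```python
import re

# Constructed sample in the general shape of string-array shifting; every
# name and string is invented here and nothing comes from the real implant.
SAMPLE_JS = """
var _0xa = ['ple.invalid', 'get', 'https://cdn.exam', '/status'];
(function (a, n) { while (n--) a.push(a.shift()); })(_0xa, 3);
function _0xb(i) { return _0xa[i - 0x10]; }
http[_0xb(0x12)](_0xb(0x13) + _0xb(0x11) + _0xb(0x10));
"""

NUM = r"(0x[0-9a-fA-F]+|\d+)"
ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[(.*?)\];", re.S)
ROTATE_RE = re.compile(r"\}\)\((\w+),\s*" + NUM + r"\)")
OFFSET_RE = re.compile(
    r"function\s+(\w+)\(\w+\)\s*\{\s*return\s+\w+\[\w+\s*-\s*" + NUM + r"\];?\s*\}")
FOLD_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def resolve_string_array(js):
    """Return (strings in runtime order, source with lookups inlined)."""
    arr_name, body = ARRAY_RE.search(js).groups()
    strings = re.findall(r"'((?:[^'\\]|\\.)*)'", body)

    # Reproduce the rotation statically: n x push(shift()) is a left rotate.
    rot = ROTATE_RE.search(js)
    n = int(rot.group(2), 0) % len(strings) if rot and rot.group(1) == arr_name else 0
    strings = strings[n:] + strings[:n]

    # Inline every accessor call, e.g. _0xb(0x12) -> 'get'.
    fn, offset = OFFSET_RE.search(js).groups()
    offset = int(offset, 0)
    call = re.compile(r"\b" + re.escape(fn) + r"\(" + NUM + r"\)")
    out = call.sub(lambda m: repr(strings[int(m.group(1), 0) - offset]), js)

    # Fold 'a' + 'b' so indicators split across entries become whole again.
    while FOLD_RE.search(out):
        out = FOLD_RE.sub(lambda m: "'%s%s'" % m.groups(), out)
    return strings, out

if __name__ == "__main__":
    indicator = "cdn.example.invalid"
    _, resolved = resolve_string_array(SAMPLE_JS)
    print("raw scan hit:", indicator in SAMPLE_JS)
    print("resolved scan hit:", indicator in resolved)
```

Obfuscators in the wild usually derive the rotation count from a checksum loop and may also encode the array entries, so a real sample needs those steps reproduced before the lookups can be inlined.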
Security teams can take practical steps to reduce exposure. Monitoring for Deno processes launched from user-writable directories, flagging external Teams calls during email surges, and enabling full Microsoft 365 audit logging are all important measures.
The Teams impersonation event leaves a traceable record in the Unified Audit Log, and correlating that signal with mailbombing activity can provide an early warning before any malware executes.
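The correlation described above, sketched as an added example that is not from the article or from InfoGuard Labs. The event tuples are a hypothetical normalized schema rather than real Unified Audit Log or EDR field names, and the thresholds, user names and paths are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed thresholds; tune them against normal mail and call volumes.
SURGE_COUNT = 100                     # mails to one recipient ...
SURGE_WINDOW = timedelta(minutes=10)  # ... inside this window count as a surge
CALL_WINDOW = timedelta(hours=2)      # external contact this soon after is suspect
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)

def surge_start(times):
    """Return the start of the first mail surge in a list of timestamps, or None."""
    times = sorted(times)
    for i in range(len(times) - SURGE_COUNT + 1):
        if times[i + SURGE_COUNT - 1] - times[i] <= SURGE_WINDOW:
            return times[i]
    return None

def correlate(mail, teams, procs):
    """mail: (ts, recipient); teams: (ts, callee, caller_is_external); procs: (ts, user, path)."""
    inbox, alerts = {}, []
    for ts, user in mail:
        inbox.setdefault(user, []).append(ts)
    for user, times in inbox.items():
        start = surge_start(times)
        if start is None:
            continue
        for ts, callee, external in teams:
            if callee == user and external and start <= ts <= start + CALL_WINDOW:
                alerts.append(("external_teams_contact_during_mail_surge", user, ts))
    for ts, user, path in procs:
        if path.lower().endswith("\\deno.exe") and USER_WRITABLE.search(path):
            alerts.append(("deno_from_user_writable_dir", user, ts))
    return alerts

def sample_events():
    """Constructed events: alice is mailbombed, bob sees normal traffic."""
    t0 = datetime(2025, 1, 1, 9, 0)
    mail = [(t0 + timedelta(seconds=2 * i), "alice") for i in range(150)]
    mail += [(t0 + timedelta(minutes=i), "bob") for i in range(5)]
    teams = [(t0 + timedelta(minutes=20), "alice", True),
             (t0 + timedelta(minutes=25), "bob", True),
             (t0 + timedelta(minutes=30), "alice", False)]
    procs = [(t0 + timedelta(minutes=40), "alice", r"C:\Users\alice\AppData\Roaming\svc\deno.exe"),
             (t0 + timedelta(minutes=41), "bob", r"C:\Program Files\deno\deno.exe")]
    return mail, teams, procs

if __name__ == "__main__":
    for alert in correlate(*sample_events()):
        print(alert)
```

Matching on the file name alone misses a renamed runtime binary, so in production the process rule is better keyed on the binary's original file name or signer metadata where the telemetry provides it.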
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | d317371cf2b4cd524849551ffd3b97d91edbc17f6b39c8693217383ba6a0370d | app.js |
| SHA-256 | 9469268c421b7821f897deb2d4d2316b21ff5da35bef417aa4e284010ef78302 | back.js |
| SHA-256 | 3d8afae76c5982458849d21221e089ee161266a4248b12ea3048d1e79b76707e | helper.js |
| SHA-256 | 2ed6fdfa5f9120306167ba5d8d48a62dbe5fd0d05e87c33c9784f08698f8a66b | webui.js |
| SHA-256 | 3b48a334dcf0a08bed2a9766fd553474ae3014db600b65573dfee0f183e9d1d9 | patch09913.bd |
| Domain | 2cff16eusb8mg.cloudfront[.]net | C2 server domain hosted via CloudFront CDN |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Deno-Based RAT Uses Microsoft Teams Impersonation and Mailbombing to Target Employees appeared first on Cyber Security News.
Tushar Subhra Dutta