Iranian Seedworm hackers target organizations worldwide via Microsoft Teams

CyberProof’s Threat Intelligence team observed several Iran-linked campaigns in early March, including one attributed to the advanced persistent threat (APT) group tracked as Seedworm, known for combining social engineering with custom malware to infiltrate enterprise systems.

The attack began with a deceptive message sent via Microsoft Teams. The attacker posed as an external IT support worker using a fake Microsoft 365 domain designed to appear legitimate. The victim was told that another employee’s account had been compromised and was asked to help.

The attacker convinced the user to download and run a malicious file named update_ms.msi, disguised as a Windows update, which, in reality, was a dropper for a custom backdoor called Dindoor.

The campaign abused Deno, a legitimate runtime for JavaScript and TypeScript, to execute a heavily obfuscated Base64-encoded payload named DINODANCE directly in memory. Running the payload in memory rather than from a file on disk reduces the traces left on the system and makes detection more difficult.

The malware connected to remote command-and-control (C&C) servers and collected basic system information, including username, hostname, and operating system details. Researchers found that the infrastructure used overlapped with systems previously linked to Iranian cyber operations.

To maintain access, the attackers created a registry key named “Realtek HD Audio Universal Service,” allowing the malware to run automatically at startup while blending in with legitimate system processes.
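Two of the behaviours described above, Deno launching an inline Base64 payload and an autorun registry entry with a vendor-sounding name that points into a user-writable directory, can be turned into simple triage heuristics. The following is an added example, not code from CyberProof or the report: it runs over constructed Sysmon-style events (process creation and registry value set) whose field names, paths and the assumption that the MSI dropper spawns Deno via msiexec.exe are my own.

```python
import re

# Heuristics are constructed for this example; tune thresholds to your telemetry.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")             # long Base64-looking blob
USER_WRITABLE = re.compile(r"\\(Users|AppData|Temp|ProgramData)\\", re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run\\|\\Services\\", re.I)
VENDOR_NAMES = re.compile(r"realtek|intel|nvidia|microsoft", re.I)

def check_process(ev):
    """Return reasons if a Deno launch looks like in-memory execution of an encoded payload."""
    if not ev.get("image", "").lower().endswith("deno.exe"):
        return None
    cmd = ev.get("command_line", "")
    reasons = []
    if re.search(r"\b(eval|run)\b", cmd) and B64_TOKEN.search(cmd):
        reasons.append("deno executing inline Base64 payload")
    # Assumption for this example: the MSI dropper hands off to Deno via Windows Installer.
    if ev.get("parent_image", "").lower().endswith("msiexec.exe"):
        reasons.append("deno spawned by msiexec.exe")
    return reasons or None

def check_registry(ev):
    """Return reasons if an autorun value mimics a vendor service but runs from a user-writable path."""
    target, data = ev.get("target_object", ""), ev.get("details", "")
    if AUTORUN_KEY.search(target) and VENDOR_NAMES.search(target) and USER_WRITABLE.search(data):
        return ["vendor-named autorun entry pointing to a user-writable path"]
    return None

def triage(events):
    """Apply the right check per event type; return (event_id, reasons) for each hit."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1:        # Sysmon process creation
            hit = check_process(ev)
        elif ev["event_id"] == 13:     # Sysmon registry value set
            hit = check_registry(ev)
        else:
            hit = None
        if hit:
            findings.append((ev["event_id"], hit))
    return findings

# Constructed sample events: two malicious, two benign.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": "C:\\Users\\alice\\.deno\\bin\\deno.exe",
     "command_line": "deno.exe eval \"eval(atob('" + "QUFB" * 20 + "'))\"",
     "parent_image": "C:\\Windows\\System32\\msiexec.exe"},
    {"event_id": 13,
     "target_object": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Realtek HD Audio Universal Service",
     "details": "C:\\Users\\alice\\AppData\\Roaming\\deno.exe run payload.js"},
    {"event_id": 1, "image": "C:\\Program Files\\deno\\deno.exe", "command_line": "deno.exe test",
     "parent_image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},
    {"event_id": 13, "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
]
```

Run `triage(SAMPLE_EVENTS)` to see the two malicious events flagged and the two benign ones ignored.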
