Intelligence Category: Active Malware Campaigns & Criminal Tooling
Date: 2026-04-26
Source: AlienVault OTX Live Pulse Data
Threat Summary
Current OTX pulse data indicates a convergence of sophisticated state-aligned and financially motivated threat actors actively deploying upgraded toolsets. The primary threats identified this week include:
- APT28 (Pawn Storm): Launching the PRISMEX malware suite against Ukrainian and Western defense infrastructure, leveraging CVE-2026-21509 and CVE-2026-21513 for initial access. The group employs steganography to hide payloads and abuses legitimate cloud storage (filen.io) for Command and Control (C2), making network detection difficult.
- MuddyWater: A shift in TTPs with the deployment of "DinDoor," a backdoor specifically abusing the Deno JavaScript runtime. This allows the actor to execute obfuscated JS payloads directly in memory or via MSI installers, targeting finance sectors in the US and Russia.
- Tropic Trooper: Utilizing trojanized SumatraPDF installers to drop AdaptixC2 and Cobalt Strike beacons. This campaign specifically targets Chinese-speaking entities, using military-themed lures to deploy Visual Studio Code as a persistence mechanism.
Threat Actor / Malware Profile
APT28 (Pawn Storm) - PRISMEX
- Distribution: Exploitation of critical vulnerabilities (CVE-2026-21509, CVE-2026-21513) and likely phishing.
- Payload Behavior: The PRISMEX suite includes a dropper, stager, and loader. It utilizes advanced steganography to extract malicious code from image files.
- C2 Communication: Abuses legitimate file hosting services (filen.io) using specific hostnames (gateway.filen.io, egest.filen.io) to blend in with normal traffic.
- Persistence: Utilizes COM hijacking to maintain access without creating suspicious scheduled tasks.
MuddyWater - DinDoor
- Distribution: Malicious MSI files.
- Payload Behavior: Exploits the Deno runtime to execute obfuscated JavaScript. Capabilities include system fingerprinting and C2 communication. Some variants operate entirely in-memory to avoid disk scans.
- C2 Communication: Uses domains such as ineracaspsl.site and serialmenot.com, alongside infrastructure associated with the CastleLoader and Tsundere botnet.
Tropic Trooper - AdaptixC2 / TOSHIS
- Distribution: Trojanized SumatraPDF binaries inside ZIP archives.
- Payload Behavior: Drops AdaptixC2 Beacon, Cobalt Strike Beacon, and TOSHIS loader. Uniquely installs Visual Studio Code (code.exe) to facilitate payload execution or tunneling.
IOC Analysis
The provided pulses contain 242 total indicators comprising network artifacts and file hashes.
- Hostnames/Domains: High-confidence IOCs include the filen.io subdomains used by APT28. SOC teams should note that filen.io is a legitimate encrypted cloud service; blanket blocking may impact business operations, but filtering for the specific gateway subdomains is advised. MuddyWater's use of duckdns.org (agilemast3r.duckdns.org) suggests dynamic DNS infrastructure.
- File Hashes: A significant cluster of MD5 hashes relates to the trojanized SumatraPDF and DinDoor samples. These should be immediately added to blocklists on endpoints (EDR) and network gateways.
- Operationalizing IOCs:
  - EDR: Hunt for processes initiating network connections to the listed filen.io gateways.
  - Network: Create SSL inspection rules for the specific filen.io hostnames to inspect the underlying payload (though challenging due to encryption).
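The matching logic the caveat above calls for, as an added example (not code from the report or from any of the tooling it mentions): the abused filen.io gateways are matched as exact hostnames so that legitimate filen.io traffic is not flagged, while the MuddyWater and dynamic-DNS domains are matched on the registrable domain and any subdomain. The event records are constructed and stand in for an EDR network-connection log; the filen-1.net to filen-5.net entries are taken from the Sigma rule later in this report.

```python
"""Network-indicator matcher for the PRISMEX / DinDoor hostnames in this report.

Added example, not part of the original report. filen.io itself is a legitimate
service, so only the listed gateway hostnames are matched exactly; the other
indicators are matched as a domain plus any subdomain.
"""
from dataclasses import dataclass
from typing import Optional

# Hostnames that must match exactly (the parent domain is legitimate).
EXACT_HOSTS = {
    "gateway.filen.io": "APT28_PRISMEX",
    "egest.filen.io": "APT28_PRISMEX",
}

# Domains where the domain itself and every subdomain are indicators.
SUFFIX_DOMAINS = {
    "ineracaspsl.site": "MuddyWater_DinDoor",
    "serialmenot.com": "MuddyWater_DinDoor",
    "agilemast3r.duckdns.org": "MuddyWater_DinDoor",
    "filen-1.net": "APT28_PRISMEX",   # these five come from the Sigma rule in this report
    "filen-2.net": "APT28_PRISMEX",
    "filen-3.net": "APT28_PRISMEX",
    "filen-4.net": "APT28_PRISMEX",
    "filen-5.net": "APT28_PRISMEX",
}


@dataclass
class Match:
    host: str
    actor: str
    reason: str


def normalize(host: str) -> str:
    """Lower-case, strip a trailing dot and any port, so 'Gateway.Filen.io.' still matches."""
    host = host.strip().lower().rstrip(".")
    if ":" in host and not host.startswith("["):
        host = host.split(":", 1)[0]
    return host


def classify_host(host: str) -> Optional[Match]:
    """Return a Match for an IOC hit, or None.

    Suffix matching is label-aware: 'cdn.serialmenot.com' matches,
    'notserialmenot.com' does not, and 'filen.io' on its own is never flagged.
    """
    h = normalize(host)
    if h in EXACT_HOSTS:
        return Match(h, EXACT_HOSTS[h], "exact hostname")
    for domain, actor in SUFFIX_DOMAINS.items():
        if h == domain or h.endswith("." + domain):
            return Match(h, actor, f"subdomain of {domain}")
    return None


def scan_events(events):
    """Yield (event, Match) for every network event whose destination is an IOC."""
    for ev in events:
        m = classify_host(ev["remote_host"])
        if m:
            yield ev, m


# Constructed sample events (not real telemetry) in the shape of an EDR network-connection log.
SAMPLE_EVENTS = [
    {"device": "ws01", "process": "svchost.exe", "remote_host": "gateway.filen.io"},
    {"device": "ws02", "process": "FilenDesktop.exe", "remote_host": "filen.io"},       # legitimate client
    {"device": "ws03", "process": "deno.exe", "remote_host": "cdn.serialmenot.com"},
    {"device": "ws04", "process": "chrome.exe", "remote_host": "notserialmenot.com"},  # must not match
    {"device": "ws05", "process": "rundll32.exe", "remote_host": "Egest.Filen.io:443"},
]

if __name__ == "__main__":
    for ev, m in scan_events(SAMPLE_EVENTS):
        print(f"[!] {ev['device']} {ev['process']} -> {m.host} ({m.actor}, {m.reason})")
```

Running the block prints three hits (ws01, ws03, ws05); the plain filen.io connection and the look-alike domain are left alone, which is the behaviour a blocklist built from this report should have.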
Detection Engineering
Sigma Rules
---
title: Potential APT28 PRISMEX C2 Activity
id: 4a8f9c12-5b6a-4f8d-9e1a-2c3d4e5f6a7b
description: Detects network connections to known PRISMEX C2 hostnames associated with the Pawn Storm campaign abusing Filen.io infrastructure.
status: experimental
author: Security Arsenal
date: 2026-04-26
modified: 2026-04-26
tags:
    - attack.command_and_control
    - attack.t1102
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'gateway.filen.io'
            - 'egest.filen.io'
            - 'filen-1.net'
            - 'filen-2.net'
            - 'filen-3.net'
            - 'filen-4.net'
            - 'filen-5.net'
    condition: selection
falsepositives:
    - Legitimate use of Filen.io storage services (unlikely for specific gateway subdomains)
level: high
---
title: Suspicious Deno Runtime Execution (DinDoor)
id: b7c9d8e1-3f4a-4b5c-8d6e-7f8a9b0c1d2e
description: Detects the execution of Deno runtime initiated by MSI installers or uncommon parent processes, typical of DinDoor backdoor deployment.
status: experimental
author: Security Arsenal
date: 2026-04-26
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\deno.exe'
    selection_parent:
        ParentImage|endswith:
            - '\msiexec.exe'
            - '\cmd.exe'
            - '\powershell.exe'
    filter_legit_dev:
        CommandLine|contains:
            - 'bundle '
            - 'install '
            - 'upgrade '
    condition: selection_img and selection_parent and not filter_legit_dev
falsepositives:
    - Legitimate developer activity installing Deno via scripts
level: medium
---
title: Trojanized SumatraPDF Spawning VS Code or Beacon
id: e1f2a3b4-c5d6-e7f8-a9b0-c1d2e3f4a5b6
description: Detects SumatraPDF spawning Visual Studio Code or PowerShell, indicative of the trojanized SumatraPDF campaign deploying AdaptixC2.
status: experimental
author: Security Arsenal
date: 2026-04-26
tags:
    - attack.initial_access
    - attack.t1204
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\SumatraPDF.exe'
    selection_child:
        Image|endswith:
            - '\Code.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Extremely unlikely (PDF readers should not spawn IDEs)
level: critical
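Before shipping the two process-creation rules above, it helps to exercise their conditions against known-good and known-bad events. The following is an added example, not the report's code and not a Sigma backend: it re-implements the rule logic of the DinDoor and SumatraPDF rules directly in Python, mirroring Sigma's case-insensitive string modifiers with casefold(), and runs it over constructed process-creation events using Sysmon Event ID 1 field names. The file paths and command lines are invented for the test and are not indicators.

```python
"""Minimal evaluator for the DinDoor and SumatraPDF process-creation rules above.

Added example, not part of the original report. Each rule is expressed as a
function over one event dict so the `condition` logic (including the
`not filter_legit_dev` exclusion) can be checked before deployment.
"""

DEV_SUBCOMMANDS = ("bundle ", "install ", "upgrade ")   # filter_legit_dev from the DinDoor rule
DENO_PARENTS = ("\\msiexec.exe", "\\cmd.exe", "\\powershell.exe")
SUMATRA_CHILDREN = ("\\code.exe", "\\powershell.exe", "\\cmd.exe")


def _endswith_any(value: str, suffixes) -> bool:
    """Sigma `endswith` is case-insensitive by default; casefold both sides."""
    v = value.casefold()
    return any(v.endswith(s.casefold()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    """Sigma `contains`, case-insensitive."""
    v = value.casefold()
    return any(n.casefold() in v for n in needles)


def rule_dindoor(ev: dict) -> bool:
    """condition: selection_img and selection_parent and not filter_legit_dev"""
    selection_img = _endswith_any(ev["Image"], ("\\deno.exe",))
    selection_parent = _endswith_any(ev["ParentImage"], DENO_PARENTS)
    filter_legit_dev = _contains_any(ev.get("CommandLine", ""), DEV_SUBCOMMANDS)
    return selection_img and selection_parent and not filter_legit_dev


def rule_sumatra(ev: dict) -> bool:
    """condition: selection_parent and selection_child"""
    selection_parent = _endswith_any(ev["ParentImage"], ("\\sumatrapdf.exe",))
    selection_child = _endswith_any(ev["Image"], SUMATRA_CHILDREN)
    return selection_parent and selection_child


RULES = {
    "Suspicious Deno Runtime Execution (DinDoor)": rule_dindoor,
    "Trojanized SumatraPDF Spawning VS Code or Beacon": rule_sumatra,
}


def evaluate(events):
    """Return (rule title, event) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        for title, fn in RULES.items():
            if fn(ev):
                hits.append((title, ev))
    return hits


# Constructed process-creation events (Sysmon EID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\a\AppData\Local\deno\deno.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"deno.exe run C:\ProgramData\x.js"},                 # MSI-launched Deno: fires
    {"Image": r"C:\tools\deno.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "deno install npm:some-package"},                      # developer activity: filtered
    {"Image": r"C:\Users\a\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "ParentImage": r"C:\Users\a\Downloads\SumatraPDF\SumatraPDF.exe",
     "CommandLine": "Code.exe"},                                           # PDF reader spawning VS Code: fires
    {"Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "SumatraPDF.exe doc.pdf"},                             # benign reader launch
]

if __name__ == "__main__":
    for title, ev in evaluate(SAMPLE_EVENTS):
        print(f"[!] {title}: {ev['ParentImage']} -> {ev['Image']}")
```

Two of the four constructed events fire, one per rule; the second event shows why the `filter_legit_dev` exclusion matters on developer workstations, and the fourth confirms that an ordinary SumatraPDF launch from Explorer is silent.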
Microsoft Sentinel KQL
// Hunt for DinDoor and PRISMEX Network Indicators
// Looks for connections to Filen.io gateways and MuddyWater infrastructure.
// Note: filen.io is a legitimate service; this is a hunt query, so the broad match is kept
// and the gateway subdomains should be used if this is turned into an alert.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("filen.io", "duckdns.org", "ineracaspsl.site", "serialmenot.com", "justtalken.com")
| extend ThreatActor = case(
    RemoteUrl has "filen.io", "APT28_PRISMEX",
    RemoteUrl has_any ("duckdns.org", "ineracaspsl.site", "serialmenot.com"), "MuddyWater_DinDoor",
    "Unknown"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, ThreatActor
| order by Timestamp desc

// Hunt for Malicious File Execution
// Checks for DinDoor (deno.exe) and Tropic Trooper (SumatraPDF) execution chains.
// In DeviceProcessEvents the parent of the created process is InitiatingProcessFileName.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "deno.exe"
    or (InitiatingProcessFileName =~ "SumatraPDF.exe" and FileName in~ ("Code.exe", "powershell.exe", "cmd.exe"))
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256, InitiatingProcessAccountName
| order by Timestamp desc
PowerShell Hunt Script
<#
.SYNOPSIS
IOC Hunt Script for PRISMEX, DinDoor, and AdaptixC2 Campaigns
.DESCRIPTION
Scans common user-writable directories for known malicious hashes (the indicator list mixes MD5, SHA1 and SHA256 digests, and each is matched with its own algorithm), flags a Deno runtime in the user profile, and looks for COM InprocServer32 entries pointing into user-writable paths.
#>
$MaliciousHashes = @(
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
    "5c057af2f358fc10107d5ccdb39938ad",
    "e2e8516b4f275e8c636620b7377ee3b9f9f47bb0",
    "2d7cc3646c287d6355def362916c6d26",
    "3238d2f6b9ea9825eb61ae5e80e7365c",
    "67fcf5c21474d314aa0b27b0ce8befb2",
    "71fa755b6ba012e1713c9101c7329f8d",
    "89daa54fada8798c5f4e21738c8ea0b4",
    "9a69b717ec4e8a35ae595aa6762d3c27",
    "c620b4671a5715eec0e9f3b93e6532ba",
    "e2dc48ef24da000b8fc1354fa31ca9ae"
)

# Bucket the indicators by digest length so each file is hashed with every algorithm present
# in the list; comparing only SHA256 would never match the MD5 and SHA1 indicators above.
$AlgoByLength = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256' }
$HashSets = @{}
foreach ($h in $MaliciousHashes) {
    $algo = $AlgoByLength[$h.Length]
    if (-not $algo) { Write-Warning "Skipping indicator with unexpected length: $h"; continue }
    if (-not $HashSets.ContainsKey($algo)) { $HashSets[$algo] = New-Object 'System.Collections.Generic.HashSet[string]' }
    [void]$HashSets[$algo].Add($h.ToLowerInvariant())
}

Write-Host "[+] Scanning for known malicious file hashes..." -ForegroundColor Cyan
# Search common download and temp directories
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData", "$env:APPDATA")
foreach ($Path in $PathsToScan) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($algo in $HashSets.Keys) {
            $digest = (Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($digest -and $HashSets[$algo].Contains($digest.ToLowerInvariant())) {
                Write-Host "[!] MALICIOUS FILE FOUND ($algo): $($file.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking for suspicious Deno Runtime installations..." -ForegroundColor Cyan
if (Test-Path "$env:USERPROFILE\.deno") {
    Write-Host "[!] Deno Runtime detected in user profile. Verify if authorized." -ForegroundColor Yellow
}

Write-Host "[+] Checking for COM Hijacking Indicators (Registry)..." -ForegroundColor Cyan
# HKCU CLSID entries take precedence over HKLM, so an InprocServer32 default value pointing into
# AppData or Temp can hijack a system COM object. Some legitimate per-user applications also
# register DLLs under AppData\Local, so each hit needs verification rather than automatic action.
$ComKeys = Get-ChildItem "HKCU:\Software\Classes\CLSID" -ErrorAction SilentlyContinue
foreach ($key in $ComKeys) {
    $InprocPath = "$($key.PSPath)\InprocServer32"
    if (Test-Path $InprocPath) {
        $Value = (Get-ItemProperty -Path $InprocPath -ErrorAction SilentlyContinue).'(default)'
        if ($Value -and ($Value -match 'AppData' -or $Value -match '\\Temp\\')) {
            Write-Host "[!] Potential COM Hijack detected at: $($key.Name) -> $Value" -ForegroundColor Yellow
        }
    }
}
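The hash-matching step above is the part most often got wrong when an IOC feed mixes digest algorithms, so here is the same logic as an added, stand-alone example in Python (not the report's script): indicators are bucketed by hex length into MD5, SHA-1 and SHA-256 sets, each file is digested once per algorithm actually present in the list, and a malformed indicator is rejected instead of silently disabling matching. The file contents and the indicators derived from them are constructed for the demonstration and are not real IOCs.

```python
"""Algorithm-aware hash IOC matching.

Added example, not part of the original report. A scanner that computes only
SHA-256 never matches MD5 or SHA-1 indicators; grouping the feed by digest
length fixes that without hashing every file with every algorithm unnecessarily.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Hex-digest length -> hashlib algorithm name
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def group_iocs(hashes: Iterable[str]) -> Dict[str, Set[str]]:
    """Normalise indicators to lower-case hex and bucket them by algorithm.

    Unknown lengths or non-hex strings raise, so one bad line in a feed is
    noticed rather than quietly ignored.
    """
    groups: Dict[str, Set[str]] = {}
    for raw in hashes:
        h = raw.strip().lower()
        algo = _ALGO_BY_LEN.get(len(h))
        if algo is None or any(c not in _HEX for c in h):
            raise ValueError(f"unrecognised hash indicator: {raw!r}")
        groups.setdefault(algo, set()).add(h)
    return groups


def digest_bytes(data: bytes, algos: Iterable[str]) -> Dict[str, str]:
    """Compute the requested digests over one content buffer."""
    hashers = {a: hashlib.new(a) for a in algos}
    for h in hashers.values():
        h.update(data)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan(files: Dict[str, bytes], iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, digest) for every file whose digest is an indicator."""
    groups = group_iocs(iocs)
    hits: List[Tuple[str, str, str]] = []
    for path, data in files.items():
        for algo, digest in digest_bytes(data, groups).items():
            if digest in groups[algo]:
                hits.append((path, algo, digest))
    return hits


# Constructed file contents standing in for files under Downloads and Temp (not real samples).
SAMPLE_FILES = {
    r"C:\Users\a\Downloads\SumatraPDF.zip": b"constructed archive contents",
    r"C:\Users\a\AppData\Local\Temp\x.msi": b"constructed msi contents",
    r"C:\Users\a\Downloads\report.pdf": b"benign document",
}

# Constructed indicators in three algorithms; two are derived from the sample contents above,
# one (SHA-1) matches nothing, and one is upper-case to show normalisation.
SAMPLE_IOCS = [
    hashlib.md5(SAMPLE_FILES[r"C:\Users\a\Downloads\SumatraPDF.zip"]).hexdigest(),
    hashlib.sha256(SAMPLE_FILES[r"C:\Users\a\AppData\Local\Temp\x.msi"]).hexdigest().upper(),
    hashlib.sha1(b"some other constructed sample").hexdigest(),
]

if __name__ == "__main__":
    for path, algo, digest in scan(SAMPLE_FILES, SAMPLE_IOCS):
        print(f"[!] {path} matched {algo} {digest}")
```

With the constructed data the scan reports the archive on its MD5 indicator and the MSI on its SHA-256 indicator; the benign document matches nothing. For real files, replace `digest_bytes` with a chunked read so large downloads are not loaded into memory at once.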
Response Priorities
- Immediate:
  - Block: Block all hostnames listed in the APT28 (filen.io) and MuddyWater (DuckDNS, .site TLD) pulses at the perimeter.
  - Hunt: Scan endpoints for the provided MD5/SHA256 hashes associated with DinDoor and SumatraPDF.
  - Isolate: Isolate any systems exhibiting Deno runtime execution from MSI installers or SumatraPDF spawning code.exe.
- 24 Hours:
  - Investigate: Review logs for any successful exploitation attempts of CVE-2026-21509 or CVE-2026-21513.
  - Verify: Identify users with legitimate filen.io usage to reduce false positives before aggressive blocking.
- 1 Week:
  - Patch: Apply patches for CVE-2026-21509 and CVE-2026-21513 across all external-facing infrastructure.
  - Harden: Restrict the execution of unsigned installers (MSI) and implement application control policies to prevent PDF readers from spawning development tools like VS Code.