Back to Intelligence

DinDoor Backdoor, AdaptixC2 Beacon, and The Gentlemen RaaS: OTX Threat Landscape Analysis — Detection & Response

SA
Security Arsenal Team
May 23, 2026
6 min read

Recent OTX pulses highlight a surge in diverse threat activities targeting financial, government adjacent (military), and critical infrastructure sectors. The primary threats include MuddyWater leveraging the novel Deno runtime for the DinDoor backdoor, Tropic Trooper utilizing trojanized SumatraPDF installers to distribute AdaptixC2 and Cobalt Strike beacons, and the aggressive expansion of The Gentlemen RaaS operation which employs defense evasion techniques like event log clearing. Collectively, these campaigns emphasize a trend toward abusing legitimate development runtimes (Deno), trojanizing trusted utilities (SumatraPDF), and rigorous operational security (log clearing) to evade detection.

Threat Actor / Malware Profile

1. DinDoor (MuddyWater)

  • Distribution: Delivered via malicious MSI files.
  • Payload Behavior: Exploits the Deno runtime (JavaScript/TypeScript) to execute obfuscated code. Variants either write payloads to disk or run entirely in-memory to evade file-based scanning.
  • C2 Communication: Uses standard HTTP/HTTPS protocols to connect to over 20 active C2 domains. Performs system fingerprinting to generate unique victim IDs.
  • Persistence: Establishes persistence via installed MSI services and potentially Deno-related scheduled tasks.
  • Anti-Analysis: Obfuscated JavaScript and in-memory execution hinder static analysis.

2. AdaptixC2 / Tropic Trooper

  • Distribution: ZIP archives containing military-themed documents luring Chinese-speaking targets. Uses a trojanized SumatraPDF binary.
  • Payload Behavior: Deploys shellcode loaders (EntryShell/TOSHIS) that drop AdaptixC2 Beacons and Cobalt Strike. Unusually installs Visual Studio Code as a component of the attack chain, likely to blend in with developer environments.
  • C2 Communication: Utilizes custom C2 protocols associated with AdaptixC2 and standard Cobalt Strike profiles.
  • Persistence: Standard malware persistence mechanisms via registry run keys or folder startup.

3. The Gentlemen (RaaS)

  • Distribution: Ransomware-as-a-service model; exact initial vector varies, but often includes phishing or valid account exploitation.
  • Payload Behavior: Encrypts victim data using aggressive cryptography. Actively seeks out and destroys backups.
  • Defense Evasion: Notable for wevtutil usage to clear Security, System, and Application logs. Disables Microsoft Defender. Uses PowerShell for execution.
  • Persistence: Scheduled Tasks and SOCKS proxy configurations for lateral movement.

IOC Analysis

The provided indicators cover multiple vectors:

  • Domains: DinDoor utilizes specific domains (e.g., ineracaspsl.site, serialmenot.com) for C2. SOC teams should block these at the firewall/DNS level.
  • File Hashes: MD5 hashes are prevalent for the AdaptixC2/Trojanized PDF campaign, while DinDoor provides SHA256. These should be loaded into EDR exclusion allow-lists (for verification) or block-lists immediately.
  • IP Addresses: The Gentlemen C2 IPs (e.g., 193.233.202.17) must be blocked on perimeter firewalls.
  • CVE: The Gentlemen campaign references CVE-2024-55591, suggesting an exploit-based component for privilege escalation or defense evasion.

Detection Engineering

Sigma Rules

YAML
title: Potential DinDoor Backdoor Activity via Deno Runtime
id: 8b4c2d1f-3a6e-4f5c-9b1a-8c7d6e5f4a3b
description: Detects suspicious execution of Deno runtime spawned by installers or with JS arguments, typical of DinDoor backdoor behavior.
status: experimental
date: 2026/05/24
author: Security Arsenal
references:
    - https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\msiexec.exe'
            - '\cmd.exe'
        Image|endswith:
            - '\deno.exe'
        CommandLine|contains:
            - 'run'
            - 'bundle'
    condition: selection
falsepositives:
    - Legitimate developer usage of Deno
level: high
---
title: Trojanized SumatraPDF Spawning Suspicious Processes
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects SumatraPDF spawning child processes like PowerShell or CMD, indicative of the Tropic Trooper AdaptixC2 campaign.
status: experimental
date: 2026/05/24
author: Security Arsenal
references:
    - AlienVault OTX
tags:
    - attack.initial_access
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\SumatraPDF.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown (SumatraPDF should not spawn shells)
level: critical
---
title: Security Event Log Clearing (The Gentlemen Ransomware)
id: f1e2d3c4-b5a6-9876-fedc-ba9876543210
description: Detects attempts to clear Windows Event Logs, a defense evasion tactic heavily used by The Gentlemen ransomware.
status: experimental
date: 2026/05/24
author: Security Arsenal
references:
    - https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps
tags:
    - attack.defense_evasion
    - attack.t1070.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil:
        Image|endswith:
            - '\wevtutil.exe'
        CommandLine|contains:
            - 'cl'
            - 'clear-log'
    selection_powershell:
        Image|endswith:
            - '\powershell.exe'
        CommandLine|contains:
            - 'Remove-EventLog'
            - 'Clear-EventLog'
    condition: 1 of selection*
falsepositives:
    - Administrative log management scripts
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for DinDoor C2 Domains and File Hashes
let DinDoorHashes = dynamic(["2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5", "5c057af2f358fc10107d5ccdb39938ad"]);
let DinDoorDomains = dynamic(["ineracaspsl.site", "serialmenot.com", "justtalken.com", "hngfbgfbfb.cyou"]);
DeviceNetworkEvents
| where RemoteUrl in (DinDoorDomains) or InitiatingProcessSHA256 in (DinDoorHashes)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where SHA256 in (DinDoorHashes) or ProcessCommandLine contains "deno"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
)
| extend Threat = "DinDoor / MuddyWater"

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for DinDoor, AdaptixC2, and Gentlemen Ransomware artifacts.
.DESCRIPTION
    Checks for suspicious Deno executions, SumatraPDF parent processes, and Event Log clearing evidence.
#>

Write-Host "[+] Hunting for DinDoor (Deno) Artifacts..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'deno.exe' } | 
    Select-Object TimeCreated, Message | Format-List

Write-Host "[+] Hunting for AdaptixC2 (Trojanized SumatraPDF)..." -ForegroundColor Cyan
$proccesses = Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'SumatraPDF.exe' }
foreach ($proc in $proccesses) {
    $children = Get-WmiObject Win32_Process | Where-Object { $_.ParentProcessId -eq $proc.ProcessId }
    if ($children) {
        Write-Host "ALERT: SumatraPDF (PID: $($proc.ProcessId)) spawned child process:" -ForegroundColor Red
        $children | Select-Object Name, CommandLine | Format-List
    }
}

Write-Host "[+] Checking for The Gentlemen Ransomware Persistence (Scheduled Tasks)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -match 'powershell' -or 
    $_.Actions.Execute -match 'cmd' -and 
    $_.TaskName -notmatch 'Microsoft' 
} | Select-Object TaskName, LastRunTime, Actions

Write-Host "[+] Checking for Event Log Clearing (Security ID 1102)..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 5 -ErrorAction SilentlyContinue | 
    Select-Object TimeCreated, Message

Response Priorities

  • Immediate:
    • Block all listed DinDoor domains and The Gentlemen IPs at the perimeter.
    • Add the MD5 and SHA256 hashes provided to all EDR blocklists.
    • Isolate endpoints exhibiting SumatraPDF spawning shell processes.
  • 24 Hours:
    • Hunt for deno.exe installations on non-developer workstations.
    • Review Windows Event Logs for ID 1102 (Log clear) to identify potential The Gentlemen ransomware victims.
    • Patch systems against CVE-2024-55591 if applicable.
  • 1 Week:
    • Review software allow-listing policies to prevent unauthorized execution of Deno or trojanized utilities.
    • Conduct user awareness training regarding military-themed lures and suspicious PDF installers.
    • Implement stricter SIEM alerting for event log clearing activities.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwaredindoor-backdooradaptixc2gentlemen-ransomwaremuddywaterransomware-as-a-service

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action