Back to Intelligence

PRISMEX, DinDoor, and ValleyRAT: OTX Pulse Analysis — APT and Crime Syndicate Surge

SA
Security Arsenal Team
April 27, 2026
6 min read

Recent OTX pulses indicate a convergence of high-activity threat actors utilizing distinct malware families to target critical sectors globally. APT28 (Pawn Storm) is aggressively targeting Eastern European government and defense infrastructure using the PRISMEX malware suite, exploiting two critical zero-day vulnerabilities (CVE-2026-21509, CVE-2026-21513). Simultaneously, MuddyWater is pivoting to the "DinDoor" backdoor, abusing the Deno JavaScript runtime to evade detection in financial sectors, while Void Arachne (Silver Fox) is leveraging Japanese tax season themes to distribute ValleyRAT via spearphishing. Collectively, these campaigns demonstrate a shift towards leveraging niche runtimes (Deno) and advanced steganography to bypass traditional EDR solutions.

Threat Actor / Malware Profile

APT28 (Pawn Storm) & PRISMEX

  • Objective: Cyberespionage and disruption of military aid logistics.
  • Distribution: Exploit kits targeting CVE-2026-21509 and CVE-2026-21513; likely spearphishing.
  • Payload Behavior: A modular suite including PrismexDrop, PrismexLoader, and PrismexStager. Utilizes MiniDoor and NotDoor for secondary access.
  • C2 & Persistence: Uses COM hijacking for persistence. C2 infrastructure is hosted on cloud storage-related domains (filen.io). Employs steganography to hide payloads within image files.

MuddyWater & DinDoor

  • Objective: Financial espionage and data exfiltration.
  • Distribution: Malicious MSI installers, likely delivered via phishing or compromised updates.
  • Payload Behavior: A backdoor written in JavaScript/TypeScript running on the Deno runtime. Executes entirely in-memory in some variants to avoid disk IOCs.
  • C2 & Persistence: Uses specific fingerprinting algorithms to identify victims. C2 communications utilize domains ending in .cyou and DuckDNS services (agilemast3r.duckdns.org).

Void Arachne (Silver Fox) & ValleyRAT

  • Objective: Corporate espionage and long-term access to manufacturing entities.
  • Distribution: Highly targeted spearphishing emails themed around Japanese tax compliance, HR changes, and salary adjustments.
  • Payload Behavior: ValleyRAT provides remote control capabilities, often used to deploy further payloads or steal sensitive data.
  • C2 & Persistence: Standard RAT behavior (reverse shell, keylogging). The campaign relies heavily on social engineering rather than technical exploits.

IOC Analysis

The current pulse data provides a mix of network and file-based indicators:

  • Hostnames/Domains: A significant cluster of IOCs points to gateway.filen.io and related subnets (APT28 C2) and suspicious TLDs like .cyou and .duckdns.org (DinDoor). SOC teams should immediately block these domains at the perimeter and recursive resolvers.
  • File Hashes: DinDoor and ValleyRAT samples are identified via SHA256, MD5, and SHA1 hashes. These should be uploaded to EDR allowlist/blocklist configurations. The DinDoor hashes specifically relate to MSI installers and obfuscated JavaScript bundles.
  • Operationalization: Use threat intelligence platforms (TIPs) to auto-push these IOCs to firewalls and SIEMs. Focus specifically on hunting for the Deno runtime process (deno.exe) in corporate environments, as it is uncommon in standard base images.

Detection Engineering

YAML
---
title: Potential APT28 PRISMEX C2 Activity
date: 2026/04/28
author: Security Arsenal
status: stable
description: Detects potential communication with known PRISMEX C2 infrastructure related to Pawn Storm campaign.
references:
    - https://otx.alienvault.com/pulse/662c4f5c8f2f0c3a9b1d4e5f
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: dns
    product: windows
detection:
    selection:
        query|contains:
            - '.filen.io'
            - '.filen-1.net'
            - '.filen-2.net'
    condition: selection
falsepositives:
    - Legitimate use of Filen cloud storage (rare in enterprise)
level: critical
---
title: Suspicious Deno Runtime Execution (DinDoor)
date: 2026/04/28
author: Security Arsenal
status: stable
description: Detects the execution of Deno runtime, which is abused by DinDoor backdoor to execute obfuscated JavaScript. Uncommon in typical enterprise environments.
references:
    - https://otx.alienvault.com/pulse/662c4f5c8f2f0c3a9b1d4e6f
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\deno.exe'
            - '\deno' 
    selection_cli:
        CommandLine|contains:
            - 'eval'
            - 'run'
            - 'bundle'
    condition: all of selection_*
falsepositives:
    - Developer machines using Deno for legitimate JS/TS development
level: high
---
title: ValleyRAT Spearphishing Payload Execution
date: 2026/04/28
author: Security Arsenal
status: stable
description: Detects execution of known ValleyRAT hash indicators or common dropping behaviors associated with Japanese tax season lures.
references:
    - https://otx.alienvault.com/pulse/662c4f5c8f2f0c3a9b1d4e7f
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_hash:
        Hashes|contains:
            - '1af5b25acd2df31f44a54fc8dcd85287'
            - '244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db'
    selection_keywords:
        TargetFilename|contains:
            - 'Tax'
            - 'Salary'
            - '人事' 
    condition: 1 of selection*
falsepositives:
    - Legitimate tax documents (if hash matches, FP is unlikely)
level: critical


kql
// Hunt for DinDoor C2 and APT28 Infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has ".filen.io" or RemoteUrl has "duckdns.org" or RemoteUrl endswith ".cyou"
| extend IOCDetail = case(
    RemoteUrl has "filen", "Potential APT28 PRISMEX C2",
    RemoteUrl has "duckdns" or RemoteUrl endswith ".cyou", "Potential MuddyWater DinDoor C2",
    "Unknown Suspicious Domain"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, IOCDetail

// Hunt for Deno Runtime Execution (DinDoor Loader)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "deno.exe" or ProcessVersionInfoOriginalFileName =~ "deno"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc


powershell
<#
.SYNOPSIS
    IOC Hunt Script for PRISMEX and DinDoor Campaigns
.DESCRIPTION
    Checks running processes for Deno runtime and network connections for APT28 related hostnames.
#>

# Check for Deno Runtime Process (DinDoor Indicator)
$denoProcess = Get-Process -Name "deno" -ErrorAction SilentlyContinue
if ($denoProcess) {
    Write-Host "[!] WARNING: Deno runtime detected. Potential DinDoor infection." -ForegroundColor Red
    $denoProcess | Format-List Id, ProcessName, Path, StartTime
} else {
    Write-Host "[+] No Deno process found." -ForegroundColor Green
}

# Check DNS Cache for APT28 / DinDoor Domains
$suspiciousDomains = @(
    "filen.io", "filen-1.net", "filen-2.net",
    "duckdns.org", ".cyou",
    "agilemast3r.duckdns.org"
)

$dnsCache = Get-DnsClientCache
foreach ($domain in $suspiciousDomains) {
    $hits = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
    if ($hits) {
        Write-Host "[!] WARNING: Suspicious DNS entry found for $domain" -ForegroundColor Red
        $hits | Format-List Entry, Data, TimeToLive
    }
}

# Check for recently created MSI files (DinDoor vector)
$recentMs = Get-ChildItem -Path "C:\Users\" -Recurse -Filter "*.msi" -ErrorAction SilentlyContinue | 
             Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }

if ($recentMs) {
    Write-Host "[!] INFO: Recently created MSI files found (Potential DinDoor vector):" -ForegroundColor Yellow
    $recentMs | Select-Object FullName, LastWriteTime, Length
}


# Response Priorities

*   **Immediate:** 
    *   Block all listed `filen.io`, `duckdns.org`, and `.cyou` domains at the proxy and firewall level.
    *   Scan endpoints for the presence of `deno.exe`—quarantine immediately if found outside developer environments.
    *   Apply patches for CVE-2026-21509 and CVE-2026-21513 to all external-facing infrastructure.

*   **24 Hours:**
    *   Initiate a credential audit for users with potential access to the specific domains or who interacted with the spearphishing attachments (HR/Finance depts in Japan).
    *   Hunt for the specific file hashes provided in the DinDoor and ValleyRAT pulses across all endpoints.

*   **1 Week:**
    *   Review and restrict the use of niche runtimes (Deno, Node.js) on non-developer workstations via Application Whitelisting (AppLocker).
    *   Conduct security awareness training focusing on tax season lures and HR-related spearphishing, specifically for Japanese manufacturing branches.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareprismexdindoorvalleyratapt28muddywater

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action