Iranian APT Seedworm Deploys Dindoor Backdoor via Microsoft Teams Social Engineering Using Deno Runtime for In-Memory Execution
CyberProof researchers have uncovered a campaign by Iranian APT group Seedworm that uses Microsoft Teams as an initial access vector, deploying a custom backdoor called Dindoor through social engineering that impersonates IT support personnel. The campaign emerged in early March 2026, coinciding with a surge in Iranian-linked cyber activity following escalating geopolitical tensions in the Middle East.
The intrusion began with a Teams message from an external user posing as IT support under the name "Sarah Wilson," operating from a deceptive Microsoft 365 tenant domain (seqhelpsitdevsupportops[.]onmicrosoft.com) designed to resemble a legitimate helpdesk. The attacker claimed a colleague had been compromised and convinced the target to execute a malicious installer named update_ms.msi, disguised as a Windows update package. The MSI was signed with a certificate issued to "Anquesia Gray" that had been revoked at the time of investigation.
Once executed, Dindoor deployed several components into a hidden directory, including deno.exe, Falcon_module63.vbs, and tango13.ps1. The most notable aspect of the attack chain is Seedworm's abuse of Deno — a legitimate JavaScript and TypeScript runtime typically used for backend development. The attacker leveraged deno.exe to execute a highly obfuscated, Base64-encoded payload tracked as DINODANCE directly in memory, minimizing on-disk artifacts and complicating forensic analysis.
Once decoded, the DINODANCE payload established command-and-control communications with remote infrastructure, exfiltrating host metadata including username, hostname, and operating system details. Analysis revealed that the C2 infrastructure overlapped with MuddyWater infrastructure publicly reported by Cisco in March 2026 — consistent with the known operational relationship between Seedworm and the broader MuddyWater umbrella.
The dropped PowerShell script tango13.ps1 retrieved additional payloads from attacker-controlled servers at dd3.filedwnl[.]top and dd4.filedwnl[.]top. Persistence was established through a deceptive registry Run key named "Realtek HD Audio Universal Service" pointing to malware downloaded from these servers — a technique designed to blend in with legitimate system services and avoid casual inspection.
Defensive Guidance:
Security monitoring needs to extend to Microsoft Teams and collaboration platforms — this campaign demonstrates that Teams impersonation is an active and effective nation-state tactic, not just opportunistic phishing. Block external Teams communications from untrusted tenants or implement approval workflows for external contact requests. Flag any instances of deno.exe running in enterprise environments where it has no legitimate development purpose, especially when executing Base64-encoded payloads. Hunt for registry persistence keys masquerading as audio or hardware services. Block the identified C2 infrastructure — serialmenot[.]com, dd3.filedwnl[.]top, dd4.filedwnl[.]top, and 140.82.18.48 — at the network perimeter.
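The three hunts above (deno.exe running an inline Base64 blob, Run-key values masquerading as audio/hardware services, and traffic to the listed C2 hosts) as an added triage script; this is example code, not from CyberProof's report, and the event dictionaries, field names and thresholds are constructed assumptions modelled on Sysmon-style telemetry.

```python
import re

# Indicators quoted in the write-up (defanging brackets removed for matching)
C2_INDICATORS = {"serialmenot.com", "dd3.filedwnl.top", "dd4.filedwnl.top", "140.82.18.48"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumed trigger: a run of 60+ Base64-alphabet characters in the command line
B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
HARDWARE_WORDS = re.compile(r"realtek|audio|nvidia|intel", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def flag_deno(ev):
    """Any deno.exe execution is suspicious outside dev hosts; Base64 on the command line raises it."""
    if ev.get("type") != "process" or not ev["image"].lower().endswith("\\deno.exe"):
        return None
    if B64_RUN.search(ev["cmdline"]):
        return ("high", "deno.exe executing inline Base64 payload: " + ev["image"])
    return ("medium", "deno.exe execution outside a development context: " + ev["image"])

def flag_run_key(ev):
    """Run-key value named like an audio/hardware service that points outside trusted directories."""
    if ev.get("type") != "registry" or not ev["key"].lower().endswith("\\currentversion\\run"):
        return None
    data = ev["data"].lower().strip('"')
    if HARDWARE_WORDS.search(ev["name"]) and not data.startswith(TRUSTED_DIRS):
        return ("high", f"Run key masquerade '{ev['name']}' -> {ev['data']}")
    return None

def flag_c2(ev):
    """Direct match against the C2 hosts named in the report."""
    if ev.get("type") == "network" and ev["dest"].lower() in C2_INDICATORS:
        return ("critical", "connection to known Seedworm C2 " + ev["dest"])
    return None

def hunt(events):
    """Run every check over the event list; return (severity, message) findings in event order."""
    findings = []
    for ev in events:
        for check in (flag_deno, flag_run_key, flag_c2):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings

# Constructed sample telemetry modelled on the chain described above (not real logs)
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\.hidden\deno.exe",
     "cmdline": "deno.exe eval " + "QUFB" * 20},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "key": RUN_KEY, "name": "Realtek HD Audio Universal Service",
     "data": r"C:\Users\alice\AppData\Roaming\rtkaudio.exe"},
    {"type": "registry", "key": RUN_KEY, "name": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "network", "dest": "dd3.filedwnl.top"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields three findings: the Base64 deno.exe launch, the masqueraded Run key, and the connection to dd3.filedwnl[.]top; the legitimate svchost and OneDrive entries stay silent.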