Security researchers have uncovered a sophisticated malware campaign exploiting the surging popularity of AI assistants. Threat actors are distributing fake desktop installers for ChatGPT and Claude on platforms like GitHub and SourceForge, using them to silently deploy a powerful new backdoor dubbed DinDoor. The campaign has already reached tens of thousands of potential victims through compromised YouTube channels before the malicious repositories were identified.
Trojanized AI Installers: A Growing Attack Surface
The attackers packaged convincing-looking installers that mimic the official branding and installation experience of popular AI chatbot desktop clients. Once executed, these fake installers do launch a functional-looking application — masking the malicious activity running underneath. The technique of bundling malware with legitimate or semi-legitimate software lowers the victim’s guard at the critical moment of initial compromise.
Researchers found the malicious packages promoted through YouTube videos with over 50,000 combined views on channels that had been hijacked or created specifically for the campaign. The videos posed as tutorials, reviews, or download guides for AI tools, directing viewers to the infected repositories.
DinDoor: The Backdoor Behind the Curtain
The malware deployed by the fake installers is DinDoor, a multi-capability backdoor with an unusual delivery mechanism. Rather than relying on traditional system runtimes, DinDoor is delivered and executed via the Deno JavaScript runtime — a modern, secure-by-default runtime typically used for legitimate development. Using Deno helps the malware blend into developer environments and evade endpoint detection tools that may not flag Deno-based processes.
DinDoor’s capabilities are extensive and designed for both immediate financial theft and long-term persistent access:
- Cryptocurrency wallet theft: The backdoor scans the infected system for over 50 different cryptocurrency wallet applications, targeting seed phrases, private keys, and wallet data files for exfiltration.
- P2P video streaming abuse: DinDoor spawns a hidden Microsoft Edge browser process to facilitate peer-to-peer video streaming — likely used to generate fraudulent ad revenue or facilitate further payload delivery.
- SOCKS5 proxy: The compromised machine can be turned into a SOCKS5 proxy node, routing the attackers’ traffic through the victim’s internet connection to anonymize operations.
- VNC remote access: Full visual remote control via VNC allows operators to interact with the victim’s desktop in real time.
- Persistence mechanisms: DinDoor establishes startup persistence to survive reboots, ensuring continued access even after the initial infection vector is discovered.
Campaign Infrastructure and Distribution
The attackers demonstrated operational sophistication in their distribution chain. GitHub and SourceForge repositories were created with realistic README files, star counts, and commit histories to appear credible to developers and tech-savvy users. The YouTube promotion strategy targeted users specifically searching for AI desktop app downloads — a high-intent audience likely to trust seemingly professional tutorial content.
The use of GitHub and SourceForge is particularly insidious because many organizations and security tools implicitly trust these platforms. Downloads from these repositories may not trigger the same warnings as binaries from unknown web servers.
Indicators of Compromise (IoCs)
Organizations should hunt for the following indicators across their environments:
- Unexpected Deno runtime processes (
deno.exe) spawned by installer or application binaries - Hidden Microsoft Edge processes with no corresponding visible browser window
- Outbound SOCKS5 or VNC traffic from endpoints not expected to generate such traffic
- Access to cryptocurrency wallet file paths from non-wallet processes
- New startup entries pointing to Deno scripts or unconventional runtime executables
Protective Measures
Given the campaign’s reliance on social engineering and platform trust, organizations and individuals should take the following steps:
- Download AI tools exclusively from official sources: Only install ChatGPT, Claude, or other AI applications from the official vendor websites (openai.com, claude.ai, anthropic.com). Never use third-party GitHub repositories or SourceForge packages for official applications.
- Verify installer hashes: When official vendors publish SHA-256 or other hashes for their installers, always verify before executing.
- Monitor for Deno runtime: If Deno is not an expected part of your environment, its presence should be investigated immediately.
- Enable endpoint detection coverage for non-standard runtimes: Ensure EDR solutions are configured to monitor and alert on unusual runtime environments including Deno, Bun, and similar tools.
- Protect cryptocurrency assets: Use hardware wallets for significant holdings and never store seed phrases in plaintext on internet-connected machines.
The DinDoor campaign is a stark reminder that the explosive interest in AI tools has created a fresh and fertile attack surface for financially motivated threat actors. As AI applications become mainstream, the demand for unofficial “enhanced” or “free” versions will inevitably be exploited further. Verifying the authenticity of software installations — regardless of where they are hosted — remains a fundamental security discipline.