DEEP#DOOR: New Python Backdoor Uses Public Tunneling Service for Stealthy Credential Theft
Researchers have uncovered DEEP#DOOR, a Python-based backdoor that uses the bore.pub Rust-based tunneling service for C2 and steals browser, cloud, and system credentials from compromised hosts.

Security researchers at Securonix have disclosed a stealthy Python-based backdoor framework dubbed DEEP#DOOR that combines fileless execution, public tunneling for command-and-control, and extensive credential theft capabilities. The malware is distributed via a batch script that disables Windows security controls, extracts an embedded Python payload, and establishes persistence through multiple mechanisms.
The attack chain begins with a batch script ('install_obf.bat') that is likely delivered through phishing campaigns. The script disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through Startup folder scripts, Registry Run keys, scheduled tasks, and optional WMI subscriptions. The core Python implant is embedded directly inside the dropper script, reducing the need for external infrastructure and minimizing forensic footprint.
Once launched, DEEP#DOOR establishes communication with 'bore[.]pub,' a Rust-based tunneling service, allowing the operator to issue commands for remote execution and surveillance. The malware's capabilities include reverse shell, system reconnaissance, keylogging, clipboard monitoring, screenshot capture, webcam access, ambient audio recording, and theft of browser credentials from Chrome and Firefox, Windows Credential Manager data, and cloud credentials for AWS, GCP, and Azure. The use of a public TCP tunneling service for C2 eliminates the need for dedicated infrastructure, lets malicious traffic blend in with legitimate use of the service, and avoids embedding server details in the payload.
DEEP#DOOR incorporates extensive anti-analysis and defense evasion mechanisms, including sandbox, debugger, and VM detection, AMSI and ETW patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass, PowerShell logging suppression, command-line wiping, timestamp stomping, and log clearing. It also employs a watchdog mechanism that automatically recreates persistence artifacts if they are removed, making remediation challenging.
According to Securonix, the malware is assessed as targeted rather than widespread, with no clear geographic or sector focus. 'Based on our current analysis, there is no clear evidence to suggest that this malware framework was widely used in large-scale or highly active campaigns,' said Akshay Gaikwad, senior security research engineer at Securonix. 'Its observed usage appears to be limited and somewhat targeted rather than broadly distributed.'
The framework highlights the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely on native system components and interpreted languages like Python. By embedding the payload directly within the dropper and extracting it at runtime, the malware significantly reduces external dependencies and limits traditional detection opportunities. Organizations are advised to monitor for unusual PowerShell or batch script execution, unexpected outbound connections to tunneling services, and unauthorized access to credential stores.
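To make the monitoring advice above concrete, here is a small detection pass that runs over endpoint telemetry and flags the behaviours the article describes: a Python interpreter launched from a batch dropper, an outbound connection to the bore.pub tunneling service, a Registry Run key written by a scripting host, and a scheduled task created to run Python. This is an added example, not code from Securonix or from the report; the events are constructed for the demonstration, and the simplified Sysmon-style field names (EventID, Image, CommandLine, ParentCommandLine, DestinationHostname, TargetObject) are an assumption about how the telemetry is shaped.

```python
"""Toy detection pass for DEEP#DOOR-style behaviours over constructed
Sysmon-like events. Added example; event shape and sample values are
assumptions, not data from the Securonix report."""
import re

# Tunneling domain named in the report; extend with any public tunnelers your
# estate does not legitimately use.
TUNNEL_DOMAINS = ("bore.pub",)

# Interpreters / script hosts that should not normally be writing Run keys.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Matches ...\CurrentVersion\Run\ or ...\CurrentVersion\RunOnce\ in a registry path.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_python(image: str) -> bool:
    name = basename(image)
    return name.startswith("python") and name.endswith(".exe")


def check_event(ev: dict) -> list:
    """Return the list of rule names an event triggers (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        parent_cmd = ev.get("ParentCommandLine", "").lower()
        if is_python(ev.get("Image", "")) and ".bat" in parent_cmd:
            hits.append("python_spawned_by_batch")
        cmd = ev.get("CommandLine", "").lower()
        if (basename(ev.get("Image", "")) == "schtasks.exe"
                and "/create" in cmd and "python" in cmd):
            hits.append("schtasks_python_persistence")
    elif eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        if any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS):
            hits.append("outbound_to_tunneling_service")
    elif eid == 13:  # registry value set
        if (RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and basename(ev.get("Image", "")) in SCRIPT_HOSTS):
            hits.append("run_key_set_by_script_host")
    return hits


def scan(events: list) -> list:
    """Run every event through the rules; return (event index, rule) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample telemetry (paths, ports and task name are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "CommandLine": r"python.exe C:\Users\u\AppData\Roaming\svc.py",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Users\u\Downloads\install_obf.bat"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "DestinationHostname": "bore.pub", "DestinationPort": 7835},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "ConstructedTaskName" /tr "python.exe C:\Users\u\AppData\Roaming\svc.py" /sc onlogon',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Users\u\Downloads\install_obf.bat"},
    # Benign: Python launched by an editor, and a browser visiting an ordinary site.
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "CommandLine": r"python.exe notebook.py",
     "ParentImage": r"C:\Users\u\AppData\Local\Programs\Editor\Editor.exe",
     "ParentCommandLine": r"Editor.exe --run"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules deliberately key on behaviour rather than file names, since the dropper and payload names can change between builds: a scripting host writing a Run key, schtasks registering an interpreter, and any connection to a tunneling domain are each worth an alert on their own, and the combination on one host in a short window is a strong signal. The tunneling-domain match accepts subdomains but not look-alike names, so a host such as "notbore.pub" is not flagged.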