VYPR research · Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

Deep#Door Python Backdoor Targets Windows with Stealthy Persistence and Credential Theft

A new Python-based backdoor named Deep#Door uses obfuscated batch scripts and embedded payloads to evade detection on Windows systems, enabling long-term surveillance and credential theft.

A stealthy Python-based backdoor framework capable of long-term surveillance and credential theft has been identified targeting Windows systems. According to research from Securonix, the malware, dubbed Deep#Door, uses an obfuscated batch script to deploy a persistent implant while bypassing traditional detection methods.

Unlike many loaders that retrieve payloads from external servers, Deep#Door embeds its malicious Python code directly within the dropper script. This self-contained approach reduces network indicators and allows the malware to reconstruct its payload both in memory and on disk during execution.

At the core of the attack chain is a heavily obfuscated batch file that disables Windows security features before extracting the embedded Python payload. The script establishes persistence through multiple mechanisms, including startup folder entries, registry run keys, scheduled tasks, and Windows Management Instrumentation (WMI) subscriptions. Securonix researchers noted that this method reflects a broader shift toward script-driven intrusion techniques. By relying on native tools like PowerShell, attackers can blend malicious activity with legitimate system behavior and avoid static detection.

Once deployed, the backdoor communicates with attacker infrastructure via a public TCP tunneling service. This removes the need for dedicated command-and-control (C2) servers and allows malicious traffic to blend with legitimate connections. The implant supports several capabilities, including keylogging, screenshot capture, microphone recording, and browser credential harvesting. It can also extract SSH keys and cloud authentication tokens, enabling lateral movement across enterprise environments.

Extensive anti-analysis features further complicate detection. The malware checks for virtual machines, debugging tools, and sandbox environments before activating. It also patches core Windows telemetry systems and clears event logs to limit forensic visibility. "This design significantly reduces network-based detection opportunities and simplifies delivery into restricted environments," Securonix researchers explained.

Deep#Door maintains access through layered persistence mechanisms and watchdog processes that restore components if removed. Beyond surveillance, the malware includes destructive capabilities such as system crashes and boot record overwrites. These features suggest it could be used for both espionage and disruption depending on attacker objectives.
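The four persistence locations the report attributes to Deep#Door (startup folders, Run keys, scheduled tasks and WMI subscriptions) can be swept in one pass. The following PowerShell is an added audit example, not code from Securonix or the article; the keyword pattern it flags on (Python interpreters, batch files, PowerShell) is an assumption based on the script-driven chain described above, and it should be run from an elevated shell.

```powershell
# Added audit example (not from the Securonix research): list entries in the
# persistence locations named in the report and flag any whose command line
# references a Python interpreter, a .bat/.cmd/.py file or PowerShell.
$suspicious = 'pythonw?(\.exe)?\b|\.pyw?\b|\.bat\b|\.cmd\b|powershell|pwsh'
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Name, $Command) {
    if ($Command -and $Command -match $suspicious) {
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Startup folders (per-user and all-users); resolve .lnk targets
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        Add-Finding 'StartupFolder' $_.Name $target
    }
}

# 2. Registry Run / RunOnce keys for the current user and the machine
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" $_.Value }
        }
    }
}

# 3. Scheduled tasks: inspect every action's executable and arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        Add-Finding 'ScheduledTask' $_.TaskName "$($a.Execute) $($a.Arguments)"
    }
}

# 4. Permanent WMI event consumers (command-line and script consumers)
Get-CimInstance -Namespace root/subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $cmd = if ($_.CommandLineTemplate) { $_.CommandLineTemplate } else { $_.ScriptText }
        Add-Finding 'WmiConsumer' $_.Name $cmd
    }

$findings | Format-Table -AutoSize
```

Any hit is a lead for manual review rather than proof of compromise, since legitimate software also registers Python or PowerShell launchers; pair the listing with the event-log gaps and telemetry tampering the report describes when triaging.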

The findings reflect a continued evolution in threat actor tradecraft, where modular, script-based frameworks replace traditional binaries. By combining in-memory execution, public infrastructure, and aggressive defense evasion, Deep#Door demonstrates how modern malware can operate with minimal visibility across compromised systems.

Synthesized by Vypr AI