New Deep#Door Python Backdoor Targets Windows with Espionage and Destructive Capabilities
A sophisticated Python-based backdoor named Deep#Door targets Windows systems, enabling persistent remote access, surveillance, and destructive operations.
A newly identified stealthy Python-based backdoor framework provides attackers with persistent remote command execution and surveillance capabilities on Windows computers, according to a report from Securonix. The malware, dubbed Deep#Door, is designed to evade detection and can shift from espionage to destructive operations, including overwriting the Master Boot Record and forcing system crashes.
The infection chain begins with the execution of a batch script that disables the system's security controls, including SmartScreen, firewall logging, Defender tamper protection, and Antimalware Scan Interface (AMSI) functions. Next, it loads an embedded Python payload and establishes multi-layered persistence by modifying Run registries, creating scheduled tasks, and placing scripts in the Startup folder. By embedding the payload directly into the batch script's body, the malware's developer simplifies delivery and evades network-based detection.
Deep#Door performs environment validation checks to ensure it is not executed in virtual machines, sandboxes, or analysis environments. It checks for debuggers, specific virtualization artifacts, and behavioral and environmental characteristics. Once active, the backdoor enables shell command execution, file manipulation, system and network reconnaissance, and surveillance operations such as keylogging, clipboard monitoring, screenshot capture, microphone and webcam access, and credentials and SSH key harvesting.
The malware can also shift from espionage to destructive operations, as it can overwrite the Master Boot Record, force system crashes, and exhaust system resources by spawning numerous processes. "Deep#Door incorporates a layered and highly aggressive set of defense evasion techniques designed to bypass security controls, evade detection, and complicate forensic analysis," Securonix notes. The malware dynamically constructs a range of possible communication ports to reach its command-and-control (C&C) infrastructure even if specific ports are blocked, and uses public tunneling for covert and resilient communication that blends with legitimate traffic.
"Additionally, the combination of multi-layer persistence, advanced defense evasion (AMSI/ETW patching, ntdll unhooking), and in-memory stealth techniques allows the implant to operate with minimal forensic footprint while maintaining long-term access," Securonix says, underlining that Deep#Door was likely built for espionage. The discovery highlights the ongoing evolution of backdoor malware, with attackers increasingly using scripting languages like Python to create flexible and hard-to-detect threats.
Organizations are advised to implement robust endpoint detection and response solutions, monitor for unusual script executions, and enforce application whitelisting to mitigate such threats. The full report from Securonix provides further technical details on the malware's capabilities and indicators of compromise.