- A stealthy Python backdoor called DEEP#DOOR uses a tunneling service for command-and-control to steal sensitive data, including cloud credentials and SSH keys.
- The malware embeds its payload directly within the dropper script to minimize forensic traces and employs multiple anti-analysis mechanisms to evade detection.
- Securonix researchers detail how the framework establishes persistent access through various system mechanisms, making remediation difficult.
Cybersecurity researchers from Securonix have disclosed details of a sophisticated Python-based backdoor framework called DEEP#DOOR, which was designed to harvest extensive data from compromised systems, according to a report shared with The Hacker News in late April 2026.
The attack chain begins with a batch script that disables Windows security controls and dynamically extracts an embedded Python payload. It then establishes persistence through Startup folder scripts, registry Run keys, and scheduled tasks.
Embedding the payload in the dropper reduces the need for external infrastructure and thereby minimizes the forensic footprint. The malware then establishes command-and-control communication through a public Rust-based tunneling service, “bore[.]pub.”
The operator can then issue commands for reverse shell access and extensive surveillance. These capabilities include keylogging, clipboard monitoring, webcam access, and ambient audio recording.
The framework also harvests credentials from web browsers, Windows Credential Manager, and major cloud platforms like AWS, Google Cloud, and Microsoft Azure. It additionally extracts SSH keys for further network compromise.
Using a public tunneling service for command-and-control blends malicious traffic with legitimate network activity. This tactic avoids embedding server details within the payload itself.
DEEP#DOOR incorporates numerous anti-analysis and defense evasion mechanisms to complicate incident response. These include sandbox detection, ETW patching, Microsoft Defender tampering, and log clearing.
It also employs a watchdog mechanism to automatically recreate removed persistence artifacts. “The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments,” Securonix said.
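The persistence locations, the bore[.]pub tunnel and the watchdog behaviour described above translate directly into host detection logic. The following is an added example, not code from Securonix or from the report: it runs a handful of rules over constructed endpoint events in a simplified `timestamp|kind|host|key=value` format (the format and field names are assumptions for this example, not a real sensor schema). It flags Run-key values that launch a script interpreter, files dropped into a Startup folder, `schtasks /create` invocations, and outbound connections to the tunnel domain, and it raises a separate `watchdog_recreation` alert when a persistence artifact reappears shortly after it was removed, which is the signature of the watchdog the report describes.

```python
"""Detect DEEP#DOOR-style persistence, watchdog re-creation and tunnel-service
C2 over constructed sample events. Event format and field names are an
assumption for this example, not a real sensor schema."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str
    artifact: str


# Artifact locations the report names: Startup folder, Run keys, scheduled tasks.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_RE = re.compile(r"(pythonw?\.exe|\.py\b|\.bat\b|\.vbs\b|\.ps1\b)", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# Tunnelling hosts used for C2; bore.pub is the one the report names.
TUNNEL_DOMAINS = ("bore.pub",)


def parse_event(line):
    """'ISO-ts|kind|host|k=v;k=v' -> (datetime, kind, host, dict). Constructed format."""
    ts, kind, host, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return datetime.fromisoformat(ts), kind, host, fields


def detect(lines, watchdog_window=timedelta(minutes=10)):
    """Return alerts in time order; a single event can raise more than one."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    removed_at = {}  # (host, artifact) -> when a persistence artifact was last removed
    alerts = []

    def persistence(ts, host, rule, artifact):
        alerts.append(Alert(ts, host, rule, artifact))
        # Watchdog signature: the same artifact reappears shortly after removal.
        gone = removed_at.get((host, artifact.lower()))
        if gone is not None and ts - gone <= watchdog_window:
            alerts.append(Alert(ts, host, "watchdog_recreation", artifact))

    for ts, kind, host, f in events:
        if kind == "registry_set":
            if RUN_KEY_RE.search(f["key"]) and SCRIPT_RE.search(f.get("data", "")):
                persistence(ts, host, "run_key_script_persistence", f["key"])
        elif kind == "file_create":
            if STARTUP_RE.search(f["path"]):
                persistence(ts, host, "startup_folder_persistence", f["path"])
        elif kind == "process_create":
            if SCHTASKS_RE.search(f.get("cmdline", "")):
                persistence(ts, host, "scheduled_task_creation", f["cmdline"])
        elif kind in ("registry_delete", "file_delete"):
            artifact = f.get("key") or f.get("path") or ""
            removed_at[(host, artifact.lower())] = ts
        elif kind == "network_connect":
            dest = f.get("dest", "").lower()
            if any(dest == d or dest.endswith("." + d) for d in TUNNEL_DOMAINS):
                alerts.append(Alert(ts, host, "tunnel_service_c2", f["dest"]))
    return alerts


# Constructed sample telemetry: one infected workstation (WS-017) plus a benign
# Run-key write on another host (WS-022) that must not fire.
SAMPLE_LOG = [
    r"2026-04-21T09:00:05|process_create|WS-017|image=C:\Windows\System32\cmd.exe;cmdline=cmd.exe /c C:\Users\alice\Downloads\invoice.bat",
    r"2026-04-21T09:00:07|file_create|WS-017|path=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",
    r"2026-04-21T09:00:08|registry_set|WS-017|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater;data=C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe C:\Users\alice\AppData\Local\Temp\svc.py",
    r"2026-04-21T09:00:09|process_create|WS-017|image=C:\Windows\System32\schtasks.exe;cmdline=schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Local\Temp\svc.py",
    r"2026-04-21T09:00:15|network_connect|WS-017|image=pythonw.exe;dest=bore.pub",
    # An analyst removes the Run key; forty seconds later the watchdog restores it.
    r"2026-04-21T09:30:00|registry_delete|WS-017|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"2026-04-21T09:30:40|registry_set|WS-017|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater;data=C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe C:\Users\alice\AppData\Local\Temp\svc.py",
    r"2026-04-21T09:31:00|registry_set|WS-022|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive;data=C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.host} {a.rule}: {a.artifact}")
```

The watchdog rule is the part worth keeping even if the others are noisy in your environment: a Run key, Startup file or scheduled task that comes back within minutes of being deleted is rarely legitimate, and correlating the deletion with the re-creation is what distinguishes this implant's behaviour from an ordinary installer. In practice, the removal events would come from your EDR or Sysmon telemetry, and the `watchdog_window` should be tuned to how quickly the implant is observed to restore its artifacts.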
The researchers assessed that the initial batch script is likely distributed via traditional phishing. The current scale and success rate of these attacks remain unknown.
