New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Source: The Hacker News, April 30, 2026

Ravie Lakshmanan | Apr 30, 2026 | Cloud Security / Threat Intelligence

Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts.

“The intrusion chain begins with execution of a batch script (‘install_obf.bat’) that disables Windows security controls, dynamically extracts an embedded Python payload (‘svc.py’), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

It is assessed that the batch script is distributed through conventional means such as phishing. It is currently not known how widespread the attacks distributing the malware are, or whether any of the infection attempts have succeeded.

What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from which it is extracted, reconstructed, and executed. This reduces the need to repeatedly reach out to external infrastructure and minimizes the forensic footprint.

Once launched, the malware establishes communication with “bore[.]pub,” a Rust-based tunneling service, allowing the operator to issue commands that facilitate remote command execution and extensive surveillance. The capabilities include:

  • Reverse shell
  • System reconnaissance
  • Keylogging
  • Clipboard monitoring
  • Screenshot capture
  • Webcam access
  • Ambient audio recording
  • Web browser credential harvesting
  • SSH key extraction
  • Credentials stored in Google Chrome, Mozilla Firefox, and Windows Credential Manager
  • Cloud credential theft (Amazon Web Services, Google Cloud, and Microsoft Azure)

Using a public TCP tunneling service for command-and-control (C2) offers several advantages: it eliminates the need to set up dedicated infrastructure, lets malicious traffic blend in with legitimate use of the service, and avoids embedding server details within the payload.

In parallel, DEEP#DOOR incorporates a bevy of anti-analysis and defense evasion mechanisms, such as sandbox, debugger, and virtual machine (VM) detection, AMSI and Event Tracing for Windows (ETW) patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass, PowerShell logging suppression, command-line wiping, timestamp stomping, and log clearing, to fly under the radar and complicate incident response efforts.

It also employs multiple persistence mechanisms, creating Windows Startup folder scripts, Registry Run keys, and scheduled tasks, and relies on a watchdog routine that checks whether those persistence artifacts have been removed and recreates them automatically if they have, which makes remediation challenging.
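As an added example that is not part of the article or the Securonix report, the following Python triage helper applies the two observable traits described above, scripted persistence (Registry Run keys, Startup folder scripts, scheduled tasks) and C2 through a public tunneling service, to constructed autostart and network records, and marks a host on which both halves of the chain appear. The record schema, field names, hostnames and local paths are assumptions, not a real EDR or SIEM format; only the bore.pub domain and the file names install_obf.bat and svc.py come from the article.

```python
"""Added example (not from the Securonix report or the article): triage of
constructed autostart and network records for scripted persistence plus
tunneling-service C2. Record schema and all hosts/paths are assumptions."""
from dataclasses import dataclass
import re

# Public tunneling domain named in the article; extend with others you track.
TUNNEL_DOMAINS = {"bore.pub"}

# Autostart commands that hand control to an interpreter or a script file.
INTERPRETER_RE = re.compile(r'(?:^|[\\/\s"])(pythonw?\.exe|cmd\.exe|powershell\.exe)', re.I)
SCRIPT_RE = re.compile(r"\.(?:pyw?|bat|cmd|vbs|ps1)\b", re.I)
# Locations an unprivileged user can write to; persistence launched from
# here deserves a closer look than entries pointing into Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)

AUTOSTART_TYPES = {"runkey", "startup", "schtask"}


@dataclass
class Finding:
    host: str
    source: str      # record type that produced the finding
    subject: str     # registry value, task name, file path or process name
    severity: str    # "medium" or "high"
    reason: str


def check_autostart(rec):
    """Flag autostart entries that launch a script, especially from user-writable paths."""
    cmd = rec["command"]
    script = SCRIPT_RE.search(cmd)
    if not script:
        return None
    if USER_WRITABLE_RE.search(cmd):
        return Finding(rec["host"], rec["type"], rec["name"], "high",
                       f"{script.group(0)} script started from a user-writable path")
    if INTERPRETER_RE.search(cmd):
        return Finding(rec["host"], rec["type"], rec["name"], "medium",
                       "interpreter runs a script from an autostart location")
    return None


def check_network(rec):
    """Flag connections to tunneling services; an interpreter as the client ranks higher."""
    dest = rec["dest"].lower().rstrip(".")
    if not any(dest == d or dest.endswith("." + d) for d in TUNNEL_DOMAINS):
        return None
    proc = rec["process"]
    severity = "high" if INTERPRETER_RE.search(proc) else "medium"
    return Finding(rec["host"], "network", proc, severity,
                   f"connection to tunneling service {dest}")


def triage(records):
    """Group findings per host; chain_match is set when persistence and tunnel C2 co-occur."""
    report = {}
    for rec in records:
        if rec["type"] in AUTOSTART_TYPES:
            finding = check_autostart(rec)
        elif rec["type"] == "network":
            finding = check_network(rec)
        else:
            finding = None
        if finding:
            entry = report.setdefault(finding.host, {"findings": [], "chain_match": False})
            entry["findings"].append(finding)
    for entry in report.values():
        sources = {f.source for f in entry["findings"]}
        entry["chain_match"] = bool(sources & AUTOSTART_TYPES) and "network" in sources
    return report


# Constructed sample telemetry: WS01 mirrors the described chain, WS02 is benign.
SAMPLE_RECORDS = [
    {"type": "runkey", "host": "WS01",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "command": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe C:\Users\alice\AppData\Roaming\svc.py"},
    {"type": "schtask", "host": "WS01", "name": r"\SystemUpdate",
     "command": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\install_obf.bat"},
    {"type": "startup", "host": "WS01",
     "name": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
     "command": r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"'},
    {"type": "network", "host": "WS01", "process": "python.exe", "dest": "bore.pub"},
    {"type": "runkey", "host": "WS02",
     "name": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "network", "host": "WS02", "process": "chrome.exe", "dest": "www.example.com"},
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_RECORDS).items():
        print(f"{host}: chain_match={entry['chain_match']}")
        for f in entry["findings"]:
            print(f"  [{f.severity}] {f.source}: {f.subject} -> {f.reason}")
```

The per-record checks are deliberately coarse (any script launched from a user-writable autostart location, any client of a listed tunneling domain) so that individual hits stay cheap to review; the correlation in `triage` is what raises confidence, because the article's chain needs both a persistence artifact and the tunnel connection on the same host. In a real deployment the records would come from registry, Startup folder and scheduled-task enumeration plus DNS or proxy logs rather than the constructed list.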

“The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments,” Securonix said. “The implant prioritizes evading detection and forensic visibility by directly tampering with Windows security and telemetry mechanisms.”

“DEEP#DOOR highlights the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages like Python. By embedding the payload directly within the dropper and extracting it at runtime, the malware significantly reduces external dependencies and limits traditional detection opportunities.”
