Deep#Door: New Python Backdoor Stealthily Steals Passwords and Cloud Credentials
- John Jordan
A sophisticated new Python-based backdoor, dubbed DEEP#DOOR, has emerged, posing a significant threat to Windows users by stealthily harvesting sensitive information. This malware framework is designed for persistent access and extensive data exfiltration, targeting browser passwords, cloud credentials, and SSH keys.
Key Takeaways
Stealthy Infiltration: DEEP#DOOR uses an obfuscated batch script to deploy its Python payload, embedding it directly within the script to evade network-based detection.
Broad Credential Theft: It targets passwords stored in popular web browsers, cloud service credentials (AWS, Azure, GCP), SSH keys, and Windows Credential Manager entries.
Advanced Evasion: The malware employs numerous techniques to bypass security controls, including disabling Microsoft Defender, patching security mechanisms like AMSI and ETW, and detecting sandboxes or virtual machines.
Persistent Access: DEEP#DOOR establishes multiple persistence mechanisms, such as startup folder scripts, registry run keys, and scheduled tasks, with a watchdog to ensure its survival.
Tunneling C2: It utilizes a public tunneling service (bore[.]pub) for command and control, making its traffic blend in and harder to attribute.
How Deep#Door Operates
The intrusion chain for DEEP#DOOR begins with the execution of a heavily obfuscated batch script, often named . This script dynamically extracts an embedded Python payload, typically named , and reconstructs it in memory and on disk. This self-contained approach significantly reduces the need for external infrastructure, minimizing forensic footprints and making detection more challenging.
Once active, the malware systematically weakens host defenses. It disables key Microsoft Defender protections, suppresses logging for PowerShell and Windows Firewall, and patches critical security mechanisms like AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows). It also incorporates checks for debuggers, virtual machines, and sandboxes to avoid analysis.
Command and Control and Data Exfiltration
DEEP#DOOR establishes communication with its command and control (C2) infrastructure using , a Rust-based tunneling service. This method allows operators to issue commands for remote execution and surveillance while blending malicious traffic with legitimate network activity. The malware dynamically generates ports and uses a challenge-response handshake for authentication, making its C2 communication resilient.
The backdoor's capabilities are extensive, including:
Reverse shell
System reconnaissance
Keylogging
Clipboard monitoring
Screenshot capture
Webcam access
Ambient audio recording
Its primary focus, however, is credential harvesting. DEEP#DOOR targets passwords stored in Google Chrome, Mozilla Firefox, and Windows Credential Manager. It also extracts SSH private keys and cloud credentials for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. This broad collection capability allows attackers to gain significant access to compromised systems and networks.
Persistence and Defense Evasion
To ensure long-term presence, DEEP#DOOR employs multiple persistence mechanisms. These include creating scripts in the Windows Startup folder, adding entries to Registry Run keys, establishing scheduled tasks, and optionally using WMI subscriptions. A watchdog mechanism is in place to detect and recreate these persistence artifacts if they are removed, making remediation difficult.
The malware's defense evasion tactics are comprehensive, aiming to fly under the radar and complicate incident response. Beyond disabling security features, it attempts to unhook to remove EDR instrumentation, wipes command-line arguments in memory, manipulates file timestamps, and interferes with logging services like Sysmon to reduce forensic evidence.
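The persistence locations and Defender tampering described above map onto telemetry a defender already collects. As an added example (not code from the researchers or the article), the script below runs a few rules over constructed Sysmon-style events; the field names (EventID, Image, CommandLine, TargetObject, TargetFilename, Name) follow Sysmon's schema, and the sample events and rule names are assumptions made up for the demonstration.

```python
import re

# Constructed Sysmon-style events (assumption: Sysmon's field names); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /tn Updater /tr C:\\Users\\alice\\run.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 20, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Name": "Updater", "Type": "Command Line"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# (rule name, Sysmon event IDs it applies to, field inspected, pattern)
RULES = [
    ("registry_run_key", {12, 13}, "TargetObject",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("startup_folder_script", {11}, "TargetFilename",
     re.compile(r"\\Start Menu\\Programs\\Startup\\.*\.(bat|cmd|vbs|ps1|py|lnk)$", re.I)),
    ("scheduled_task_created", {1}, "CommandLine",
     re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    ("defender_tampering", {1}, "CommandLine",
     re.compile(r"Set-MpPreference\s+-Disable|DisableAntiSpyware|DisableRealtimeMonitoring", re.I)),
    # Sysmon 19/20/21 cover WMI filter, consumer and binding creation respectively.
    ("wmi_event_consumer", {19, 20, 21}, "Name", re.compile(r".")),
]

def match_rules(event):
    """Return the names of every rule one event triggers."""
    hits = []
    for name, ids, field, pattern in RULES:
        if event.get("EventID") in ids and pattern.search(event.get(field, "")):
            hits.append(name)
    return hits

def detect_persistence(events):
    """Run the rules over an event stream; return (event index, rule name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in match_rules(ev)]

def techniques_seen(events):
    """Distinct techniques observed on the host; several at once suggests a framework, not a one-off."""
    return {name for _, name in detect_persistence(events)}

if __name__ == "__main__":
    for idx, rule in detect_persistence(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({SAMPLE_EVENTS[idx]['Image']})")
```

A single Run-key write is routine on many hosts; the watchdog behaviour the researchers describe shows up as the same rule firing repeatedly after remediation, so counting repeats per host is the more useful signal.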
Researchers note that DEEP#DOOR highlights the trend of threat actors moving towards fileless, script-driven frameworks that leverage native system components and interpreted languages like Python. Its ability to operate as a fully-featured Remote Access Trojan (RAT) makes it a potent tool for espionage, lateral movement, and post-exploitation operations.
Sources
New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials, The Hacker News.
Deep#Door Stealer Targets Passwords, Tokens, SSH Keys, and Wi-Fi Credentials, GBHackers News.
Deep#Door Stealer Harvests Browser Passwords, Cloud Tokens, SSH Keys, and Wi-Fi Credentials, CyberSecurityNews.
New Deep#Door Stealer Campaign Spills Browser Passwords, Cloud Tokens, and SSH Keys, Cyber Press.
