By MSB
A new Python-based threat is raising alarms in the cybersecurity community. Researchers have identified an advanced backdoor named DEEP#DOOR, capable of maintaining persistent access and stealing credentials both locally and in the cloud using public tunneling services.
A Silent Attack from the Start
The infection chain begins with the execution of a malicious batch script (install_obf.bat) that disables Windows security controls and then carves a Python payload out of the batch file itself, where it is stored in obfuscated form.
Because the payload is never fetched from a staging server, the first stage produces few network indicators and leaves a smaller forensic footprint, which lets the malware operate with greater stealth.
Persistence and Full System Control
Once executed, the backdoor establishes several persistence mechanisms in parallel:
- Scripts in the Startup folder
- Registry Run keys
- Scheduled tasks
- WMI subscriptions
Furthermore, it incorporates self-repair logic that recreates any of these components if they are removed, so deleting a single persistence entry is not enough to remediate an infected host.
Tunneling: the Invisible New C2
The most distinctive element of the attack is the use of a public tunneling service, bore[.]pub, as the command and control (C2) channel.
Instead of relying on dedicated servers, the attackers:
- Encapsulate communication within legitimate TCP tunnels
- Hide malicious traffic within seemingly normal flows
- Eliminate the need for their own infrastructure
This lets the malware's traffic blend into a corporate network, and because the same tunneling platform is also used by developers for legitimate purposes, blocking it outright may break legitimate use.
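One way to surface this traffic on the endpoint side, as an added example that is not part of the report: it runs over constructed network-connection events in the shape of Sysmon Event ID 3 (process image, destination host, port, timestamp), flags destinations on a list of public tunneling domains, script hosts making outbound connections, and regular beaconing. The domain list beyond bore[.]pub, the script-host list, the beacon threshold and all event data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# bore.pub comes from the report; the other providers are added here as an
# assumption. Extend with whatever your organisation does not sanction.
TUNNEL_DOMAINS = ("bore.pub", "ngrok.io", "localhost.run", "serveo.net")
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed events (Sysmon Event ID 3 shape: Image, DestinationHostname,
# DestinationPort, UtcTime). All values are made up for this example.
PY = r"C:\Users\alice\AppData\Roaming\python\pythonw.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "image": PY, "dst": "bore.pub", "dport": 41817},
    {"ts": "2024-05-01T10:01:01", "image": PY, "dst": "bore.pub", "dport": 41817},
    {"ts": "2024-05-01T10:02:00", "image": PY, "dst": "bore.pub", "dport": 41817},
    {"ts": "2024-05-01T10:03:02", "image": PY, "dst": "bore.pub", "dport": 41817},
    {"ts": "2024-05-01T10:03:59", "image": PY, "dst": "bore.pub", "dport": 41817},
    {"ts": "2024-05-01T10:00:12", "image": CHROME, "dst": "www.microsoft.com", "dport": 443},
    {"ts": "2024-05-01T10:07:45", "image": CHROME, "dst": "www.microsoft.com", "dport": 443},
    {"ts": "2024-05-01T10:05:00", "image": r"C:\Python312\python.exe", "dst": "pypi.org", "dport": 443},
]


def is_tunnel_host(host):
    """True for a tunneling domain or any subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in TUNNEL_DOMAINS)


def connection_intervals(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def is_beaconing(intervals, min_connections=4, max_cv=0.2):
    """Regular check-ins: enough connections and a low coefficient of
    variation of the gaps between them (assumed thresholds)."""
    if not intervals or len(intervals) < min_connections - 1:
        return False
    m = mean(intervals)
    return m > 0 and pstdev(intervals) / m <= max_cv


def analyze(events):
    """Group events by (process, destination) and return one alert per pair
    that either talks to a tunneling service or shows two other traits."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["image"].lower(), e["dst"].lower())].append(e["ts"])

    alerts = []
    for (image, dst), stamps in by_pair.items():
        tunnel = is_tunnel_host(dst)
        reasons = []
        if tunnel:
            reasons.append("destination is a public tunneling service")
        if image.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            reasons.append("script interpreter making outbound connections")
        if is_beaconing(connection_intervals(stamps)):
            reasons.append(f"regular beacon across {len(stamps)} connections")
        if tunnel or len(reasons) >= 2:
            alerts.append({"image": image, "dst": dst, "count": len(stamps), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[!] {a['image']} -> {a['dst']} ({a['count']} connections): {'; '.join(a['reasons'])}")
```

A hit on the tunneling domain is an alert by itself; the beacon and script-host traits only combine, so the single pip-style connection from python.exe to pypi.org in the sample stays quiet. In practice the destination hostname often only appears in DNS or proxy logs rather than on the connection event, so run the same domain match over those sources too, and remember that blocking the tunnel provider at the perimeter will also break any developer who relies on it.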
Espionage and Credential Theft Capabilities
The backdoor offers a wide range of espionage functionality:
- Remote command execution (reverse shell)
- Keylogging and clipboard monitoring
- Screenshot capture and webcam access
- Ambient audio recording
- Browser credential theft
- Extraction of SSH keys
- Theft of stored cloud credentials (AWS, Google Cloud, Azure)
This level of access makes DEEP#DOOR a highly dangerous tool for enterprise environments.
Advanced Defense Evasion
The malware incorporates multiple techniques to avoid detection:
- Detection of sandboxes, virtual machines, and debuggers
- Tampering with Microsoft Defender
- Bypass of SmartScreen
- Log suppression and anti-forensics
- Timestamp modification (timestomping)
It also disables AMSI and ETW, which blinds the script-scanning and event-tracing hooks that traditional security tools rely on for visibility.
An Evolving Pattern
This threat reflects a clear trend: the use of interpreted languages like Python to build flexible, portable malware that is hard to detect with signatures written for compiled binaries.
Furthermore, the use of legitimate services such as tunneling platforms points to a shift toward attacks whose traffic blends into normal network activity.
Conclusion
DEEP#DOOR represents a significant evolution in modern backdoors, not only because of its credential theft capabilities but because of its focus on hiding inside legitimate infrastructure and minimizing its footprint.
For security teams, the challenge is no longer just detecting malware, but identifying anomalous behavior within seemingly reliable services.