New DEEP#DOOR Python backdoor steals browser, SSH, and cloud credentials through tunneling service


A new Python-based backdoor called DEEP#DOOR can give attackers long-term access to Windows systems while stealing browser passwords, SSH keys, cloud credentials, screenshots, clipboard data, webcam images, and microphone recordings.

Securonix researchers found that the malware uses an obfuscated batch script to disable Windows security controls, extract an embedded Python payload, and create several persistence points on the infected machine.

The backdoor also connects through bore.pub, a public TCP tunneling service. This helps attackers avoid maintaining obvious command-and-control infrastructure and makes malicious traffic harder to separate from legitimate tunneling activity.

How the DEEP#DOOR attack starts

The infection chain begins when a victim runs a batch script named install_obf.bat. Researchers believe the script may be delivered through phishing or similar social engineering methods.

The script does not need to download the main payload from a remote server. Instead, it carries the Python implant inside its own body, extracts it during execution, and rebuilds it as svc.py.

This design reduces the malware’s network footprint. It also gives defenders fewer download events to detect, especially if the attack happens in an environment where scripts already run often.

At a glance

Threat name: DEEP#DOOR
Malware type: Python-based remote access trojan and credential stealer
Primary target: Windows systems
Initial loader: Obfuscated batch script
Main payload: Embedded Python implant named svc.py
C2 method: Public TCP tunneling through bore.pub
Main risk: Credential theft, surveillance, persistence, and lateral movement

What the backdoor can steal

DEEP#DOOR gives attackers a broad set of surveillance and credential theft features. Once it runs, the implant can execute commands, collect system information, monitor users, and steal sensitive access material.

The malware can target credentials stored in Google Chrome, Microsoft Edge, Mozilla Firefox, Windows Credential Manager, cloud configuration files, and SSH directories. It also checks for AWS, Microsoft Azure, and Google Cloud credentials.

That makes a single infected endpoint more dangerous than it first appears. If attackers steal browser passwords, SSH keys, and cloud tokens from one device, they may use those secrets to move into servers, cloud accounts, or internal tools.

Main capabilities

  • Remote shell access
  • System and network reconnaissance
  • Browser password theft
  • Windows Credential Manager dumping
  • Cloud credential harvesting from AWS, Azure, and Google Cloud paths
  • SSH private key extraction
  • Keylogging
  • Clipboard monitoring
  • Screenshot capture
  • Webcam access
  • Microphone recording
  • File upload and download
  • Port scanning for lateral movement

Why the tunneling service matters

DEEP#DOOR uses bore.pub, which belongs to the Bore project. Bore is a Rust-based TCP tunneling tool that can expose local ports through a remote server.

Legitimate administrators and developers can use tunneling tools for testing, remote access, and temporary connectivity. Attackers can also abuse the same model to hide their infrastructure and avoid hardcoding a traditional server address inside malware.

Securonix found that DEEP#DOOR scans a large port range and attempts to locate an active tunnel. After connecting, it uses a challenge-response authentication process before receiving commands from the operator.
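One way to hunt for the tunneling behaviour described above, as an added example that is not part of the article or the Securonix report: the PowerShell below flags outbound connections whose destination is bore.pub, or where a script interpreter (especially one running from a user profile) connects to an unusual high port. The records are constructed to mirror the fields of Sysmon Event ID 3 (network connection); the hostnames, paths and IPs are made up.

```powershell
# Added example: constructed records shaped like Sysmon Event ID 3. On a live
# host, build the same objects from
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3}
$sampleRecords = @(
    [PSCustomObject]@{ Image = 'C:\Users\alice\AppData\Local\svc\python.exe'
                       DestinationHostname = 'bore.pub'; DestinationIp = '203.0.113.10'; DestinationPort = 41234 },
    [PSCustomObject]@{ Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'
                       DestinationHostname = 'example.org'; DestinationIp = '198.51.100.7'; DestinationPort = 443 },
    [PSCustomObject]@{ Image = 'C:\Windows\System32\cmd.exe'
                       DestinationHostname = ''; DestinationIp = '203.0.113.10'; DestinationPort = 50000 }
)

function Test-SuspiciousTunnelConnection {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $reasons = @()
        # Direct hit on the tunneling service the implant is reported to use
        if ($Record.DestinationHostname -match '(^|\.)bore\.pub$') {
            $reasons += 'destination is bore.pub'
        }
        $isInterpreter = $Record.Image -match '\\(python\w*|cmd|powershell|pwsh)\.exe$'
        $isUserPath    = $Record.Image -match '^C:\\Users\\'
        # bore assigns dynamic high ports; interpreters rarely need them outbound
        if ($isInterpreter -and $Record.DestinationPort -ge 1024 -and
            $Record.DestinationPort -notin 8080, 8443) {
            $reasons += 'script interpreter to high port'
        }
        if ($isInterpreter -and $isUserPath) {
            $reasons += 'interpreter running from user profile'
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Image       = $Record.Image
                Destination = "$($Record.DestinationIp):$($Record.DestinationPort)"
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

$sampleRecords | Test-SuspiciousTunnelConnection | Format-Table -AutoSize
```

The first and third constructed records are flagged; the Firefox connection to port 443 is not. Treat a hit as a lead to correlate with process creation and persistence findings, not as proof on its own.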

How DEEP#DOOR stays on infected systems

The backdoor uses several persistence methods at the same time. It can place scripts in the Windows Startup folder, create Registry Run keys, add scheduled tasks, and optionally create WMI event subscriptions.

It also uses a watchdog mechanism. If a defender removes one persistence artifact but misses another, the malware can recreate deleted entries and keep running after reboot.

This layered persistence makes cleanup harder. Security teams need to remove every persistence path, review running processes, inspect memory, and check network logs for tunneling behavior.
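As an added example that is not part of the article or the Securonix report, the PowerShell below enumerates the four persistence locations named above (Startup folders, Run keys, scheduled tasks, WMI event subscriptions) so every path can be reviewed together. It assumes an elevated session on the host being examined; it only reports candidates and removes nothing.

```powershell
# Added example: list the persistence locations DEEP#DOOR is reported to use.
function Get-StartupFolderItems {
    $dirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $dirs) {
        if (Test-Path $dir) { Get-ChildItem -Path $dir -Force | Select-Object FullName, LastWriteTime }
    }
}

function Get-RunKeyEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PS* properties are PowerShell metadata, not registry values
            if ($p.Name -notlike 'PS*') {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Scheduled tasks whose action runs a script interpreter or a .bat/.py file
function Get-ScriptScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'python|cmd\.exe|wscript|\.bat\b|\.py\b') {
                [PSCustomObject]@{ Task = ($task.TaskPath + $task.TaskName); Command = $cmd }
            }
        }
    }
}

# Permanent WMI subscriptions: the filter, the consumer, and the binding between them
function Get-WmiSubscriptions {
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | Select-Object Name, Query
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer | Select-Object Name, CommandLineTemplate
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer | Select-Object Name, ScriptText
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer
}

Get-StartupFolderItems; Get-RunKeyEntries; Get-ScriptScheduledTasks; Get-WmiSubscriptions
```

Because the watchdog recreates deleted entries, stop the implant's process before removing any artifact and re-run the audit afterwards to confirm nothing came back.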

Defense evasion is a major part of the attack

DEEP#DOOR does not only steal data. It also tries to blind security tools before and during execution.

Securonix found anti-analysis and defense evasion features such as sandbox detection, debugger detection, virtual machine checks, AMSI patching, ETW patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass attempts, PowerShell logging suppression, timestamp stomping, and event log clearing.

The malware can also wipe command-line arguments from memory. This can make it harder for responders to reconstruct how the script launched and what commands ran during the compromise.

Why cloud teams should pay attention

The cloud credential theft capability makes DEEP#DOOR especially risky for companies that allow long-lived cloud keys or store access tokens on endpoints.

If attackers collect AWS, Azure, or Google Cloud credentials, they may move beyond the infected Windows device. They could access storage buckets, virtual machines, management consoles, development systems, or CI/CD environments, depending on the permissions attached to the stolen credentials.

This is why response teams should not stop after removing the malware. They should rotate exposed browser passwords, revoke cloud tokens, review IAM activity, and check cloud audit logs for suspicious access.

How widespread is DEEP#DOOR?

Current reporting does not show signs of a large-scale campaign. Securonix told The Hacker News that observed use appears limited and somewhat targeted.

Researchers have also not tied the framework to a specific country, industry, or named threat actor. However, the modular design means other attackers could adapt it for different campaigns.

That limited activity should not reduce urgency for defenders. Malware that combines script-based delivery, public tunneling, credential theft, and surveillance can create serious damage even in targeted attacks.

Recommendations for defenders

  • Block or alert on unexpected batch files launched from email attachments, downloads, or temporary folders.
  • Monitor Python execution from unusual locations such as user profile directories.
  • Audit Startup folders, Registry Run keys, scheduled tasks, and WMI event subscriptions.
  • Watch for suspicious outbound connections to bore.pub and unusual dynamic TCP ports.
  • Enable PowerShell Script Block Logging and command-line process logging where possible.
  • Investigate attempts to disable Defender, SmartScreen, AMSI, ETW, Sysmon, or Event Logs.
  • Monitor access to browser SQLite databases, .ssh folders, and cloud credential paths.
  • Rotate browser passwords, SSH keys, cloud tokens, and stored credentials after suspected infection.
  • Review AWS, Azure, and Google Cloud logs for unusual sign-ins, API calls, and resource access.

What this means for enterprises

DEEP#DOOR shows how attackers can build powerful malware without relying on traditional executable files. A batch script and Python payload can still deliver full remote access, surveillance, and credential theft.

The use of public tunneling infrastructure also shows why network security teams need visibility into outbound traffic, not just inbound connections. Tunneling tools may look harmless until they connect an infected host to an attacker.

For enterprises, the key lesson is simple: treat script execution, credential storage, cloud tokens, and tunneling traffic as connected risks. One compromised Windows endpoint can become a path into browsers, cloud accounts, servers, and internal systems.

FAQ

What is DEEP#DOOR?

DEEP#DOOR is a Python-based remote access trojan and credential stealer that targets Windows systems. It can maintain persistence, steal credentials, and give attackers remote control.

How does DEEP#DOOR infect systems?

The attack starts with an obfuscated batch script that extracts and runs an embedded Python payload. The script also tampers with security controls and creates persistence entries.

What credentials can DEEP#DOOR steal?

DEEP#DOOR can steal browser passwords, Windows Credential Manager data, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud.

Why does DEEP#DOOR use bore.pub?

The malware uses bore.pub to create tunneled command-and-control communication. This helps attackers avoid dedicated infrastructure and makes detection harder.
