Credential‑Stealing Python Backdoor Uses Tunneling Services for Stealthy Data Theft

Security researchers have uncovered a stealthy Python‑based backdoor framework known as DEEP#DOOR, designed to provide long‑term access to compromised Windows systems while quietly collecting a broad range of sensitive data.

According to a report from Securonix, the infection sequence begins with a malicious batch script named install_obf.bat. Once executed, the script weakens or disables Windows security protections, extracts an embedded Python payload (svc.py) at runtime, and establishes persistence through multiple techniques. These include Startup folder scripts, Registry Run entries, scheduled tasks, and, in some configurations, Windows Management Instrumentation (WMI) event subscriptions.

Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee note that the delivery mechanism relies on traditional attack vectors such as phishing emails. However, the overall scope of the campaign remains unclear, and it is currently unknown how many infections, if any, have resulted in successful long‑term compromise.

Gaikwad told The Hacker News that there is no evidence so far indicating widespread, high‑volume deployments of the framework. Instead, observed activity suggests a more limited and selective usage pattern, pointing to targeted operations rather than mass exploitation.

The researchers also stated that they have not yet identified consistent indicators tying the activity to specific industries or geographic regions. That said, DEEP#DOOR’s modular design leaves room for adaptation, meaning other threat actors could repurpose the framework for different operational goals over time.

Embedded payload and stealthy execution

One of the more notable aspects of the campaign is how the malware handles payload delivery. Rather than downloading its core implant from external infrastructure, the Python backdoor is embedded directly inside the dropper script. At runtime, the malware extracts, reconstructs, and launches the implant locally.

This approach drastically reduces outbound network traffic during initial execution and minimizes artifacts that investigators typically rely on during forensic analysis. By limiting its dependence on external resources, DEEP#DOOR lowers its visibility and evades many traditional detection mechanisms.

Command‑and‑control via tunneling service

Once active, the backdoor connects to bore[.]pub, a legitimate Rust‑based TCP tunneling service. Through this channel, operators can issue commands and remotely control the infected host while blending malicious traffic with benign tunneling activity.

Using the tunneled connection, DEEP#DOOR supports an extensive set of surveillance and post‑exploitation capabilities, including:

  • Reverse shell access
  • System and environment reconnaissance
  • Keylogging and clipboard capture
  • Screenshot collection
  • Webcam activation
  • Ambient audio recording
  • Browser password and session harvesting
  • SSH private key extraction
  • Credential theft from Google Chrome, Mozilla Firefox, and Windows Credential Manager
  • Cloud credential harvesting targeting AWS, Google Cloud, and Microsoft Azure

Leveraging a public tunneling service for command‑and‑control eliminates the need for attackers to manage dedicated infrastructure, hides malicious traffic among legitimate connections, and avoids hard‑coding server details into the payload.

Defense evasion and anti‑analysis features

DEEP#DOOR also incorporates a wide range of defensive evasion and anti‑analysis techniques aimed at bypassing security controls and complicating incident response. These include sandbox, debugger, and virtual machine detection, as well as tampering with Windows security components such as AMSI and Event Tracing for Windows (ETW).

Additional measures include NTDLL unhooking, interference with Microsoft Defender, SmartScreen bypasses, suppression of PowerShell logging, command‑line artifact removal, timestamp manipulation, and system log clearing. Taken together, these features allow the malware to remain concealed while limiting the quality and availability of forensic evidence.

Resilient persistence mechanisms

Persistence is another key focus of the framework. The malware deploys multiple overlapping persistence mechanisms such as Startup folder scripts, Registry Run keys, and scheduled tasks to ensure continued execution across reboots.

To further complicate remediation, DEEP#DOOR employs a watchdog component that continuously checks for the presence of its persistence artifacts. If any are removed, the malware recreates them automatically, forcing responders to neutralize all mechanisms simultaneously to fully clean an infected system.
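As an added example (not Securonix's analysis code or anything from the campaign), the following Python detector correlates the persistence locations named above, Startup folder, Registry Run keys, scheduled tasks and WMI event subscriptions, per originating process: a dropper that plants several of them within minutes, or a watchdog that re-creates them after removal, shows up as one process touching multiple mechanisms in a short window, whereas a legitimate installer touching one location does not. The event tuple shape, process labels and file paths are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def classify(etype, target):
    """Map one Sysmon-style event to a persistence mechanism name, or None."""
    t = target.lower()
    if etype == "FileCreate" and "\\programs\\startup\\" in t:
        return "startup_folder"
    if etype == "RegistryValueSet" and "\\currentversion\\run\\" in t:
        return "registry_run"
    if etype == "ScheduledTaskCreated":
        return "scheduled_task"
    if etype in ("WmiEventFilter", "WmiEventConsumer", "WmiEventBinding"):
        return "wmi_subscription"
    return None

def find_overlapping_persistence(events, window_minutes=10, min_mechanisms=2):
    """events: iterable of (iso_time, process, event_type, target) tuples.
    Returns {process: sorted mechanisms} for each process that sets up at
    least min_mechanisms distinct mechanisms inside a window_minutes span."""
    per_proc = defaultdict(list)
    for iso_time, proc, etype, target in events:
        mech = classify(etype, target)
        if mech:
            per_proc[proc].append((datetime.fromisoformat(iso_time), mech))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for proc, items in per_proc.items():
        items.sort()  # chronological, so a sliding window can start at each event
        for i, (t0, _) in enumerate(items):
            mechs = {m for t, m in items[i:] if t - t0 <= window}
            if len(mechs) >= min_mechanisms:
                hits[proc] = sorted(mechs)
                break
    return hits

# Constructed sample telemetry (simplified Sysmon-style records, not real IoCs).
STARTUP = "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:05", "cmd.exe:4120", "FileCreate", STARTUP + "svc.py"),
    ("2024-01-01T10:00:07", "cmd.exe:4120", "RegistryValueSet",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    ("2024-01-01T10:00:09", "cmd.exe:4120", "ScheduledTaskCreated", "\\svc_update"),
    ("2024-01-01T10:00:12", "cmd.exe:4120", "WmiEventBinding", "svc_filter->svc_consumer"),
    # A benign installer adds one Run key, then a Startup shortcut hours later.
    ("2024-01-01T11:30:00", "setup.exe:5001", "RegistryValueSet",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    ("2024-01-01T15:00:00", "setup.exe:5001", "FileCreate", STARTUP + "Updater.lnk"),
]
```

Because the watchdog re-plants whatever is deleted, the same correlation run over post-remediation telemetry is a cheap way to confirm that every mechanism was removed together rather than one at a time.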

A full‑featured remote access platform

Securonix characterized the final implant as a fully capable Remote Access Trojan (RAT) engineered for covert, long‑term operations. Its feature set supports espionage, lateral movement, credential theft, and post‑exploitation activity, all while prioritizing stealth and minimal forensic exposure.

The researchers emphasize that DEEP#DOOR exemplifies a broader trend in threat actor tooling: the shift toward fileless or script‑driven attack frameworks that rely heavily on native operating system components and interpreted languages such as Python.

By embedding the payload directly within the initial dropper and unpacking it only at runtime, the malware minimizes reliance on external infrastructure and significantly narrows the window in which traditional security tools can detect malicious behavior.
