Cybersecurity researchers on Thursday disclosed a Python-based backdoor framework called DEEP#DOOR that can maintain persistence on Windows systems and steal sensitive data, including browser passwords, cloud credentials, screenshots and audio, according to a technical analysis from Securonix.
KEY FACTS
- Initial access: The infection chain begins with a batch file called install_obf.bat.
- Persistence: The malware can use Startup folder scripts, Registry Run keys, scheduled tasks and optional WMI subscriptions.
- C2 channel: It connects to bore.pub, a public TCP tunneling service.
- Data theft: It targets credentials from Chrome, Firefox, Windows Credential Manager, SSH keys and cloud accounts.
- Defense evasion: The code includes sandbox, debugger and virtual machine checks plus logging suppression and other anti-analysis steps.
The batch script is believed to spread through phishing, but the scale of the campaign and whether any systems were successfully infected are not known. The implant is embedded in the dropper script, then extracted and executed at runtime, which reduces the need to contact outside infrastructure and can limit forensic traces.
Once active, the malware can support reverse shells, system reconnaissance, keylogging, clipboard monitoring, screenshot capture, webcam access and ambient audio recording. The report also says it can extract SSH keys and credentials stored in Amazon Web Services, Google Cloud and Microsoft Azure accounts.
DEEP#DOOR also attempts to evade detection by patching AMSI and Event Tracing for Windows, unhooking NTDLL, tampering with Microsoft Defender, bypassing SmartScreen and clearing logs. It uses watchdog logic to recreate persistence artifacts if they are removed.
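As an added defender-side example (not code from the Securonix report), the PowerShell triage script below enumerates the four persistence locations the article lists and the DNS cache, and flags any artifact that references the two indicators the article names; the folder and registry paths, and the idea of extending the indicator list from your own telemetry, are assumptions beyond the article.

```powershell
# Hypothetical triage script: hunts for DEEP#DOOR-style persistence artifacts.
# Indicator strings come from the article; extend them from your own telemetry.
$Indicators = @('install_obf.bat', 'bore.pub')
$script:Hits = @()

function Test-Indicator([string]$Text, [string]$Where) {
    foreach ($i in $Indicators) {
        if ($Text -and $Text -like "*$i*") {
            $script:Hits += [pscustomobject]@{ Location = $Where; Evidence = $Text }
        }
    }
}

# 1. Startup folders (per-user and all-users): file names and script contents
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    Test-Indicator $_.Name "StartupFolder"
    Test-Indicator (Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue) "StartupFolder:$($_.Name)"
}

# 2. Registry Run keys: every value under HKCU and HKLM Run
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Test-Indicator ([string]$_.Value) "RunKey:$k\$($_.Name)" }
    }
}

# 3. Scheduled tasks: the executable and arguments of each action
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        Test-Indicator "$($a.Execute) $($a.Arguments)" "ScheduledTask:$($t.TaskPath)$($t.TaskName)"
    }
}

# 4. WMI permanent event subscriptions: command-line consumers in root/subscription
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Test-Indicator $_.CommandLineTemplate "WMI:CommandLineEventConsumer:$($_.Name)" }

# 5. C2 channel: names recently resolved on this host
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object { Test-Indicator $_.Entry "DnsCache" }

$script:Hits | Format-Table -AutoSize
```

Because the report says the implant recreates persistence artifacts that are removed, run the script again after cleanup to confirm the watchdog process itself has been stopped.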
WHY IT MATTERS
The disclosure shows how script-driven malware can rely on native Windows features and public tunneling services to stay hidden while maintaining long-term access. That combination can make detection, response and cleanup more difficult for affected organizations.