Deep#Door exposes blind spots in Windows defences

Security teams face a fresh Windows threat after researchers identified Deep#Door, a Python-based backdoor framework built for stealth, persistence, surveillance and credential theft across compromised machines.

The malware stands out because it does not behave like a conventional loader that repeatedly downloads external payloads. Its attack chain begins with an obfuscated batch file named install_obf.bat, which weakens host defences, extracts an embedded Python payload called svc.py, and plants multiple persistence mechanisms before opening a remote command channel. The approach reduces the network signals that defenders normally use to detect staged intrusions.

Deep#Door has been assessed as a fully featured remote access Trojan capable of long-term espionage. Once installed, it can execute commands, record keystrokes, monitor clipboard activity, capture screenshots, access webcams, record microphone audio, collect browser credentials, extract SSH keys, steal cloud tokens, gather Wi-Fi credentials and probe Windows Credential Manager. Its capabilities make it relevant to both financially motivated theft and intelligence-gathering operations.

The framework uses bore.pub, a public TCP tunnelling service, for command-and-control communications. This allows an operator to connect to infected hosts without maintaining easily identifiable dedicated infrastructure. Tunnelling services have legitimate uses, but their misuse by attackers gives malicious traffic a better chance of blending into ordinary network activity, particularly where security teams rely on blocklists or static indicators.

Persistence is layered across several Windows features. The loader can create scripts in the Startup folder, add registry Run keys, schedule tasks and use optional Windows Management Instrumentation subscriptions. Watchdog-style self-healing components are also designed to restore the implant if parts of the infection chain are removed. This layered design increases the cost of remediation and raises the risk that a partially cleaned endpoint may remain under attacker control.

The malware also attempts to blunt detection before its main implant runs. It tampers with Microsoft Defender settings, suppresses PowerShell logging, interferes with SmartScreen, disables or clears event logs, modifies firewall logging and uses command-line wiping and timestamp changes to make forensic reconstruction more difficult. Advanced evasion features include sandbox detection, debugger checks, virtual machine identification, AMSI and ETW patching, and NTDLL unhooking.

The initial delivery method has not been definitively established, though phishing and script-based lures remain plausible routes because the intrusion begins with execution of a batch script. No evidence has yet shown broad, high-volume deployment, and available analysis points instead to limited or targeted use. No consistent victim geography or industry pattern has been confirmed, which makes sector-specific attribution premature.

Deep#Door reflects a wider shift in intrusion tradecraft. Attackers increasingly use scripting languages, living-off-the-land techniques and legitimate infrastructure to lower the visibility of malware operations. Python gives operators flexibility, rapid development and modular capability expansion, while Windows scripting and administrative interfaces provide familiar execution paths that can appear benign unless monitored behaviourally.

For enterprises, the risk is amplified by the type of data targeted. Browser credential stores, SSH directories and cloud configuration paths often contain tokens and secrets that can support lateral movement beyond the first compromised machine. Access to cloud credentials may allow attackers to move into infrastructure, storage buckets, development environments or business applications, depending on privilege levels and security controls.

Detection will depend less on file names alone and more on behavioural correlation. Warning signs include batch scripts reading their own contents, creation of svc.py under local application data paths, Startup folder VBS launchers, registry entries referencing SystemServices, suspicious scheduled tasks, Defender configuration changes, unusual PowerShell logging suppression, repeated outbound connections to bore.pub and sequential port activity in the 41234 to 41243 range.
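As an added illustration, not code from the report or from the researchers' tooling, the routine below correlates the warning signs listed above across constructed Sysmon-style events (real Sysmon event IDs, but the dict field names and every path, key and port value are an assumed simplification for the example):

```python
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. Sysmon event IDs used:
# 1 = process create, 3 = network connection, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 11, "target": r"C:\Users\a\AppData\Local\SystemServices\svc.py"},
    {"id": 11, "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemServices"},
    {"id": 1, "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 3, "dest_host": "bore.pub", "dest_port": 41234},
    {"id": 3, "dest_host": "bore.pub", "dest_port": 41235},
    {"id": 1, "cmdline": "notepad.exe report.txt"},  # benign noise, should not match
]

def indicators_for(ev):
    """Return the names of the Deep#Door warning signs that a single event matches."""
    hits = []
    t = ev.get("target", "").lower()
    c = ev.get("cmdline", "").lower()
    if ev["id"] == 11 and "\\appdata\\local\\" in t and t.endswith("\\svc.py"):
        hits.append("svc_py_in_localappdata")
    if ev["id"] == 11 and "\\startup\\" in t and t.endswith(".vbs"):
        hits.append("startup_vbs_launcher")
    if ev["id"] == 13 and "\\currentversion\\run\\" in t and "systemservices" in t:
        hits.append("run_key_systemservices")
    if ev["id"] == 1 and re.search(r"set-mppreference|disablerealtimemonitoring", c):
        hits.append("defender_config_change")
    if (ev["id"] == 3 and ev.get("dest_host", "").endswith("bore.pub")
            and 41234 <= ev.get("dest_port", 0) <= 41243):
        hits.append("bore_pub_c2_port")
    return hits

def correlate(events):
    """Aggregate hits for one host and flag sequential bore.pub port use across events.

    No single indicator is conclusive; the verdict escalates only when several
    distinct signs (persistence, defence tampering, C2) co-occur on the host.
    """
    seen = defaultdict(int)
    ports = set()
    for ev in events:
        for name in indicators_for(ev):
            seen[name] += 1
            if name == "bore_pub_c2_port":
                ports.add(ev["dest_port"])
    if any(p + 1 in ports for p in ports):
        seen["sequential_c2_ports"] += 1
    verdict = "investigate" if len(seen) >= 3 else ("monitor" if seen else "clean")
    return {"indicators": dict(seen), "verdict": verdict}
```

In production the same logic would be expressed as SIEM rules over centrally collected logs, since the implant clears local event logs once it runs.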

The case also underlines the limits of endpoint controls when attackers disable telemetry before deployment. Security teams will need centralised log collection, tamper-resistant endpoint monitoring and alerting around security control changes. Restricting script execution, enforcing application control, reducing local administrator privileges and reviewing outbound tunnelling traffic can reduce exposure.