Overview: The DEEP#DOOR Threat
Security researchers have uncovered a sophisticated Python-based backdoor, designated DEEP#DOOR, which leverages tunneling services to maintain persistent access to compromised systems and steal sensitive information, including browser and cloud credentials. This malware is notable for its stealthy delivery and advanced evasion techniques, making it a significant threat to enterprises and individual users alike.
Infection Chain and Initial Access
The attack begins with the execution of a batch script named install_obf.bat. This script serves as the initial payload, performing key actions to lower system defenses:
- Disables Windows security controls, such as Windows Defender and User Account Control (UAC), to avoid detection.
- Dynamically extracts the main Python backdoor payload from a hidden or obfuscated location within the system.
- Establishes persistence by modifying registry keys or adding scheduled tasks.
Once executed, the backdoor connects to a remote command-and-control (C2) server via a legitimate tunneling service (e.g., ngrok or similar), allowing it to blend in with normal network traffic and bypass firewall restrictions.
How Tunneling Services Aid Evasion
The use of a public tunneling service provides several advantages for attackers:
- Encrypted communication – Traffic appears as normal HTTPS, making it hard to inspect.
- Dynamic endpoint addresses – The C2 server URL changes frequently, complicating blocklisting.
- Legitimate reputation – The tunneling domain is often whitelisted by security tools.
This approach allows DEEP#DOOR to maintain a covert channel for data exfiltration and command reception.
Credential Harvesting Capabilities
One of the primary objectives of DEEP#DOOR is to steal credentials from a wide range of sources:
- Browser credentials – Logins saved in Chrome, Firefox, Edge, and other browsers are extracted from local databases.
- Cloud service tokens – Session cookies and access tokens for services like AWS, Azure, and Google Cloud are targeted.
- VPN and remote access credentials – Stored passwords for corporate VPN clients may also be compromised.
The harvested data is then encrypted and sent to the attacker’s server through the established tunnel, often in small chunks to avoid triggering data loss prevention (DLP) alerts.
Technical Insights into Payload Structure
The Python backdoor is delivered as an obfuscated script that decompresses into a modular framework. Key components include:
- Keylogger module – Captures keystrokes and clipboard content.
- Screen capture module – Takes periodic screenshots or records active windows.
- File exfiltration module – Searches for documents with extensions like .docx, .xlsx, .pdf.
The malware also attempts to disable antivirus software and tamper with Windows Event Logging to erase traces of its activity.
Defense Recommendations
To protect against DEEP#DOOR and similar threats, organizations should implement the following measures:
- Restrict script execution – Use AppLocker or Windows Defender Application Control to block untrusted .bat and .py files.
- Monitor outbound connections – Inspect traffic to known tunneling services using network detection and response (NDR) tools.
- Enforce multi-factor authentication (MFA) – Even if credentials are stolen, MFA can prevent unauthorized access to cloud accounts.
- Regularly rotate credentials – Minimize the impact of a data breach by frequently updating passwords and access tokens.
For more on securing endpoints, refer to our guide on advanced threat detection.
Conclusion
The DEEP#DOOR backdoor exemplifies the growing trend of attackers using legitimate infrastructure to power malicious operations. By combining Python-based stealth, tunneling services for C2, and aggressive credential harvesting, it presents a serious risk to both personal and corporate security. Awareness and proactive defense measures are essential to staying ahead of such evolving threats.