- DEEP#DOOR hides a Python backdoor inside a batch script, extracts it at runtime, and avoids external downloads entirely.
- The malware uses a public tunneling service to maintain access and issue commands while keeping its traffic hidden.
- It goes for SSH keys, browser credentials, as well as cloud accounts across Google Cloud, AWS, and Microsoft Azure.
Cybersecurity researchers have exposed a stealthy Python-based backdoor framework. Named DEEP#DOOR, it bundles tools for long-term access and aggressive data theft.
Rather than fetching its payload from the internet in the usual way, the malware hides everything it needs inside the installer from the start, which makes the payload hard to extract for analysis.
Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee of the Securonix research group disclosed the findings, which paint a concerning picture of the framework's reach over the long run.
DEEP#DOOR Hides Its Core Payload Inside the Dropper
The attack begins with a batch script called “install_obf.bat.” This script does three things immediately. It disables Windows security controls, extracts a hidden Python payload embedded directly inside it, and sets up persistence across the system.
According to the Securonix team, the intrusion starts with executing a batch script to disable Windows security, dynamically extract a hidden Python payload, and establish persistence through multiple mechanisms: scheduled tasks, registry Run keys, Startup folder scripts, and WMI subscriptions.
Embedding the payload directly inside the dropper is the key design decision here. The malware reconstructs and runs the Python implant from within the script itself, which removes the need to contact external servers repeatedly and leaves far fewer traces for investigators to follow. Researchers believe phishing delivers the batch script, though the full extent of active infections remains unclear.
Once the malware runs, it connects to “bore.pub,” a legitimate Rust-based tunneling service. Using this public tool gives the attacker several advantages: it removes the need for dedicated infrastructure, blends malicious traffic into normal network activity, and keeps the server details out of the payload entirely. The attacker then issues commands through this tunnel.
DEEP#DOOR can open a reverse shell, capture screenshots, log keystrokes, access the webcam, record ambient audio, monitor clipboard activity, and harvest credentials from web browsers and Windows Credential Manager. It also harvests SSH keys and steals cloud account data from Google Cloud, Amazon Web Services, and Microsoft Azure.
Malware Counters Detection and Removal
DEEP#DOOR does not “run and hope” for the best. It actively takes down any tools that would blow its cover.
The framework unhooks NTDLL, manipulates Microsoft Defender, bypasses SmartScreen, disables PowerShell logging, patches AMSI (Antimalware Scan Interface) and Event Tracing for Windows, clears command-line history, stomps timestamps, and clears event logs.
The ease with which malware can disable these built-in Windows protections raises serious questions about the operating system’s security architecture, questions amplified by Mozilla’s criticism of Microsoft for forcing Copilot on users without consent, which suggests the company prioritizes feature rollouts over user control and security transparency.
Additionally, it checks for debuggers, sandboxes, and virtual machines before starting its operations. According to Securonix, it prioritizes evading detection and forensic visibility, and so it directly tampers with Windows security and telemetry mechanisms.
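The controls listed above are exactly the ones a responder should re-verify on a suspect host. The following PowerShell audit is an added example, not Securonix's tooling or anything from the article: it checks Defender's real-time state, the PowerShell logging policy keys, the Explorer SmartScreen setting, and looks for the Windows events that record a cleared log (Security 1102 and System 104). It assumes an elevated session on a machine where the Defender module is present; the seven-day window is an arbitrary choice for the example.

```powershell
# Added example (not from Securonix or the article): re-verify the Windows
# controls DEEP#DOOR is reported to tamper with. Run in an elevated PowerShell.
# Assumes the Defender module (Get-MpComputerStatus) is available.

$findings = @()

# 1. Microsoft Defender real-time protection and antimalware service state
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings += 'Defender status unavailable (service stopped or module missing)'
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is OFF' }
    if (-not $mp.AMServiceEnabled)         { $findings += 'Defender antimalware service is OFF' }
}

# 2. PowerShell script block and module logging policy keys
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$sbl = Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) { $findings += 'Script block logging is not enabled' }
$ml = Get-ItemProperty -Path "$psPolicy\ModuleLogging" -ErrorAction SilentlyContinue
if (-not $ml -or $ml.EnableModuleLogging -ne 1) { $findings += 'Module logging is not enabled' }

# 3. SmartScreen setting for Explorer ("Off" means disabled)
$ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
        -Name SmartScreenEnabled -ErrorAction SilentlyContinue
if ($ss -and $ss.SmartScreenEnabled -eq 'Off') { $findings += 'SmartScreen is set to Off' }

# 4. Evidence of log clearing in the last 7 days (window chosen for this example):
#    Security event 1102 = audit log cleared, System event 104 = event log file cleared
$since = (Get-Date).AddDays(-7)
$cleared = @()
$cleared += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue
$cleared += Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $cleared) { $findings += "Log cleared: $($e.LogName) at $($e.TimeCreated)" }

if ($findings.Count -eq 0) { 'No tampering indicators found' } else { $findings }
```

A clean result here is not proof of a clean host, since in-memory patches to AMSI or ETW leave no registry trace; treat any finding as a reason to pull memory and logs before remediating, because the malware's own watchdog and cleanup routines will otherwise destroy the evidence.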
It also installs itself into the “Windows Startup” folder, writes to Registry Run keys, and creates scheduled tasks. What’s more, it runs a watchdog mechanism that monitors these persistence points. If anything removes them, the watchdog recreates them automatically, making cleanup significantly harder.
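Because the watchdog re-creates whatever a responder deletes, a one-off cleanup is not enough; the persistence locations named in this section and in the Securonix summary earlier (scheduled tasks, registry Run keys, Startup folder scripts, and WMI subscriptions) need to be snapshotted and re-compared. The script below is an added example written for this article, not Securonix's tooling: it enumerates all four locations, saves the result, and on the next run reports what appeared or disappeared. The `$SnapshotPath` location is an assumption for the example; run it elevated so the machine-wide keys and WMI namespace are readable.

```powershell
# Added example (not Securonix's or the article's): snapshot the four
# persistence locations the article lists and diff them against the previous
# run, so entries re-created by a watchdog stand out. Run elevated.
# $SnapshotPath is an assumed location chosen for this example.

$SnapshotPath = "$env:ProgramData\persistence-snapshot.json"

function Get-PersistenceSnapshot {
    $items = @()

    # Registry Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata properties
                if ($p.Name -notmatch '^PS') { $items += "REG|$key|$($p.Name)|$($p.Value)" }
            }
        }
    }

    # Startup folders (per-user and all-users)
    $startup = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    foreach ($dir in $startup) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { $items += "STARTUP|$($_.FullName)|$($_.LastWriteTime)" }
    }

    # Scheduled tasks, one line per action so the executed command is visible
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $items += "TASK|$($task.TaskPath)$($task.TaskName)|$($a.Execute) $($a.Arguments)"
        }
    }

    # WMI permanent event subscriptions: filter-to-consumer bindings
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object { $items += "WMI|$($_.Filter)|$($_.Consumer)" }

    return @($items | Sort-Object -Unique)
}

$current = Get-PersistenceSnapshot

if (Test-Path $SnapshotPath) {
    $previous = @(Get-Content -Raw $SnapshotPath | ConvertFrom-Json)
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW' } else { 'REMOVED' }
        "$tag  $($d.InputObject)"
    }
    if (-not $diff) { 'No persistence changes since last snapshot' }
} else {
    'No previous snapshot; baseline written'
}

# Always write the current state as the new baseline
ConvertTo-Json -InputObject $current | Set-Content $SnapshotPath
```

Run it once to establish a baseline, remove the suspect entries, and run it again a few minutes later: an entry that shows up as `NEW` after you deleted it is the watchdog at work, and the process that re-created it (not the entry itself) is what has to be stopped first.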
A Glimpse Into Where Malware is Heading
DEEP#DOOR operates as a fully featured Remote Access Trojan capable of espionage, lateral movement, and long-term post-exploitation operations. The Securonix team put it plainly: “DEEP#DOOR pinpoints the non-stop growth of threat groups toward fileless, script-based infiltration frameworks that heavily use native system components and interpreted languages like Python.”
The researchers added that by embedding the payload inside the dropper and extracting it only at runtime, the malware cuts its external dependencies significantly and limits the windows where traditional detection tools can catch it.
For security teams, the warning is clear. Monitoring for UAC bypass attempts, restricting user privileges, and keeping systems fully patched remain the strongest first lines of defense against a threat that is clearly built to outlast standard incident response.