DEEP#DOOR: A new Python backdoor is quietly stealing all your passwords through a secret tunnel.

Summary of the campaign
DEEP#DOOR is a Python backdoor recently discovered by Securonix; its delivery and command-and-control method is more notable than its payload. Instead of using traditional C2 infrastructure, the malware embeds the entire RAT in the dropper script and hides the control channel behind bore.pub, an open-source tunneling service, so the malicious traffic looks like legitimate tunnel use. Once on a system, DEEP#DOOR can steal browser credentials, SSH keys, Windows Credential Manager entries, and cloud tokens for AWS, Azure, and Google Cloud, and it maintains persistence through a self-recovery mechanism that recreates its artifacts if they are deleted. Although there are no signs of widespread deployment, DEEP#DOOR points to a malware trend of leveraging legitimate services and living-off-the-land techniques to evade EDR and extend dwell time in the system.
Event timeline
| Date | Event |
|---|---|
| Q1 2026 | DEEP#DOOR appears and is distributed via phishing (the initial vector is a batch script). |
| April 2026 | Securonix (Gaikwad, Sangwan, Beardslee) completes the technical analysis. |
| April 2026 | Securonix shares the report with The Hacker News; SOC Prime releases detection rules. |
| 1 May 2026 | SOC Prime publishes the detection rules and IOCs on the Threat Detection Marketplace. |
Attack sequence
Phase 1: Initial Access (T1566 – Phishing)
The dropper install_obf.bat is distributed via phishing, as an email attachment or a downloaded file. This is a common vector; there is no evidence that software vulnerabilities are exploited for initial execution.
Phase 2: Execution & Payload Extraction (T1204.002, T1027, T1059.001)
When the victim runs install_obf.bat, the batch script immediately:
- Disables Windows Defender, SmartScreen, firewall logging, and PowerShell logging using Set-MpPreference and netsh advfirewall
- Uses PowerShell with a self-referencing regex to parse the .bat file itself, then extracts and decodes the base64/XOR-encoded Python payload (svc.py) embedded inside it
- Launches svc.py via the Python interpreter
This is the payload-embedding technique: the entire RAT is contained in the dropper, so nothing needs to be downloaded from a C2 server, which reduces the network footprint during the initial infection stage.
Phase 3: Defense Evasion (T1562.001, T1562.004, T1070.001, T1070.006, T1497.003, T1620)
Before establishing persistence, svc.py performs a series of evasions:
- Sandbox/VM/debugger detection: checks environment characteristics and aborts if a sandbox is detected
- AMSI patching: disables the Antimalware Scan Interface by patching it in memory
- ETW patching: disables Event Tracing for Windows to blind monitoring tools
- NTDLL unhooking: restores NTDLL from disk to bypass EDR hooks
- Log clearing: stops and deletes EventLog and Sysmon logs
- Timestomping: alters file timestamps to hinder forensics
Phase 4: Persistence (T1547.001, T1053, T1546)
DEEP#DOOR establishes four layers of persistence simultaneously:
- SystemServices.vbs is placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- A Registry Run key points to the Python interpreter + svc.py
- A Scheduled Task serves as a backup fallback
- A WMI subscription (optional) acts as the fourth layer
More importantly, the malware deploys a watchdog mechanism—a separate process that continuously checks whether the persistence artifacts still exist. If they are deleted, the watchdog recreates them, making manual remediation unsuccessful unless the watchdog is terminated first.
Phase 5: C2 Communication (T1572 – Protocol Tunneling)
svc.py connects to bore.pub, an open-source TCP tunneling service, on a random port within the range 41234–41243. Once the tunnel is established, the malware performs challenge-response authentication with the operator.
Reasons for using a public tunneling service instead of a dedicated C2:
- No need to buy or rent separate C2 infrastructure
- Traffic blends into the baseline of legitimate services
- The domain bore.pub is difficult to block without affecting legitimate use cases
- The operator's actual IP is hidden behind the tunnel
Phase 6: Collection & Exfiltration (T1056.001, T1113, T1125, T1123, T1115, T1003, T1552, T1555, T1041)
Once the C2 is active, DEEP#DOOR fully supports surveillance and credential theft:
Credential harvesting:
- Passwords from Google Chrome, Mozilla Firefox, Windows Credential Manager
- SSH private keys
- Cloud credentials: AWS (~/.aws/credentials), GCP tokens, Azure CLI tokens
Surveillance:
- Keylogging, screenshot capture, webcam video recording, microphone audio capture, clipboard monitoring
Post-exploitation:
- Reverse shell, system/network reconnaissance, fork bomb (T1499.002; optional, for causing DoS)
Detailed technical analysis
Self-extracting dropper — no need to download the payload
The install_obf.bat file embeds the entire Python RAT, encoded in base64/XOR, hidden at the end of the script. When executed, it reads itself using PowerShell (Get-Content $MyInvocation.MyCommand.Path), locates the encoded blob, decodes it into svc.py, and runs it immediately. There are no network requests during the infection phase—challenging the assumption that "monitoring egress is sufficient." Before extraction, the script disables everything: Windows Defender (Set-MpPreference), firewall logging (netsh advfirewall), and PowerShell Script Block Logging. When the RAT starts, the environment is silent.
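As an added illustration of the self-extracting dropper pattern described in Phase 2 and in this section (example code, not from the report or from Securonix): a static triage routine that flags a batch file combining a self-read via $MyInvocation.MyCommand.Path, defence-tampering commands, a base64 decode and a blob that makes up most of the file. The sample dropper text is constructed from harmless filler with the decoder elided, and the indicator names are this example's own.

```python
"""Static triage of a batch dropper for the self-extracting pattern in this
report. Added example; the sample text is constructed from benign filler."""
import base64
import re

# One indicator per behaviour the report attributes to install_obf.bat.
INDICATORS = {
    "reads_own_file": re.compile(r"Get-Content\s+\$MyInvocation\.MyCommand\.Path", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable\w*", re.I),
    "firewall_logging_off": re.compile(r"\bnetsh\s+advfirewall\b", re.I),
    "scriptblock_logging_off": re.compile(r"EnableScriptBlockLogging", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "launches_python": re.compile(r"\bpythonw?(?:\.exe)?\b[^\r\n]*\.py\b", re.I),
}
# A long unbroken run of base64 alphabet characters is the payload candidate.
BLOB = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")

def triage_batch(text: str) -> dict:
    """Return matched indicators, embedded-blob size and a verdict for one script."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    blob_chars = sum(len(b) for b in BLOB.findall(text))
    # The dropper carries its whole RAT, so the blob dominates the file; a short
    # embedded certificate or icon in a legitimate script does not reach 50%.
    carries_payload = blob_chars > 0 and blob_chars / len(text) > 0.5
    return {"indicators": hits, "blob_chars": blob_chars,
            "carries_payload": carries_payload,
            "suspicious": carries_payload and len(hits) >= 3}

# Constructed fixtures: base64 of harmless filler stands in for the payload and
# the decoder itself is elided; only the indicator strings are present.
FILLER_BLOB = base64.b64encode(b"constructed filler, not a payload. " * 40).decode()
SAMPLE_DROPPER = "\r\n".join([
    "@echo off",
    'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    "netsh advfirewall set allprofiles logging droppedconnections disable",
    'powershell -c "$self = Get-Content $MyInvocation.MyCommand.Path"',
    "rem decoder elided ... [Convert]::FromBase64String ...",
    "python svc.py",
    ":: " + FILLER_BLOB,
])
BENIGN_SCRIPT = "@echo off\r\nset PATH=%PATH%;C:\\tools\r\npython build.py\r\n"

if __name__ == "__main__":
    print(triage_batch(SAMPLE_DROPPER))
    print(triage_batch(BENIGN_SCRIPT))
```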
Disabling both AMSI and ETW, blinding AV and EDR simultaneously
The first step of svc.py is to check the environment: CPU cores, RAM, disk, the process list (Wireshark, x64dbg, ...), and VM registry artifacts. If a sandbox is detected, the RAT terminates itself.
Then, the RAT performs in-memory patching:
- AMSI: writes the byte 0xC3 (RET instruction) at the start of the AmsiScanBuffer function in amsi.dll; each time AV calls this function to scan a script, it returns immediately without doing anything.
- ETW: the same is done to EtwEventWrite in ntdll.dll, so all telemetry events are swallowed before being logged.
- NTDLL unhooking: reloads a clean copy of ntdll.dll from disk to bypass the EDR's user-mode hooks.
- EventLog and Sysmon are stopped, and timestamps are altered to hinder forensics.
Watchdog — why does it remain even after removing persistence?
DEEP#DOOR creates four layers of persistence simultaneously: SystemServices.vbs in the Startup folder, a Registry Run key, a Scheduled Task, and an optional WMI subscription. What sets it apart is the watchdog, a separate thread that continuously checks whether the artifacts are still present and recreates them immediately if they are missing. The direct consequence for IR: deleting persistence before killing the process is useless, because the artifacts reappear within seconds. Terminate the process first, then clean up the artifacts; this order is essential.
C2 via bore.pub, hidden behind a public tunnel
svc.py connects to bore.pub on a random port within the range 41234–41243, performing challenge-response authentication with the operator. bore.pub is a legitimate tunneling service, popular among developers, with no negative reputation in threat feeds, making it difficult to block without causing false positives. The operator's actual IP is never exposed in the victim's logs.
When the tunnel is active: keylogging, screenshots, webcam, microphone, and clipboard stream to the operator. Credential harvesting simultaneously targets Chrome/Firefox, Windows Credential Manager, SSH keys, and cloud credentials (~/.aws/credentials, GCP tokens, Azure CLI tokens)—compromising one endpoint can jeopardize the entire organization's cloud accounts.
IOC & Artifacts
C2 Tunneling Service
- bore[.]pub
File hashes (SHA-256)
2c2386ef6416ce821e377223d2a3b79f2b7ea9e8dc9ed2549f4676fe060b7ddd
84515368e2f8ff4467e38bf48dabb267b5b895f54df5be5ceb5428a414ae15e9
4e3ae82eed8980bbc396020c197c767ba22483a124a00ee04c264dd394378485
c6f00569913cd6bd1017b26bd33bbb28f1d92b9c9e0f830adcc24af59e181d3e
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Notes |
|---|---|---|---|
| Initial Access | T1566 | Phishing | Dropper distributed via phishing |
| Execution | T1204.002 | User Execution: Malicious File | The victim runs .bat |
| Execution | T1059.001 | PowerShell | Use PowerShell to extract payload |
| Defense Evasion | T1027 | Obfuscated Files or Information | Base64/XOR embedded payload |
| Defense Evasion | T1562.001 | Disable or Modify Tools | Disables Windows Defender, AMSI |
| Defense Evasion | T1562.004 | Disable or Modify System Firewall | Disable firewall logging |
| Defense Evasion | T1070.001 | Clear Windows Event Logs | Clear EventLog, Sysmon |
| Defense Evasion | T1070.006 | Timestomp | Change file timestamps |
| Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based | Sandbox/VM detection |
| Defense Evasion | T1620 | Reflective Code Loading | In-memory execution |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | VBS in Startup folder + Run key |
| Persistence | T1053 | Scheduled Task/Job | Scheduled Task backup |
| Persistence | T1546 | Event Triggered Execution | WMI subscription (optional) |
| Credential Access | T1003 | OS Credential Dumping | Windows Credential Manager |
| Credential Access | T1552.001 | Credentials In Files | Cloud credential files |
| Credential Access | T1552.004 | Private Keys | SSH key extraction |
| Credential Access | T1555 | Credentials from Password Stores | Browser password stores |
| Collection | T1056.001 | Keylogging | Real-time keystroke capture |
| Collection | T1113 | Screen Capture | Screenshot |
| Collection | T1125 | Video Capture | Webcam recording |
| Collection | T1123 | Audio Capture | Microphone recording |
| Collection | T1115 | Clipboard Data | Clipboard monitoring |
| Discovery | T1082 | System Information Discovery | OS, hardware recon |
| Discovery | T1518 | Software Discovery | Installed software enum |
| Discovery | T1057 | Process Discovery | Process listing |
| Discovery | T1046 | Network Service Discovery | Network recon |
| Discovery | T1526 | Cloud Service Discovery | Cloud config discovery |
| C2 | T1572 | Protocol Tunneling | bore.pub TCP tunnel |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data sent over the tunnel |
| Impact | T1499.002 | Service Exhaustion Flood | Fork bomb (optional) |
Assessment
DEEP#DOOR is not the most technically sophisticated malware—no zero-day, no driver-level rootkit, no firmware implant. However, it represents a concerning trend: an attack chain optimally designed to bypass typical detection layers without high complexity. Four points make us consider DEEP#DOOR a significant threat to the Vietnamese enterprise environment:
First, the mechanism of embedding the payload in the dropper breaks the assumption of many detection rules that look for standalone files being downloaded. Without network downloads during the infection phase, solutions that only monitor network egress at the beginning will overlook it. Second, using bore.pub is a smart choice for operational security. Many organizations do not block tunneling services because they have legitimate uses (developer tools, remote access). We frequently see organizations in Vietnam lacking visibility into outbound connections to public tunnel/proxy services.
Third, the watchdog mechanism sets it apart from typical RATs. In practice, incident responders often focus on removing persistence before killing the process—with DEEP#DOOR, this order is reversed, and without this knowledge, cleanup will fail. Fourth, the list of targeted credentials is very comprehensive—not just browser passwords but also SSH keys and cloud tokens. With the trend of Vietnamese enterprises accelerating cloud adoption (AWS, Azure, GCP), a compromised instance can lead to a cloud account takeover—consequences far beyond a single endpoint.
Regarding attribution: there is currently no evidence linking DEEP#DOOR to a specific threat actor. It is likely a commodity tool or framework that multiple actors can use against different targets, which increases the risk rather than reducing it.
Recommendations
Immediate (0-24h)
- Check network logs for any outbound connections to bore.pub, especially on ports 41234–41243. This is the highest-confidence IoC with the fewest false positives.
- Hunt the process tree: look for python.exe spawned from wscript.exe, cscript.exe, or cmd.exe.
- Review the Startup folder on all Windows endpoints, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, and investigate any .vbs files of unknown origin.
- Check PowerShell logs (if logging is enabled) for the pattern Set-MpPreference -Disable*.
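The hunting steps above, as detection logic run over constructed Sysmon-style events (an added example, not the report's or SOC Prime's rules): one rule each for bore.pub egress on the 41234–41243 port range, python.exe spawned by a scripting host, and a .vbs created in the Startup folder. The RecordId, EventID and field names follow Sysmon's event schema; the events themselves are made up for the example.

```python
"""Detection logic for the DEEP#DOOR hunt over constructed Sysmon-style events.
Added example; field names follow Sysmon's schema, the events are made up."""
from pathlib import PureWindowsPath

TUNNEL_DOMAIN = "bore.pub"
TUNNEL_PORTS = range(41234, 41244)          # 41234-41243 inclusive
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def match_event(ev: dict) -> list:
    """Return the names of the rules that fire for one event."""
    alerts = []
    if ev.get("EventID") == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        if host == TUNNEL_DOMAIN or host.endswith("." + TUNNEL_DOMAIN):
            alerts.append("bore_pub_egress")
            if int(ev.get("DestinationPort", 0)) in TUNNEL_PORTS:
                alerts.append("bore_pub_deepdoor_port")  # highest-confidence IoC
    elif ev.get("EventID") == 1:  # process creation
        if (_name(ev.get("Image", "")) in PYTHON_IMAGES
                and _name(ev.get("ParentImage", "")) in SCRIPT_HOSTS):
            alerts.append("python_from_script_host")
    elif ev.get("EventID") == 11:  # file created
        target = ev.get("TargetFilename", "").lower()
        if STARTUP_DIR in target and target.endswith(".vbs"):
            alerts.append("vbs_in_startup_folder")
    return alerts

def hunt(events) -> dict:
    return {ev["RecordId"]: hits for ev in events if (hits := match_event(ev))}

# Constructed events: the first three should fire, the last one is a benign control.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Python311\python.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"RecordId": 2, "EventID": 3, "Image": r"C:\Python311\python.exe",
     "DestinationHostname": "bore.pub", "DestinationPort": "41237"},
    {"RecordId": 3, "EventID": 11, "Image": r"C:\Python311\python.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemServices.vbs"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Python311\python.exe",
     "ParentImage": r"C:\Program Files\VSCode\Code.exe"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```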
Short-term (1-7 days)
- Enable PowerShell Script Block Logging if it is not already enabled; this is a prerequisite for detecting DEEP#DOOR and dozens of similar malware families. Command: Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 (if the ScriptBlockLogging key does not exist yet, create it first with New-Item -Path <that same path> -Force, otherwise Set-ItemProperty fails with a path-not-found error).
- Deploy detection rules: prioritize the rules "outbound TCP to bore.pub" and "Python spawned from scripting host" in SIEM/EDR.
- Audit cloud credentials: review AWS IAM, Azure AD, and GCP IAM for unusual access patterns in the past 30 days, especially from new IPs/locations.
- User awareness: remind users about phishing emails with attached .bat files or archives containing scripts.
Long-term
- Network egress visibility: many organizations have blind spots for outbound TCP to tunneling/proxy services. Consider comprehensive DNS/proxy logging, not just HTTP/HTTPS.
- EDR with memory protection: in-memory AMSI/ETW patching techniques require an EDR capable of detecting API hook manipulation; not all EDRs cover this.
- Credential hygiene: minimize storing cloud credentials as plaintext files (~/.aws/credentials). Switch to credential providers with short-lived tokens (AWS IAM Roles, Azure Managed Identity).
- Incident response playbook: add the step "terminate the malware process first, then clean up persistence" to the IR playbook; this is especially important when dealing with malware that has a watchdog mechanism.
References
https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html
https://www.securonix.com/blog/deepdoor-python-backdoor-and-credential-stealer
https://cybersecuritynews.com/deepdoor-stealer-harvests-browser-passwords/
https://socprime.com/active-threats/deepdoor-stealer-stealthy-python-backdoor/