A newly disclosed Python-based malware framework dubbed Deep#Door enables threat actors to conduct long-term, stealthy espionage operations on Windows systems using a self-contained, obfuscated batch loader, bore.pub tunneling for covert command-and-control (C2), and an arsenal of surveillance and credential-theft capabilities that rival nation-state tooling.
Securonix Threat Research published a detailed technical breakdown of the campaign on April 28, 2026, marking Deep#Door as one of the most sophisticated Python-based RAT frameworks observed in recent threat intelligence reporting.
How the Infection Chain Begins
The Deep#Door intrusion chain starts with the execution of a heavily obfuscated Windows batch script, install_obf.bat, delivered via phishing or user execution lures (MITRE ATT&CK: T1566, T1204).
What sets this loader apart from conventional malware droppers is its self-referential payload extraction technique: rather than fetching a secondary payload from a remote server, the batch script reads its own file contents using the %~f0 variable reference in PowerShell, then isolates the embedded Python backdoor (svc.py) via regex pattern matching between #PYTHON_START and #PYTHON_END delimiters.
The extracted payload is then written to %LOCALAPPDATA%\SystemServices\svc.py, a directory name deliberately chosen to mimic legitimate Windows service paths. This single-file, self-contained delivery model eliminates network-based retrieval stages, significantly reducing detection opportunities for network security monitoring tools.
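For analysts who receive one of these batch files, the two traits described above (a PowerShell self-read through %~f0 and a payload carved out between #PYTHON_START and #PYTHON_END) are easy to check for statically. The following is an added triage helper, not Securonix's tooling and not the malware; it flags the traits and carves the embedded block out for offline inspection. The batch text it runs over is constructed and its "payload" is a harmless print statement.

```python
"""Static triage for self-extracting batch loaders of the kind described above.

Added example for analysts; it is not Securonix's tooling and not the malware.
It inspects the text of a suspicious .bat file for the two traits the report
names (a PowerShell self-read via %~f0 and a Python payload embedded between
#PYTHON_START and #PYTHON_END) and carves the embedded block out for offline
analysis. The batch file below is constructed and its payload is a harmless
print statement.
"""
import hashlib
import re

# Payload delimiters as named in the report; DOTALL so the payload may span lines.
PAYLOAD_RE = re.compile(r"#PYTHON_START\r?\n(.*?)\r?\n?#PYTHON_END", re.DOTALL)
# %~f0 expands to the running script's own full path in cmd.exe.
SELF_READ_RE = re.compile(r"%~f0", re.IGNORECASE)
# The self-read only matters when PowerShell is the consumer of the file text.
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)


def extract_payload(text: str):
    """Return the text between the delimiters, or None if they are absent."""
    match = PAYLOAD_RE.search(text)
    return match.group(1) if match else None


def _verdict(self_read: bool, has_payload: bool) -> str:
    # Both traits together are the loader pattern; either alone deserves a look.
    if self_read and has_payload:
        return "loader"
    if self_read or has_payload:
        return "suspicious"
    return "clean"


def triage_batch(text: str) -> dict:
    """Summarise the loader traits found in one batch file's contents."""
    payload = extract_payload(text)
    self_read = bool(SELF_READ_RE.search(text)) and bool(POWERSHELL_RE.search(text))
    digest = hashlib.sha256(payload.encode("utf-8")).hexdigest() if payload is not None else None
    return {
        "self_read_via_powershell": self_read,
        "has_embedded_payload": payload is not None,
        "payload": payload,            # carved text, ready to drop into a sandbox
        "payload_sha256": digest,      # stable identifier for the carved block
        "verdict": _verdict(self_read, payload is not None),
    }


# Constructed sample: shape of the loader described in the report, harmless content.
SAMPLE_BAT = (
    "@echo off\r\n"
    "rem constructed sample: reads its own text and hands it to PowerShell\r\n"
    "powershell -NoProfile -Command \"$self = Get-Content -Raw '%~f0'\"\r\n"
    "goto :eof\r\n"
    "#PYTHON_START\r\n"
    "print('constructed harmless payload')\r\n"
    "#PYTHON_END\r\n"
)
BENIGN_BAT = "@echo off\r\necho hello\r\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        result = triage_batch(text)
        print(name, result["verdict"], result["payload_sha256"])
```

The carved block is hashed rather than executed; the hash gives responders a stable value to pivot on across hosts even when the surrounding batch obfuscation differs.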
Before the Python implant executes, the batch dropper performs aggressive pre-execution defense evasion across Windows Defender, PowerShell logging, firewall logging, and the registry.
Using Set-MpPreference cmdlets, it turns off real-time monitoring, behavior monitoring, block-at-first-seen, and IOAV protection, then adds process exclusions for python.exe and pythonw.exe to prevent runtime scanning of the backdoor.
Registry-based suppression targets PowerShell Script Block Logging (Event ID 4104) and Transcription Logging, both of which would otherwise provide visibility into malicious command execution.
Windows Firewall logging for both dropped and allowed connections is disabled via netsh advfirewall, eliminating outbound C2 traffic records before the backdoor even phones home.
Multi-Layer Persistence: Built to Survive Removal
Deep#Door establishes five overlapping persistence mechanisms to ensure that removing any single artifact does not terminate access:
- Startup Folder: A VBScript launcher (SystemServices.vbs) is dropped into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, triggering silent execution at user logon
- Registry Run Key: An entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run ensures execution redundancy at each login
- Scheduled Tasks: Task-based execution provides time-triggered persistence independent of user sessions
- WMI Event Subscriptions: A stealthier mechanism that fires based on system events, surviving the cleanup of traditional startup locations
- Watchdog Thread: A continuously running background thread monitors all persistence artifacts and automatically restores them if deleted, making manual remediation extremely difficult
Once the environment passes validation, svc.py initializes its C2 channel using bore.pub, a legitimate Rust-based public TCP tunneling service.
This design eliminates the need for attacker-owned infrastructure, meaning network-based attribution and blocklisting are significantly harder.
C2 configuration values are obfuscated inside the Python script using Base64 encoding: the host bore.pub decodes from Ym9yZS5wdWI= and the authentication key changeme123 decodes from Y2hhbmdlbWUxMjM=, keeping the indicators hidden from static analysis.
The implant dynamically generates a port range (41234–41243) and launches up to 100 concurrent worker threads to scan ports 1024–65535 for an active tunnel, ensuring rapid reconnection even if specific ports are blocked.
Authentication uses a custom SHA256 challenge-response handshake: the server sends a 32-character hex challenge, and only implants with the correct embedded key receive an AUTH_OK response, preventing unauthorized tunnel hijacking.
Once the C2 channel is live, Deep#Door’s svc.py implant operates as a full-featured modular RAT with surveillance and data theft capabilities targeting virtually every credential store on a Windows system.
The malware’s collection scope includes credentials from Google Chrome, Mozilla Firefox, Windows Credential Manager, AWS, Google Cloud, and Microsoft Azure configuration files.
Key surveillance and harvesting modules include:
- keylog_start() – Continuous keystroke capture via Windows API polling
- take_screenshot() – Full desktop capture via PowerShell and GDI APIs
- webcam_snap() – Camera access using OpenCV, DirectShow, or native APIs as a fallback chain
- record_audio() – Ambient microphone recording via Windows multimedia APIs
- clipmon_start() – Real-time clipboard monitoring for copied passwords or tokens
- get_chrome_passwords() / get_edge_passwords() – SQLite database extraction of browser-stored credentials
- get_ssh_keys() – Private SSH key enumeration from user directories
- get_cloud_creds() – AWS, Azure, and GCP credential file harvesting from environment variables and config paths
The implant’s runtime evasion stack is exceptionally deep. _patch_amsi() modifies AMSI scanning functions in memory so all script content returns as benign; _patch_etw() neutralizes ETW telemetry APIs to blind security tools; and _unhook_ntdll() restores a clean, unmodified copy of ntdll.dll in process memory to strip EDR-placed userland hooks.
The implant also wipes its own command-line arguments from memory using _clear_cmdline() and replaces them with benign-looking strings like svchost.exe, hiding execution evidence from incident responders.
Timestamp stomping alters file metadata to mimic legitimate Windows binaries. At the same time, the destructive capability overwrite_mbr() can render a compromised system unbootable, signaling that Deep#Door can pivot from espionage to sabotage on demand.
Mitigation
Security teams should prioritize the following detection and hardening actions based on Securonix’s guidance:
- Enable PowerShell Script Block Logging (Event ID 4104) and process creation logging (Event ID 4688 / Sysmon Event ID 1) to capture decoded runtime commands
- Alert on Set-MpPreference abuse, wevtutil log clearing, sc stop EventLog, and registry modifications under Defender and logging policy paths
- Monitor file writes to %LOCALAPPDATA%\SystemServices\ and Python execution from non-standard directories
- Hunt for outbound TCP connections to bore.pub and port scanning across the 41234–41243 dynamic port range
- Track WMI event subscription creation and watchdog-style self-healing persistence artifacts
- Deploy EDR rules detecting VirtualProtect, WriteProcessMemory, and CreateRemoteThread API calls indicative of in-memory patching
- Audit access to browser SQLite credential databases, .ssh directories, and cloud credential paths (.aws, .azure, .config)
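Several of the items above (Defender tampering via Set-MpPreference, wevtutil/sc log tampering, writes to %LOCALAPPDATA%\SystemServices\, Python launched from AppData, outbound connections to bore.pub or the 41234–41243 range, and WMI subscription creation) can be expressed as rules over process-creation, file-create, network-connection and WMI events. The block below is an added example of such rules run over constructed log records; it is not Securonix's detection content. Event records are simplified dictionaries in the shape of Sysmon and Security-log fields (event_id, image, command_line, target_filename, dest_host, dest_port); the user name, host names and paths in them are made up, apart from the indicators the report names.

```python
"""Detection rules for the Deep#Door behaviours listed above, over sample events.

Added example, not Securonix's detection content. Events are constructed,
simplified records with Sysmon / Security-log style fields. Event IDs used:
Sysmon 1 and Security 4688 (process creation), Sysmon 3 (network connection),
Sysmon 11 (file create) and Sysmon 19/20/21 (WMI filter/consumer/binding).
"""
import re

# Set-MpPreference switches that match the report's description of the dropper.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference.*?-(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableBlockAtFirstSeen|DisableIOAVProtection|ExclusionProcess)",
    re.IGNORECASE,
)
# Event-log clearing and EventLog service stop, as named in the mitigation list.
LOG_TAMPER_RE = re.compile(
    r"(wevtutil(\.exe)?\s+cl\b|sc(\.exe)?\s+stop\s+EventLog)", re.IGNORECASE
)
# Staging directory from the report (%LOCALAPPDATA% expanded).
STAGING_DIR_RE = re.compile(r"\\AppData\\Local\\SystemServices\\", re.IGNORECASE)
PYTHON_IMAGE_RE = re.compile(r"\\pythonw?\.exe$", re.IGNORECASE)
# Dynamic port range the implant generates, per the report.
C2_PORTS = range(41234, 41244)


def evaluate(event: dict) -> list:
    """Return the names of the rules a single event matches."""
    hits = []
    eid = event.get("event_id")
    cmd = event.get("command_line", "")
    image = event.get("image", "")
    if eid in (1, 4688):
        if DEFENDER_TAMPER_RE.search(cmd):
            hits.append("defender_tampering")
        if LOG_TAMPER_RE.search(cmd):
            hits.append("log_tampering")
        # Python launched from a user-writable AppData path, or run against the staging script.
        if PYTHON_IMAGE_RE.search(image) and (
            "\\appdata\\" in image.lower() or STAGING_DIR_RE.search(cmd)
        ):
            hits.append("python_staging_script")
    if eid == 11 and STAGING_DIR_RE.search(event.get("target_filename", "")):
        hits.append("staging_dir_write")
    if eid == 3:
        host = event.get("dest_host", "").lower()
        if host == "bore.pub" or host.endswith(".bore.pub") or event.get("dest_port") in C2_PORTS:
            hits.append("bore_tunnel_c2")
    if eid in (19, 20, 21):
        hits.append("wmi_subscription_created")
    return hits


def run(events: list) -> list:
    """Evaluate every event; return (event index, rule name) pairs for review."""
    return [(i, hit) for i, event in enumerate(events) for hit in evaluate(event)]


# Constructed sample events; only the report's indicators are real.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionProcess pythonw.exe"'},
    {"event_id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\Users\alice\AppData\Local\SystemServices\svc.py"},
    {"event_id": 1, "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "command_line": r"pythonw.exe C:\Users\alice\AppData\Local\SystemServices\svc.py"},
    {"event_id": 3, "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe",
     "dest_host": "bore.pub", "dest_port": 41237},
    {"event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl Security"},
    {"event_id": 20, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Two benign records: a developer's build script and an ordinary browser connection.
    {"event_id": 1, "image": r"C:\Program Files\Python312\python.exe",
     "command_line": r"python.exe C:\projects\build.py"},
    {"event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for index, rule in run(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The WMI rule fires on any subscription creation, which is noisy in environments where management agents use WMI legitimately; in practice it is paired with an allow-list of known consumers, and the 41234–41243 port check is most useful as a correlation term next to a bore.pub destination rather than on its own.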
MITRE ATT&CK Coverage
Deep#Door maps across 20+ MITRE ATT&CK techniques, including T1059.006 (Python execution), T1572 (Protocol Tunneling via bore.pub), T1546.003 (WMI Event Subscription), T1562.001 (Disable or Modify Tools), T1070.001 (Clear Windows Event Logs), T1056.001 (Keylogging), and T1041 (Exfiltration Over C2 Channel).
FAQ
Q1: What is Deep#Door malware, and how does it work?
Deep#Door is a Python-based backdoor and credential stealer discovered by Securonix that uses an obfuscated batch script to self-extract and deploy a persistent surveillance RAT on Windows systems without relying on external payload downloads.
Q2: How does Deep#Door use bore.pub for command-and-control?
It leverages bore.pub, a legitimate public TCP tunneling service, to route C2 traffic through a trusted third-party platform, eliminating the need for dedicated attacker infrastructure and evading traditional network-based detection and blocklisting.
Q3: What credentials and data does Deep#Door steal?
The malware harvests browser passwords (Chrome, Edge, Firefox), Windows Credential Manager entries, SSH private keys, Wi-Fi credentials, and cloud tokens for AWS, Azure, and GCP, in addition to capturing keystrokes, screenshots, webcam footage, audio, and clipboard data.
Q4: How can organizations detect and defend against Deep#Door?
Organizations should enable PowerShell Script Block Logging, monitor for tampering with Defender configuration and the creation of WMI persistence, hunt for Python processes in AppData directories, and block or alert on outbound connections to bore.pub and its associated dynamic port ranges.