Full Report
Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an
Analysis Summary
# Tool/Technique: DEEP#DOOR
## Overview
DEEP#DOOR is a sophisticated Python-based backdoor framework and Remote Access Trojan (RAT). It is designed for stealthy, long-term persistence and extensive information harvesting. The tool is notable for its "fileless" delivery method—where the core Python payload is embedded within a batch script—and its use of legitimate tunneling services to bypass traditional firewall protections.
## Technical Details
- **Type:** Malware family / RAT Framework
- **Platform:** Windows
- **Capabilities:** Persistence, Credential Theft (Browser/Cloud), Surveillance, Evasion, Remote Command Execution
- **First Seen:** April 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1059.006 - Command and Scripting Interpreter: Python
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  - T1053.005 - Scheduled Task/Job: Scheduled Task
  - T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (AMSI, ETW, Defender)
  - T1070.006 - Indicator Removal: Timestomp
  - T1112 - Modify Registry
  - T1620 - Reflective Code Loading
- **TA0006 - Credential Access**
  - T1555.003 - Credentials from Web Browsers
  - T1528 - Steal Application Web Tokens (Cloud Credentials)
- **TA0011 - Command and Control**
  - T1572 - Protocol Tunneling
## Functionality
### Core Capabilities
- **Information Harvesting:** Extracts credentials from Chrome and Firefox, SSH keys, and Windows Credential Manager.
- **Surveillance:** Features keylogging, clipboard monitoring, screen capture, webcam access, and ambient audio recording.
- **Cloud Theft:** Targets credentials for AWS, Google Cloud, and Microsoft Azure.
- **Remote Access:** Establishes a reverse shell for direct operator command execution.
### Advanced Features
- **NAT/Firewall Bypass:** Uses the Rust-based tunneling service `bore[.]pub` to bypass NAT and firewalls without dedicated C2 infrastructure.
- **Aggressive Evasion:** Patches AMSI and ETW, unhooks NTDLL, suppresses PowerShell logging, and clears system logs.
- **Anti-Analysis:** Detects sandboxes, debuggers, and virtual machines.
- **Self-Healing Persistence:** Employs a "watchdog" mechanism that monitors persistence artifacts (Registry keys, tasks) and recreates them if deleted.
## Indicators of Compromise
- **File Hashes:** *(Specific SHA256 hashes not provided in article; refer to Securonix report)*
- **File Names:**
  - `install_obf.bat` (Initial dropper)
  - `svc.py` (Extracted Python payload)
- **Registry Keys:** Check `Run` keys and WMI subscriptions for suspicious Python executions.
- **Network Indicators:**
  - `bore[.]pub` (C2 Tunneling domain)
- **Behavioral Indicators:**
  - Disabling of Windows Defender and SmartScreen.
  - Unexpected Python processes spawning from batch scripts.
  - Use of `timestomp` on system directories.
## Associated Threat Actors
- Currently unattributed (Assessed to use phishing for initial delivery).
## Detection Methods
- **Signature-based:** Monitoring for the strings and structure of the `install_obf.bat` dropper.
- **Behavioral:**
  - Identifying illicit patching of `ntdll.dll` or AMSI/ETW functions in memory.
  - Detecting unauthorized creation of scheduled tasks or WMI event consumers.
  - Monitoring for outbound connections to known tunneling services like `bore[.]pub`.
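As an added example (not code from the Securonix report or from the DEEP#DOOR sample itself), the behavioral detections listed above expressed as checks over Sysmon-style process-creation, network-connection and WMI-consumer events. The event field names follow Sysmon's schema as assumed here, and every record below is constructed test data; only the `bore[.]pub` domain comes from the report.

```python
import re

# Domain is the report's `bore[.]pub` IoC refanged; all other values here are constructed.
TUNNEL_DOMAINS = {"bore.pub"}
BATCH_PARENT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
PYTHON_IMAGE = re.compile(r"\\pythonw?\d*\.exe$", re.IGNORECASE)

def check_process_create(evt):
    """Sysmon Event ID 1: python.exe whose parent command line is a batch script."""
    if PYTHON_IMAGE.search(evt.get("Image", "")) and BATCH_PARENT.search(evt.get("ParentCommandLine", "")):
        return "python_spawned_by_batch"
    return None

def check_network_connect(evt):
    """Sysmon Event ID 3: outbound connection to a known public tunnelling service."""
    host = evt.get("DestinationHostname", "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS):
        return "tunnel_service_connection"
    return None

def check_wmi_consumer(evt):
    """Sysmon Event ID 20 (WmiEvent, consumer): command-line consumer that runs Python."""
    if evt.get("Type") == "Command Line" and "python" in evt.get("Destination", "").lower():
        return "wmi_consumer_runs_python"
    return None

CHECKS = {1: check_process_create, 3: check_network_connect, 20: check_wmi_consumer}

def triage(events):
    """Return (EventID, detection_name) for each event that trips a check."""
    hits = []
    for evt in events:
        check = CHECKS.get(evt.get("EventID"))
        name = check(evt) if check else None
        if name:
            hits.append((evt["EventID"], name))
    return hits

# Constructed sample telemetry, not captured from a real infection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\u\Downloads\install_obf.bat"'},
    {"EventID": 1, "Image": r"C:\Python312\python.exe", "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "DestinationHostname": "bore.pub"},
    {"EventID": 3, "DestinationHostname": "update.example.com"},
    {"EventID": 20, "Type": "Command Line", "Destination": r"pythonw.exe C:\ProgramData\svc.py"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the batch-spawned Python, the tunnel connection and the WMI consumer, and leaves the two benign records alone; in a real deployment the checks would be fed from the Sysmon event log rather than the inline list.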
## Mitigation Strategies
- **Prevention:** Implement strict email filtering to block suspicious `.bat` or script-based attachments.
- **Endpoint Hardening:**
  - Disable or restrict the use of Windows Script Host and PowerShell for non-administrative users.
  - Enforce Application Control (e.g., AppLocker) to prevent unauthorized Python execution.
- **Network Policy:** Block access to known public tunneling and proxying services at the firewall level.
## Related Tools/Techniques
- **Bore:** The legitimate Rust-based tunneling tool leveraged for C2 communication.
- **Living-off-the-Land (LotL):** Use of native Windows components (WMI, Task Scheduler) for persistence.