"The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.
The implant at a glance: DEEP#DOOR as a Python-based backdoor framework
Researchers at Securonix disclosed a stealthy, Python-driven backdoor framework they call DEEP#DOOR. The researchers describe an intrusion chain that begins with a batch dropper and culminates in a fully featured Remote Access Trojan (RAT). According to the report, the dropper reduces outward dependencies by embedding the core Python implant directly inside the batch script, extracting and reconstructing it at runtime to limit calls to external infrastructure and the forensic footprint left on the host.
How the dropper works: install_obf.bat and embedded svc.py
The initial artifact is a batch script named install_obf.bat. Securonix reports that the script performs multiple actions: it disables Windows security controls, dynamically extracts an embedded Python file (svc.py), and creates persistence through Startup folder scripts, Registry Run keys, scheduled tasks, and optional WMI subscriptions. The researchers assess the batch script is distributed using traditional approaches such as phishing. The report notes it is currently not known how widespread distribution attempts are or whether any infections have been successful.
bore[.]pub tunneling service as command-and-control
Once the Python implant runs, it establishes communication with bore[.]pub, described in the report as a Rust-based tunneling service. That connection gives the operator remote control and surveillance capabilities while avoiding the need to host dedicated servers. The report highlights several operational advantages for the attacker: eliminating dedicated infrastructure, blending malicious traffic with legitimate tunnels, and avoiding hardcoded server details inside the payload.
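A concrete way to turn the tunneling-service observation into a hunt, as an added example that is not code from the report or from the implant: a small Python triage over constructed Sysmon-style network-connection events that scores outbound connections from script interpreters and raises the severity when the destination is a known public tunneling domain. bore.pub is the only domain taken from the report; the sample process paths, IP addresses, hostnames and the destination port (7835, bore's upstream default control port, which the report does not state) are assumptions made for this example.

```python
"""Added example, not code from the Securonix report or the DEEP#DOOR implant.

Triage of outbound connections (shape loosely follows Sysmon Event ID 3)
for the C2 pattern the report describes: a Python implant talking to a
public tunneling service instead of attacker-owned infrastructure.
Sample events, IP addresses, hostnames and the port are constructed;
bore.pub is named in the report, port 7835 is bore's upstream default
control port and is used here only as an assumption.
"""
import ipaddress
from dataclasses import dataclass

# Public tunneling services that let an implant avoid hosting its own server.
TUNNEL_SERVICE_DOMAINS = {"bore.pub"}
# Script interpreters that rarely have a reason to reach the internet on workstations.
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# RFC 1918, loopback and link-local ranges treated as internal. Listed explicitly
# rather than via ipaddress's is_private, which also treats the RFC 5737
# documentation ranges used in the samples below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class NetEvent:
    image: str       # full path of the connecting process
    dest_ip: str
    dest_host: str   # DNS-correlated name, "" when unknown
    dest_port: int


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_tunnel_service(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in TUNNEL_SERVICE_DOMAINS)


def score(ev: NetEvent):
    """Return (severity, reasons). Two weak signals together rank higher than either alone."""
    reasons = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_INTERPRETERS and is_external(ev.dest_ip):
        reasons.append(f"{exe} connected to external host {ev.dest_ip}:{ev.dest_port}")
    if is_tunnel_service(ev.dest_host):
        reasons.append(f"destination {ev.dest_host} is a public tunneling service")
    severity = (0, 1, 3)[len(reasons)]
    return severity, reasons


def triage(events):
    """Return [(event, severity, reasons)] for notable events, highest severity first."""
    hits = []
    for ev in events:
        sev, reasons = score(ev)
        if sev:
            hits.append((ev, sev, reasons))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


SAMPLE_EVENTS = [  # constructed for this example
    NetEvent("C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\pythonw.exe", "203.0.113.10", "bore.pub", 7835),
    NetEvent("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "203.0.113.20", "www.example.com", 443),
    NetEvent("C:\\Python312\\python.exe", "10.0.0.5", "", 443),        # internal destination: ignored
    NetEvent("C:\\Python312\\python.exe", "198.51.100.7", "", 8443),   # external, unknown host: low severity
    NetEvent("C:\\Windows\\System32\\svchost.exe", "203.0.113.30", "update.example.net", 443),
]

if __name__ == "__main__":
    for ev, sev, reasons in triage(SAMPLE_EVENTS):
        name = ev.image.rsplit("\\", 1)[-1]
        print(f"sev={sev} {name} -> {ev.dest_host or ev.dest_ip}:{ev.dest_port}")
        for r in reasons:
            print("   -", r)
```

The interpreter-to-external rule is deliberately weak on its own (developers run Python that talks to the internet), which is why it only becomes high severity in combination with a tunneling-service destination; in practice the domain set would be fed from threat intelligence and the event stream from Sysmon or the EDR rather than the constructed list above.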
Capabilities observed: surveillance, credential theft, and lateral movement
Securonix lists a broad set of capabilities available to the remote operator after C2 is established. They include reverse shell and system reconnaissance functions, and multiple espionage and exfiltration features:
- Keylogging and clipboard monitoring
- Screenshot capture, webcam access, and ambient audio recording
- Harvesting of credentials stored in web browsers (Google Chrome, Mozilla Firefox) and in Windows Credential Manager
- SSH key extraction
- Theft of cloud credentials for Amazon Web Services, Google Cloud, and Microsoft Azure
The researchers characterize the implant as capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments.
Anti-analysis, defense evasion, and persistent watchdog behavior
The report details an extensive set of anti-analysis and evasion techniques built into DEEP#DOOR. These include sandbox, debugger, and virtual machine detection; patching of AMSI and Event Tracing for Windows (ETW); NTDLL unhooking; Microsoft Defender tampering; SmartScreen bypasses; PowerShell logging suppression; command-line wiping; timestamp stomping; and log clearing. The implant also employs multiple persistence mechanisms and a watchdog that monitors and recreates persistence artifacts if they are removed, a behavior the researchers say complicates remediation.
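The persistence mechanisms named in the dropper section (Startup folder scripts, Run keys, scheduled tasks, WMI subscriptions) and the watchdog behavior described above are both visible in endpoint telemetry. The following added example, not code from the report or from DEEP#DOOR, runs two hunting rules in Python over a constructed set of Sysmon-style events: one flags autostart entries that launch an interpreted script, the other catches the watchdog signature of an artifact being re-created shortly after an analyst removes it. Event field names, paths, value names, timestamps and process names are assumptions made for this example, not indicators from the report.

```python
"""Added example, not code from the Securonix report or the DEEP#DOOR implant.

Two hunting rules over constructed, Sysmon-style persistence events:
  1. persistence artifacts (Run keys, Startup folder, scheduled tasks, WMI
     consumers) whose target or command references a script interpreter;
  2. the watchdog pattern: an artifact removed and then re-created within a
     short window, which the report describes as complicating remediation.
Field names, paths, timestamps and process names below are assumptions;
a real deployment would map Sysmon EID 11/12/13/19-21 and Security 4698
fields onto Event.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Substrings identifying autostart locations (matched case-insensitively).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Hints that an autostart entry launches a script rather than a signed binary.
SCRIPT_HINTS = ("python", ".py", ".bat", ".vbs", "wscript", "cscript", "powershell")
CREATE_KINDS = {"reg_set", "file_create", "task_create", "wmi_consumer"}
DELETE_KINDS = {"reg_delete", "file_delete", "task_delete"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # one of CREATE_KINDS or DELETE_KINDS
    target: str    # registry value path, file path, task name or WMI consumer name
    detail: str    # value data / task action / consumer command ("" if none)
    process: str   # image that performed the change


def is_persistence_location(ev: Event) -> bool:
    t = ev.target.lower()
    if ev.kind == "reg_set":
        return any(m in t for m in RUN_KEY_MARKERS)
    if ev.kind == "file_create":
        return STARTUP_MARKER in t
    return ev.kind in ("task_create", "wmi_consumer")  # autostart by nature


def references_script(text: str) -> bool:
    t = text.lower()
    return any(h in t for h in SCRIPT_HINTS)


def find_persistence(events):
    """Rule 1: autostart entries that launch an interpreted script."""
    return [ev for ev in events
            if ev.kind in CREATE_KINDS and is_persistence_location(ev)
            and references_script(ev.target + " " + ev.detail)]


def find_recreations(events, window=timedelta(seconds=60)):
    """Rule 2: artifact deleted, then the same target re-created within `window`.
    Returns (target, delay, recreating_process) tuples in time order."""
    pending = {}   # lower-cased target -> time of its most recent deletion
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.target.lower()
        if ev.kind in DELETE_KINDS:
            pending[key] = ev.ts
        elif ev.kind in CREATE_KINDS and key in pending:
            delay = ev.ts - pending.pop(key)
            if delay <= window:
                hits.append((key, delay, ev.process))
    return hits


# Constructed sample data: an infection, an unrelated benign autostart, and an
# analyst's cleanup attempt that the implant's watchdog undoes within seconds.
T0 = datetime(2025, 1, 15, 9, 0, 0)
RUN_VALUE = "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdateSvc"
STARTUP_BAT = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.bat"
LAUNCH = "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\pythonw.exe C:\\Users\\alice\\AppData\\Roaming\\svc.py"

SAMPLE_EVENTS = [
    Event(T0, "reg_set", RUN_VALUE, LAUNCH, "cmd.exe"),
    Event(T0 + timedelta(seconds=1), "file_create", STARTUP_BAT, "", "cmd.exe"),
    Event(T0 + timedelta(seconds=2), "task_create", "\\Microsoft\\Windows\\WindowsUpdateSvc", LAUNCH, "schtasks.exe"),
    Event(T0 + timedelta(seconds=3), "wmi_consumer", "WindowsUpdateSvcConsumer", "cmd.exe /c start /min " + LAUNCH, "wmiprvse.exe"),
    Event(T0 + timedelta(minutes=5), "reg_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background', "msiexec.exe"),   # benign
    Event(T0 + timedelta(minutes=10), "reg_delete", RUN_VALUE, "", "regedit.exe"),
    Event(T0 + timedelta(minutes=10, seconds=12), "reg_set", RUN_VALUE, LAUNCH, "pythonw.exe"),
    Event(T0 + timedelta(minutes=11), "file_delete", STARTUP_BAT, "", "explorer.exe"),
    Event(T0 + timedelta(minutes=11, seconds=8), "file_create", STARTUP_BAT, "", "pythonw.exe"),
]

if __name__ == "__main__":
    for ev in find_persistence(SAMPLE_EVENTS):
        print(f"[persistence] {ev.ts:%H:%M:%S} {ev.kind:12} {ev.process:12} {ev.target}")
    for target, delay, proc in find_recreations(SAMPLE_EVENTS):
        print(f"[watchdog]    {target} re-created by {proc} {delay.total_seconds():.0f}s after removal")
```

The window should be tuned to how quickly the watchdog loop reacts, and a re-creation performed by a script interpreter seconds after a removal by regedit.exe or explorer.exe is the tell. It also dictates remediation order: stop the implant process (and any scheduled task or WMI subscription that would relaunch it) before deleting the artifacts, otherwise the deletions are undone as fast as they are made.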
What this means for technologists, affected enterprises, and end users
Technologists and security teams will see DEEP#DOOR as an example of what the researchers describe as a fileless, script-driven intrusion model that leans on native components and interpreted languages like Python. The combination of an embedded payload and a public tunneling service changes the detection profile: fewer outbound fetches during staging, and C2 that blends into legitimate-looking tunnel traffic. The chain is not artifact-free, however: install_obf.bat, the extracted svc.py, and the Startup folder scripts are written to disk, alongside the Run keys, scheduled tasks, and WMI subscriptions, and those artifacts are the natural starting point for hunting.
Affected enterprises and procurement leaders face a remediation challenge: the reported persistence mechanisms and watchdog that re-creates removed artifacts make cleanup more difficult, and the implant's tampering with Windows telemetry and Defender components limits forensic visibility.
End users should be aware that the malware's capabilities include harvesting browser-stored credentials, SSH keys, and cloud-provider credentials — and that, per the report, the scope of distribution or number of successful infections has not been established.
DEEP#DOOR demonstrates a layered approach: an embedded Python implant to minimize external traces, a public tunneling service for flexible C2, extensive reconnaissance and exfiltration features, and multiple defenses against analysis and removal. The one concrete unknown the researchers leave on the table is scale — Securonix reports that it is not currently known how widespread the attacks are or whether infections have succeeded. That unanswered question will determine whether DEEP#DOOR is a contained, narrowly targeted tool or a broader, persistent threat.
Source: The Hacker News report