DEEP#DOOR’s Hidden Tunnels: How a Python Backdoor Slips Past Windows Defenses to Raid Credentials

DEEP#DOOR embeds a Python backdoor inside a batch script to evade detection, tunnels its C2 traffic through bore.pub, and steals browser and cloud credentials, backed by layered persistence and evasion. Securonix details the full chain.
Written by Juan Vasquez

A new Python backdoor called DEEP#DOOR burrows into Windows machines with ruthless efficiency. It starts simple. An obfuscated batch script named install_obf.bat lands via phishing or drive-by downloads. That script doesn’t fetch payloads from afar—no suspicious network calls to tip off defenders. Instead, it embeds the entire Python implant right inside itself.

Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee dissected the chain in their report. The batch file invokes PowerShell to read its own contents, using %~f0 (cmd's expansion for the running script's full path). A regex pattern snags the Python code between #PYTHON_START and #PYTHON_END markers. It writes svc.py to %LOCALAPPDATA%\SystemServices\, a folder name chosen to mimic legitimate Windows services. Boom. Payload deployed.

But DEEP#DOOR doesn't stop at extraction. First move: gut the defenses. PowerShell commands flip Windows Defender switches, starting with Set-MpPreference -DisableRealtimeMonitoring $true. Exclusions are added for the drop path and for python.exe processes. SmartScreen is disabled. Firewall logging is killed via netsh advfirewall set allprofiles logging droppedconnections disable. PowerShell transcription is switched off through registry changes. Runtime tricks follow: AMSI patching, ETW disabling, NTDLL unhooking, and further direct tampering with Microsoft Defender. Logs are cleared. Timestamps are stomped so the dropped files blend in.

Persistence locks in next. A VBS launcher lands in the Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemServices.vbs. A Run key is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Scheduled tasks and WMI event subscriptions are available as optional extra hooks. A watchdog thread patrols and rebuilds anything that gets deleted. Relentless.

Anti-analysis kicks in hard. Debugger checks via IsDebuggerPresent and PEB flags. VM fingerprints: registry keys, MAC OUIs, CPUID bits. Sandbox hunts: rare usernames, Wireshark processes, low user activity. Loaded DLLs are scanned for EDR hooks. If anything looks suspicious, it bails.

The real genius? C2 over bore.pub. No dedicated servers to block. bore is an open-source, Rust-based TCP tunneling tool on GitHub, and bore.pub is its public relay; it lets attackers punch through NAT without exposing their own infrastructure. DEEP#DOOR decodes its config at runtime: Base64 for the bore.pub hostname, XOR for keys such as changeme123. It scans ports 41234-41243 with 100 threads looking for its operator's tunnel. Challenge-response authentication uses SHA256. Buffered sockets handle flaky connections. On the wire, the traffic is hard to tell from a legitimate developer tunnel.
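The self-extraction step and the config decoding described above, as an added example for triage (this is not Securonix's code and not the real sample): the script carves the embedded implant out of a constructed stand-in for install_obf.bat the way the dropper's own PowerShell does, hashes the carved source for IOC matching, and recovers the Base64 host and XOR-encoded secret from it. The batch layout, the single-byte XOR key 0x5A, and the config field names (C2_HOST, XOR_KEY, AUTH_SECRET, PORT_RANGE) are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Markers the dropper's PowerShell searches for; the payload is the text between them.
MARKER_RE = re.compile(r"#PYTHON_START[ \t]*\r?\n(.*?)\r?\n[ \t]*#PYTHON_END", re.S)
# PowerShell that reads the batch file's own path (%~f0) in a file that also carries markers.
SELF_REF_RE = re.compile(r"powershell.*%~f0.*#PYTHON_START", re.I | re.S)
# Config fields inside the carved source (names are assumptions, not the real sample's).
CFG_HOST_RE = re.compile(r'b64decode\("([A-Za-z0-9+/=]+)"\)')
CFG_KEY_RE = re.compile(r"XOR_KEY\s*=\s*(0x[0-9A-Fa-f]+|\d+)")
CFG_SECRET_RE = re.compile(r'AUTH_SECRET\s*=\s*"([A-Za-z0-9+/=]+)"')
CFG_PORTS_RE = re.compile(r"PORT_RANGE\s*=\s*\((\d+),\s*(\d+)\)")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def build_sample_bat() -> str:
    """Constructed stand-in for install_obf.bat (assumed layout, not the real file).

    The PowerShell line splits its own marker strings so that a regex over the
    whole file matches the real markers below rather than the command line.
    """
    host_b64 = base64.b64encode(b"bore.pub").decode()
    secret_b64 = base64.b64encode(xor_bytes(b"changeme123", 0x5A)).decode()
    return (
        "@echo off\n"
        "powershell -NoP -W Hidden -c \"$s=Get-Content -Raw '%~f0';"
        r"if($s -match ('(?s)#PYTHON_'+'START\r?\n(.*?)\r?\n#PYTHON_'+'END'))"
        r"{$matches[1]|Set-Content $env:LOCALAPPDATA\SystemServices\svc.py}" "\"\n"
        r'start /b "" pythonw "%LOCALAPPDATA%\SystemServices\svc.py"' "\n"
        "exit /b\n"
        "#PYTHON_START\n"
        "import base64\n"
        f'C2_HOST = base64.b64decode("{host_b64}").decode()\n'
        "XOR_KEY = 0x5A\n"
        f'AUTH_SECRET = "{secret_b64}"\n'
        "PORT_RANGE = (41234, 41243)\n"
        "#PYTHON_END\n"
    )


def is_self_extracting(bat_text: str) -> bool:
    """True when PowerShell reads the script's own path and payload markers are present."""
    return bool(SELF_REF_RE.search(bat_text))


def carve_payload(bat_text: str):
    """Return the text between the markers, or None if the file has no payload."""
    m = MARKER_RE.search(bat_text)
    return m.group(1) if m else None


def sha256_hex(text: str) -> str:
    """Hash the carved source; matches a published IOC only if the bytes on disk are identical."""
    return hashlib.sha256(text.encode()).hexdigest()


def extract_config(payload: str) -> dict:
    """Recover host, auth secret and port range from the carved implant source."""
    cfg = {}
    host = CFG_HOST_RE.search(payload)
    if host:
        cfg["host"] = base64.b64decode(host.group(1)).decode()
    key, secret = CFG_KEY_RE.search(payload), CFG_SECRET_RE.search(payload)
    if key and secret:
        k = int(key.group(1), 16) if key.group(1).lower().startswith("0x") else int(key.group(1))
        cfg["auth_secret"] = xor_bytes(base64.b64decode(secret.group(1)), k).decode()
    ports = CFG_PORTS_RE.search(payload)
    if ports:
        cfg["ports"] = list(range(int(ports.group(1)), int(ports.group(2)) + 1))
    return cfg


SAMPLE_BAT = build_sample_bat()

if __name__ == "__main__":
    src = carve_payload(SAMPLE_BAT)
    print("self-extracting:", is_self_extracting(SAMPLE_BAT))
    print("payload sha256:", sha256_hex(src))
    print("config:", extract_config(src))
```

Point it at a real suspect .bat by replacing SAMPLE_BAT with the file's contents; the hash only lines up with a published IOC if line endings and trailing whitespace are written exactly as the dropper writes them, so compare against the svc.py on disk when one exists.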

Once connected, capabilities explode. Keylogging polls Windows APIs. The clipboard is monitored. Screenshots are taken via GDI or PowerShell. Webcam and mic are tapped with OpenCV and multimedia APIs. Browsers are hit hard: Chrome and Edge SQLite credential databases are dumped, Firefox profiles are harvested, and Windows Credential Manager is read. Cloud credentials are pulled from AWS, Azure, and GCP config files and environment variables. SSH keys are scanned. Wi-Fi passwords are collected. Recon covers system info and network scans. Shells: reverse or local. Files go up and down. Destructive options are also present: MBR wipe, forced BSOD, fork bombs.

“The backdoor communicates with attacker infrastructure via bore.pub, a tunneling service that allows external operators to reach internal systems without exposing traditional C2 infrastructure,” the Securonix team wrote in their detailed analysis, first reported by The Hacker News.

IOCs abound. Batch hash: 2c2386ef6416ce821e377223d2a3b79f2b7ea9e8dc9ed2549f4676fe060b7ddd. Python: 84515368e2f8ff4467e38bf48dabb267b5b895f54df5be5ceb5428a414ae15e9 (decoded variant too). VBS: c6f00569913cd6bd1017b26bd33bbb28f1d92b9c9e0f830adcc24af59e181d3e. Paths and bore.pub ports flagged.

And this fits a surge. Python’s ubiquity makes it a go-to for attackers—portable, powerful, overlooked. Take VIPERTUNNEL, tied to DragonForce ransomware. It hijacks Python’s sitecustomize.py for persistence, turns the runtime into a SOCKS5 proxy. Bypasses firewalls, stages data exfil pre-encryption. Or ABCDoor from Silver Fox’s tax phishing. Delivered via RustSL and ValleyRAT, this Cython-compiled Python backdoor uses Socket.IO over HTTPS for screen sharing, file ops, even mouse emulation. Versions evolved from 2024, hitting India and Russia hard, per Kaspersky’s report today.

Python supply-chain hits amplify the risk too. Compromised PyPI packages such as bittensor-wallet exfiltrated data via DNS tunneling and a DGA. A trojanized litellm release dropped backdoors that poll C2 servers. Defenders scramble.

Spot it early. On disk, hunt batch files whose PowerShell reads %~f0 and extracts a payload with a regex; in process telemetry the %~f0 has already been expanded by cmd.exe, so look instead for PowerShell that reads a .bat file and writes a .py. Flag bore.pub in egress traffic; it is rare in enterprise environments. Monitor VBS drops in the Startup folder that launch pythonw.exe. Watch for Defender exclusions added for paths under LocalAppData or for python.exe. Python processes with odd arguments. AMSI and ETW patches in memory. Behavioral blocks on credential dumps and webcam API use from scripts.
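The hunting ideas above, as an added example (not Securonix's detection content): a small rule set run over constructed Sysmon-style process, file and network events that replay the chain described in this article. The event records, paths and field names are assumptions; the transcription rule keys on the standard PowerShell policy location under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription.

```python
import re

# Constructed, simplified Sysmon-style events for the DEEP#DOOR chain (not real
# telemetry). cmd.exe expands %~f0 before spawning PowerShell, so the process log
# carries the resolved .bat path; the %~f0 literal is only visible on disk.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
REG = r"C:\Windows\System32\reg.exe"
PYW = r"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": CMD, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\install_obf.bat"'},
    {"id": 2, "type": "process", "image": PS, "parent": CMD,
     "cmdline": r'''powershell -NoP -W Hidden -c "$s=Get-Content -Raw 'C:\Users\alice\Downloads\install_obf.bat';if($s -match '(?s)#PYTHON_START(.*?)#PYTHON_END'){$matches[1]|Set-Content $env:LOCALAPPDATA\SystemServices\svc.py}"'''},
    {"id": 3, "type": "process", "image": PS, "parent": CMD,
     "cmdline": r"powershell -c Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionPath $env:LOCALAPPDATA\SystemServices -ExclusionProcess python.exe"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\netsh.exe", "parent": CMD,
     "cmdline": "netsh advfirewall set allprofiles logging droppedconnections disable"},
    {"id": 5, "type": "process", "image": REG, "parent": CMD,
     "cmdline": r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f"},
    {"id": 6, "type": "process", "image": REG, "parent": CMD,
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SystemServices /t REG_SZ /d "wscript.exe ' + STARTUP + r'\SystemServices.vbs" /f'},
    {"id": 7, "type": "file", "image": PS, "path": STARTUP + r"\SystemServices.vbs"},
    {"id": 8, "type": "process", "image": PYW, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'pythonw.exe "C:\Users\alice\AppData\Local\SystemServices\svc.py"'},
    {"id": 9, "type": "network", "image": PYW, "dest_host": "bore.pub", "dest_port": 41237},
    # Two benign events that must not fire anything.
    {"id": 10, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -c Get-Date"},
    {"id": 11, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]

# Command-line patterns. SELF_EXTRACT accepts either the on-disk %~f0 form or the
# expanded form: read a .bat/.cmd, regex-match it, write the result somewhere.
SELF_EXTRACT_RE = re.compile(
    r"(?:%~f0|Get-Content[^|;]*\.(?:bat|cmd)\b).*?(?:-match|\[regex\]).*?(?:Set-Content|Out-File|WriteAllText)",
    re.I | re.S)
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*?-(?:DisableRealtimeMonitoring|ExclusionPath|ExclusionProcess|"
    r"DisableIOAVProtection|DisableBehaviorMonitoring)", re.I | re.S)
FIREWALL_LOG_RE = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+logging\s+droppedconnections\s+disable", re.I)
TRANSCRIPT_RE = re.compile(r"PowerShell\\Transcription\b.*?EnableTranscripting.*?\b0\b", re.I)
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run\b.*?(?:pythonw?\.exe|[wc]script|\.vbs)", re.I)
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
BORE_PORTS = range(41234, 41244)  # 41234-41243 inclusive, per the article


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _cmd_rule(pattern):
    return lambda e: e["type"] == "process" and bool(pattern.search(e["cmdline"]))


def rule_startup_vbs_drop(e):
    return e["type"] == "file" and bool(STARTUP_VBS_RE.search(e["path"]))


def rule_python_from_script_host(e):
    return (e["type"] == "process" and _base(e["image"]) in {"python.exe", "pythonw.exe"}
            and _base(e["parent"]) in {"wscript.exe", "cscript.exe"})


def rule_bore_tunnel(e):
    if e["type"] != "network":
        return False
    host = e["dest_host"].lower()
    return host == "bore.pub" or host.endswith(".bore.pub") or e["dest_port"] in BORE_PORTS


RULES = {
    "self_extracting_batch": _cmd_rule(SELF_EXTRACT_RE),
    "defender_tamper": _cmd_rule(DEFENDER_TAMPER_RE),
    "firewall_logging_disabled": _cmd_rule(FIREWALL_LOG_RE),
    "transcription_disabled": _cmd_rule(TRANSCRIPT_RE),
    "run_key_script_launcher": _cmd_rule(RUN_KEY_RE),
    "startup_vbs_drop": rule_startup_vbs_drop,
    "python_from_script_host": rule_python_from_script_host,
    "bore_tunnel": rule_bore_tunnel,
}


def hunt(events):
    """Return (rule name, event id) pairs for every event that trips a rule."""
    return [(name, e["id"]) for e in events for name, pred in RULES.items() if pred(e)]


def triggered_chain(events):
    """Rule names in first-seen order; several stages on one host in minutes is the real signal."""
    seen = []
    for name, _ in hunt(events):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for name, eid in hunt(SAMPLE_EVENTS):
        print(f"{name:28s} event {eid}")
```

Any single rule here will produce noise in an admin-heavy environment (exclusions and firewall logging changes happen legitimately); correlate by host and parent chain, and treat the batch-to-PowerShell-to-pythonw sequence plus an outbound bore.pub connection as the alert, not the individual hits.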

DEEP#DOOR proves script-driven threats thrive on living-off-the-land. Attackers ditch binaries for interpreters. Detection lags. But armed with IOCs and behaviors from Securonix, teams can fight back. Block the tunnels. Patch the gaps. Watch the interpreters.
