New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials
Watch out: a new backdoor named DEEP#DOOR is targeting cloud and browser passwords
Alert: New DEEP#DOOR Python Backdoor Targets Cloud and Browser Credentials
For the Moroccan tech community—especially those of us managing cloud environments or local infrastructure—a new threat has emerged that demands our attention. Researchers at Securonix have recently uncovered DEEP#DOOR, a sophisticated Python-based backdoor designed for long-term espionage and credential theft.
TL;DR
DEEP#DOOR is a stealthy malware framework that uses the "bore.pub" tunneling service to bypass traditional network defenses. It begins with a malicious batch script that disables Windows security, extracts an embedded Python payload, and targets sensitive data including AWS, Azure, and Google Cloud credentials. While the campaign appears targeted rather than wide-scale, its modular nature makes it a significant risk for security practitioners.
The Anatomy of the Intrusion: From Batch to Backdoor
According to Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, the attack sequence starts with a batch script named install_obf.bat. This script is likely distributed via phishing, though the exact delivery mechanism remains uncertain.
Once executed, the script performs several critical actions:
- Security Neutralization: It disables Microsoft Defender and bypasses Windows SmartScreen.
- Payload Extraction: It dynamically extracts a Python script named svc.py that is embedded directly within the dropper. This "fileless" approach means the malware doesn't need to download the main payload from an external server, making it harder for network monitors to flag the initial activity.
- Persistence: The malware ensures it survives a system reboot by using multiple methods:
  - Startup folder scripts.
  - Registry Run keys (entries that tell Windows to run a program on startup).
  - Scheduled tasks.
  - Optional WMI (Windows Management Instrumentation) subscriptions, which allow scripts to run in response to system events.
Steering Clear of Detection: Stealth Mechanisms
DEEP#DOOR is built to "fly under the radar." For Moroccan sysadmins and SOC (Security Operations Center) analysts, it is important to understand the sophisticated evasion tactics this malware employs:
- AMSI and ETW Patching: The malware patches the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
- Technical Note: AMSI is a feature that allows antivirus products to inspect script buffers (like PowerShell or Python) at runtime. ETW is a kernel-level tracing facility that logs system events. By "patching" these, the malware effectively blinds local security tools.
- Anti-Analysis: It detects if it is running in a sandbox, a debugger, or a virtual machine (VM), and will cease operation to avoid being analyzed by researchers.
- Infrastructure Camouflage: Instead of connecting to a suspicious, unknown IP address, DEEP#DOOR uses bore.pub, a legitimate Rust-based tunneling service. Using a public service allows malicious Command and Control (C2) traffic to blend in with legitimate traffic, bypassing many firewall rules.
The Objective: Credential Harvesting and Surveillance
Once established, DEEP#DOOR operates as a full-featured Remote Access Trojan (RAT). It doesn't just sit quietly; it actively harvests high-value data:
- Cloud Infrastructure: It specifically targets credentials for Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. For Moroccan startups and enterprises migrating to the cloud, this is the highest risk factor.
- Browsers and OS: It steals saved passwords and cookies from Google Chrome and Mozilla Firefox, as well as secrets stored in the Windows Credential Manager.
- Full Surveillance: The operator can initiate keylogging, clipboard monitoring, take screenshots, access webcams, and even record ambient audio via the microphone.
Current Status and Uncertainties
As of April 2026, researchers indicate that DEEP#DOOR usage appears limited and "somewhat targeted." At this stage, there is no clear evidence suggesting which specific industries or geographic regions (including Morocco) are being systematically targeted. Furthermore, it is currently unknown how many infections have been successful or the exact identity of the threat actor behind the framework.
Defensive Recommendations for Practitioners
To protect your environment against DEEP#DOOR and similar Python-based threats, we recommend the following mitigations:
- Monitor Tunneling Services: Audit your network for unauthorized outbound connections to tunneling services like bore.pub.
- Audit Persistence Mechanisms: Regularly monitor Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), the Windows Startup folder, and Scheduled Tasks for unrecognized entries.
- Endpoint Visibility: Look for unauthorized patching of AMSI or suppression of PowerShell logging and ETW telemetry.
- WMI Monitoring: Use tools to inspect WMI event subscriptions, which are often overlooked by standard security audits.
- Phishing Awareness: Since the initial entry is a batch script via phishing, ensure that your teams are trained to treat unexpected .bat or .zip files with extreme caution.
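A read-only PowerShell audit that walks the persistence locations and the tunneling indicator listed above, added here as an example and not code from Securonix or the article. It assumes Windows PowerShell 5.1 or later on Windows 10/Server 2016 or newer; the non-Microsoft task-path filter and the interpreter pattern in step 3 are heuristics of this example, not indicators from the report.

```powershell
# Read-only audit of the persistence locations and the tunneling indicator
# named in the recommendations. Added example, not Securonix or article code.
# The WMI queries need an elevated prompt. Nothing is removed; triage each line.

# 1. Registry Run keys: the HKCU path from the article plus its HKLM equivalent.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        "[Run] $key -> $name = $($item.GetValue($name))"
    }
}

# 2. Startup folders for the current user and for all users.
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    ForEach-Object { "[Startup] $($_.FullName)" }

# 3. Non-Microsoft scheduled tasks whose action runs a script host or batch file
#    (heuristic pattern chosen for this example).
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'python|\.bat|\.py|cmd\.exe|wscript|cscript|powershell') {
            "[Task] $($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 4. Permanent WMI event subscriptions: filters (the trigger) and consumers (the action).
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { "[WMI filter] $($_.Name): $($_.Query)" }
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { "[WMI consumer] $($_.Name): $($_.CommandLineTemplate)" }

# 5. Established outbound connections to addresses the local DNS cache maps to bore.pub.
$boreIps = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match '(^|\.)bore\.pub$' -and $_.Data } |
    Select-Object -ExpandProperty Data
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $boreIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        "[Net] $proc (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort)"
    }
```

Step 5 only sees connections whose name resolution is still in the DNS cache, so pair it with proxy or firewall logs for a complete picture.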
DEEP#DOOR represents a shift toward modular, script-driven frameworks that leverage native system components to minimize their forensic footprint. Staying vigilant and monitoring for the "living off the land" techniques mentioned above is the best path to resilience.
Source: The Hacker News - New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials