
DEEP#DOOR: New Python Backdoor Silently Harvests Browser Passwords, Cloud Tokens, SSH Keys, and Wi-Fi Credentials

dark6 2 May 2026

Securonix Threat Research has published analysis of a dangerous new Python-based malware framework dubbed DEEP#DOOR, which combines a fully-featured remote access backdoor with an aggressive multi-vector credential-stealing engine. The malware is designed to operate silently within compromised Windows environments, harvesting browser passwords, cloud service tokens, SSH keys, and Wi-Fi credentials — in many cases exposing an entire organization’s access surface from a single infection.

Obfuscated Batch Loader: The Infection Chain

DEEP#DOOR enters target systems through an obfuscated Windows batch script, typically named finallyJob.bat. This file serves as the initial execution trigger and embeds the complete Python backdoor payload directly within itself rather than downloading it from an external source. Because no second stage is fetched, network-based detection tools never see a payload download to flag: the only delivery over the wire is the batch file itself, which is why detection has to happen on the host.

The infection begins the moment a user opens what appears to be a routine batch file. The loader dynamically extracts and executes the embedded Python Remote Access Tool payload (c.py), then establishes persistence before the victim has any indication that something is wrong. Because the payload travels inside the script, c.py can be recovered from a captured finallyJob.bat by peeling back the obfuscation statically, without ever running it.
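The loader pattern described above, a batch file that writes out and launches its own Python payload, is the first thing a responder can triage, and it is also the behavioural indicator the detection recommendations further down call out. The script below is an added example written for this page, not Securonix's tooling and not the malware's code. Its indicator regexes, scoring threshold and the two batch files it scans (one mimicking the loader pattern with split-variable obfuscation, one a routine build wrapper) are all constructed for illustration; it also reassembles the Python lines a loader writes with echo redirects so the payload can be read without executing anything.

```python
"""Static triage for the 'batch file carrying its own Python payload' loader pattern."""
import re
from pathlib import Path

# Heuristic indicators for this example (assumed here, not Securonix signatures).
INDICATORS = {
    "py_path": re.compile(r"[^\s\"'=]+\.pyw?\b", re.I),                       # references a .py/.pyw file
    "echo_to_file": re.compile(r"^\s*echo\s[^\n]*>>?\s*\"?[^\s\"]+", re.M | re.I),  # echo redirected to a file
    "echo_py_syntax": re.compile(                                              # Python source inside echo lines
        r"\becho\s+(?:import\s+\w+|from\s+\w+\s+import\b|def\s+\w+\s*\(|class\s+\w+\s*[(:])", re.I),
    "runs_python": re.compile(r"(?<![\w%.])(?:python|pythonw|py)(?:\.exe)?(?=\s)", re.I),
    "var_concat": re.compile(r"%[A-Za-z_]\w*%%[A-Za-z_]\w*%"),                 # %a%%b% split-string obfuscation
    "caret_obfuscation": re.compile(r"(?:\^[^\s^]){3,}"),                      # p^y^t^h^o^n
    "substring_expansion": re.compile(r"%[A-Za-z_]\w*:~-?\d+(?:,-?\d+)?%"),    # %var:~3,1%
    "decode_blob": re.compile(r"\bcertutil\b[^\n]*-decode|FromBase64String", re.I),
    "persistence": re.compile(r"\breg\s+add\b[^\n]*\\Run\b|\bschtasks\b[^\n]*/create\b|\\Startup\\", re.I),
}
# One 'echo <python line>>file' statement; group 1 is the Python line being written.
ECHO_LINE = re.compile(r"^\s*echo\s(.*?)\s*>>?\s*\"?[^\s\"]+\"?\s*$", re.M | re.I)


def triage_batch(text: str) -> dict:
    """Score a batch file; 'suspicious' if it demonstrably writes Python source or stacks 4+ indicators."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    drops_python = hits["echo_py_syntax"] and (hits["py_path"] or hits["echo_to_file"])
    score = sum(hits.values())
    verdict = "suspicious" if drops_python or score >= 4 else "benign"
    return {"verdict": verdict, "score": score, "hits": sorted(n for n, h in hits.items() if h)}


def recover_echoed_payload(text: str) -> str:
    """Reassemble the lines a loader writes via 'echo ...>file' into the dropped source, for reading only."""
    return "\n".join(m.group(1) for m in ECHO_LINE.finditer(text))


def triage_file(path) -> dict:
    """Convenience wrapper for a file on disk; keeps a short preview of any recovered payload."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    result = triage_batch(text)
    result["payload_preview"] = recover_echoed_payload(text)[:400]
    return result


# Constructed sample: the interpreter name is split across variables so a literal 'python' never appears.
SAMPLE_BAT = r'''@echo off
set "_a=pyth"
set "_b=on"
set "_t=%TEMP%\c.py"
echo import socket, subprocess>"%_t%"
echo def run(c): return subprocess.check_output(c, shell=True)>>"%_t%"
echo s=socket.socket()>>"%_t%"
start "" /min %_a%%_b% "%_t%"
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "%_a%%_b% %_t%" /f
'''

# Constructed benign sample: a build wrapper that also redirects echo output to a file.
BENIGN_BAT = r'''@echo off
set "LOG=%TEMP%\build.log"
echo Starting nightly build>"%LOG%"
call build.cmd >>"%LOG%" 2>&1
'''

if __name__ == "__main__":
    for label, text in (("sample loader", SAMPLE_BAT), ("build wrapper", BENIGN_BAT)):
        print(label, triage_batch(text))
    print("--- recovered payload ---")
    print(recover_echoed_payload(SAMPLE_BAT))
```

Note that the loader sample never contains the string python, which is why runs_python does not fire on it; the echo-written Python syntax plus the split-variable concatenation and the Run key are what carry the verdict. Real loaders layer further tricks (caret escapes, substring expansion, certutil-decoded blobs), and the indicator table has slots for those too.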

Extensive Evasion Before Deployment

Before activating the Python backdoor, DEEP#DOOR systematically dismantles runtime defenses on the compromised system:

  • Disables Windows SmartScreen
  • Patches AMSI (Antimalware Scan Interface) to prevent in-memory script scanning
  • Patches ETW (Event Tracing for Windows) to suppress telemetry collection
  • Clears Windows Event Logs to destroy forensic evidence
  • Applies timestamp stomping to hide malicious file activity
  • Performs sandbox detection to abort execution in analysis environments
  • Unhooks security DLLs and tampers with Windows Defender

This comprehensive pre-execution evasion routine ensures that by the time the actual backdoor is active, the host’s defensive and logging infrastructure has been largely neutralized.

Persistent Remote Access and Surveillance

DEEP#DOOR establishes multiple persistence mechanisms to survive reboots: Startup folder scripts, Registry Run keys, Scheduled Tasks, and optional WMI subscriptions provide overlapping layers of redundancy. The malware then connects to attacker-controlled infrastructure through a publicly available TCP tunneling service: the implant reaches a provider-assigned hostname and port, and the tunnel forwards the session on to the operator, so the covert command-and-control channel terminates at a legitimate service rather than at infrastructure the attacker registered.

The active backdoor module supports full remote command execution and an extensive surveillance capability set:

  • Real-time keylogging
  • Webcam photo capture
  • Microphone recording
  • Screen capture
  • File system browsing and exfiltration

Multi-Vector Credential Harvesting

The most operationally damaging component of DEEP#DOOR is its broad, systematic credential-harvesting engine. The malware targets several categories of sensitive authentication data simultaneously:

  • Browser passwords: The get_chrome_cred() and get_edge_cred() functions read the browsers' SQLite login databases to extract every stored credential from Chrome and Edge profiles. The passwords are encrypted at rest, but the classic protection is a per-profile key wrapped with DPAPI in the user's context, which a process running as that user can unwrap; on profiles that rely on that scheme the stealer needs no elevation.
  • SSH private keys: A dedicated get_ssh_key() function scans the filesystem and exfiltrates private SSH keys used for remote server access.
  • Cloud credentials: The get_cloud_cred() function searches configuration files and environment variables for AWS, Azure, and GCP service credentials and access tokens.
  • Wi-Fi passwords: The get_wifi_cred() function extracts every saved wireless network password. Windows keeps these in its saved WLAN profiles rather than in Credential Manager; netsh wlan show profile name=<SSID> key=clear is the usual way to read them back in clear text.

This multi-vector collection approach means a single DEEP#DOOR infection can expose an entire organization’s access surface in one sweep. Cloud infrastructure, remote servers, internal networks, and corporate applications may all be accessible to the attacker once initial credential exfiltration completes. Critically, even after detection and removal of the malware, the attacker retains all harvested credentials — re-entry into the environment remains trivial until comprehensive credential rotation is completed.
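The four categories above map onto concrete files and variables in the victim's profile, and the first response task is to enumerate them so that the rotation list is complete before the host is rebuilt. The script below is an added example written for this page, not Securonix's or the malware's code. It reports where each store is and what kind of material it holds without reading any secret. The store paths are the usual ones for Chrome, Edge, OpenSSH, the AWS CLI, the Azure CLI and gcloud on a Windows profile and are assumed here; the sample profile it builds in a temporary directory is constructed, and the OpenSSH key files in it are stubs carrying only the header fields the parser reads, not usable keys. The AKIA/ASIA distinction relies on AWS's published key-ID convention (AKIA prefixes long-term IAM keys, ASIA prefixes temporary STS keys), and the OpenSSH check reads the ciphername field of the openssh-key-v1 container, which is "none" for a passphrase-less key.

```python
"""Exposure inventory after a credential-stealer infection: which stores exist on this profile."""
import base64
import configparser
import os
import tempfile
from pathlib import Path

# Usual store locations on a Windows user profile (assumed for this example).
BROWSER_PROFILE_DIRS = {"Chrome": "AppData/Local/Google/Chrome/User Data",
                        "Edge": "AppData/Local/Microsoft/Edge/User Data"}
CLOUD_FILES = {"Azure CLI token cache": [".azure/msal_token_cache.json", ".azure/accessTokens.json"],
               "gcloud credentials": ["AppData/Roaming/gcloud/credentials.db"]}
CLOUD_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
             "AZURE_CLIENT_SECRET", "GOOGLE_APPLICATION_CREDENTIALS")


def ssh_key_is_encrypted(text: str) -> bool:
    """True if a PEM or OpenSSH-format private key needs a passphrase before it can be used."""
    if "Proc-Type: 4,ENCRYPTED" in text:            # legacy PEM encryption marker
        return True
    if "BEGIN OPENSSH PRIVATE KEY" not in text:
        return False
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    raw = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return False
    off = len(magic)
    n = int.from_bytes(raw[off:off + 4], "big")     # first string field of the container: ciphername
    return raw[off + 4:off + 4 + n] != b"none"


def inventory(home: Path, env: dict) -> list:
    """List credential stores present under a profile; metadata only, no secret is read or returned."""
    found = []
    for browser, rel in BROWSER_PROFILE_DIRS.items():
        base = home / rel
        if base.is_dir():
            for db in base.glob("*/Login Data"):
                found.append({"store": f"{browser} passwords", "where": str(db),
                              "note": f"all logins saved in profile {db.parent.name}"})
    ssh = home / ".ssh"
    if ssh.is_dir():
        for f in ssh.iterdir():
            if f.is_file() and f.suffix != ".pub":
                text = f.read_text(errors="replace")
                if "PRIVATE KEY-----" in text:
                    enc = ssh_key_is_encrypted(text)
                    found.append({"store": "SSH private key", "where": str(f),
                                  "note": "passphrase-protected" if enc else "UNENCRYPTED: usable immediately"})
    creds = home / ".aws" / "credentials"
    if creds.is_file():
        cp = configparser.ConfigParser()
        cp.read(creds)
        for prof in cp.sections():
            kid = cp[prof].get("aws_access_key_id", "")
            kind = ("long-lived IAM key" if kid.startswith("AKIA")
                    else "temporary (STS) key" if kid.startswith("ASIA") else "unknown key type")
            found.append({"store": f"AWS profile [{prof}]", "where": str(creds), "note": kind})
    for store, rels in CLOUD_FILES.items():
        for rel in rels:
            if (home / rel).is_file():
                found.append({"store": store, "where": str(home / rel), "note": "cached tokens"})
    for var in CLOUD_ENV:
        if var in env:
            found.append({"store": "environment variable", "where": var, "note": "set in user environment"})
    return found


def _stub_openssh_key(cipher: bytes) -> str:
    """Constructed stub: only the container header the parser inspects, NOT a real or usable key."""
    raw = b"openssh-key-v1\x00" + len(cipher).to_bytes(4, "big") + cipher + (4).to_bytes(4, "big") + b"none"
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample_profile(root: Path) -> None:
    """Constructed fixture: present-but-empty stores with AWS's documented example key IDs."""
    (root / "AppData/Local/Google/Chrome/User Data/Default").mkdir(parents=True)
    (root / "AppData/Local/Google/Chrome/User Data/Default/Login Data").write_bytes(b"")
    (root / ".ssh").mkdir()
    (root / ".ssh/id_ed25519").write_text(_stub_openssh_key(b"none"))
    (root / ".ssh/id_work").write_text(_stub_openssh_key(b"aes256-ctr"))
    (root / ".ssh/id_ed25519.pub").write_text("ssh-ed25519 AAAA user@host\n")
    (root / ".ssh/config").write_text("Host bastion\n  User ops\n")
    (root / ".aws").mkdir()
    (root / ".aws/credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = redacted\n\n"
        "[ci]\naws_access_key_id = ASIAIOSFODNN7EXAMPLE\naws_secret_access_key = redacted\n"
        "aws_session_token = redacted\n")
    (root / ".azure").mkdir()
    (root / ".azure/msal_token_cache.json").write_text("{}")


def demo() -> list:
    """Build the constructed profile in a temp dir and inventory it with a constructed environment."""
    home = Path(tempfile.mkdtemp(prefix="deepdoor-ir-"))
    build_sample_profile(home)
    return inventory(home, {"AWS_SESSION_TOKEN": "redacted", "PATH": os.environ.get("PATH", "")})


if __name__ == "__main__":
    for row in demo():
        print(f"{row['store']:<28} {row['note']:<32} {row['where']}")
```

Run against a real profile with inventory(Path.home(), dict(os.environ)). Saved Wi-Fi profiles are deliberately not covered: they live outside the user profile and are read on the live host with netsh wlan show profiles. The passphrase and STS annotations do not change the rotation decision, they only order it: an unencrypted key or a long-lived AKIA key is usable the moment it lands on the attacker's side, whereas a passphrase-protected key or an expired session token buys a little time.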

Detection and Defensive Recommendations

  • Monitor for batch files executing embedded Python payloads — particularly scripts that dynamically write and execute Python code from within a .bat file. This is a strong behavioral indicator of DEEP#DOOR or similar loaders.
  • Alert on AMSI and ETW patching. Both patches are applied in the malware's own process memory (the scan routine in amsi.dll and the event-write routine ETW relies on) and require no administrative rights, so the signal to look for is in-process tampering with those loaded DLLs, not a privilege boundary being crossed. Legitimate software has no reason to modify them.
  • Audit Scheduled Tasks and Registry Run keys for unfamiliar entries, particularly those pointing to Python executables or temporary file locations.
  • Monitor for outbound TCP tunneling traffic over non-standard ports to unknown infrastructure, and for connections to public tunneling providers from hosts with no business reason to use them; with a tunneling service in the loop, the destination resolves to the provider, not to attacker-registered infrastructure.
  • Rotate all credentials immediately on any system where DEEP#DOOR is confirmed — browser-stored passwords, SSH keys, cloud tokens, and Wi-Fi credentials should all be treated as compromised.
  • Deploy application allowlisting to prevent unauthorized Python interpreter execution on non-developer endpoints.
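The persistence, anti-forensics and command-and-control behaviours described on this page each leave a Sysmon or Windows event, and the recommendations above can be expressed as hunt rules over those events. The script below is an added example for this page, not Securonix's detection content. It runs the rules over a constructed batch of event records shaped like a SIEM export (the Sysmon event IDs and field names such as Image, CommandLine, TargetObject, Details and DestinationIp are the real ones; the hostnames, paths, IP addresses and the Run value name are made up) and escalates any host that shows several distinct behaviours, since one Run key or one Python process reaching the internet is noise on its own and a chain of them is not.

```python
"""Hunt rules for DEEP#DOOR-style behaviour over Sysmon / Windows event records."""
import ipaddress
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"\\(?:Temp|AppData\\Local\\Temp)\\", re.I)
PY_EXE = re.compile(r"\\pythonw?\.exe$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def suspicious_target(s: str) -> bool:
    """Persistence payloads that point at temp directories, scripts or a Python interpreter."""
    low = s.lower().rstrip('"')
    return bool(TEMP_DIR.search(s)) or "python" in low or low.endswith((".bat", ".py", ".pyw", ".vbs"))


def match(ev: dict):
    """Return (rule, detail) when a record matches a hunt rule, else None."""
    ch, eid, f = ev["channel"], ev["event_id"], ev["fields"]
    image = f.get("Image", "")
    if (ch, eid) in {("Security", 1102), ("System", 104)}:       # audit / system log cleared
        return "log_cleared", f"{ch} log cleared by {f.get('SubjectUserName', '?')}"
    if ch != "Sysmon":
        return None
    if eid == 1:                                                  # process create
        cmd, parent = f.get("CommandLine", ""), f.get("ParentCommandLine", "")
        if PY_EXE.search(image) and re.search(r"\.bat\b", parent, re.I) and TEMP_DIR.search(cmd):
            return "bat_drops_python", f"{parent} launched {cmd}"
        if image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower() and suspicious_target(cmd):
            return "schtask_persistence", cmd
    elif eid == 13 and RUN_KEY.search(f.get("TargetObject", "")) and suspicious_target(f.get("Details", "")):
        return "run_key_persistence", f"{f['TargetObject']} -> {f['Details']}"
    elif eid == 11 and STARTUP.search(f.get("TargetFilename", "")):
        return "startup_folder_persistence", f["TargetFilename"]
    elif eid in (19, 20, 21):                                     # WMI filter / consumer / binding
        return "wmi_persistence", f"Sysmon {eid}: {f.get('Name', '')}"
    elif eid == 3 and PY_EXE.search(image) and f.get("Initiated") == "true" and f.get("DestinationIp"):
        ip = ipaddress.ip_address(f["DestinationIp"])
        if not any(ip in net for net in INTERNAL):                # interpreter talking to the internet
            return "python_outbound", f"{image} -> {ip}:{f.get('DestinationPort', '?')}"
    elif eid == 2 and (PY_EXE.search(image) or image.lower().endswith("\\cmd.exe")):
        return "timestomp", f"{image} rewrote creation time of {f.get('TargetFilename', '')}"
    return None


def hunt(events) -> list:
    """Apply every rule to every record; one alert dict per hit."""
    alerts = []
    for ev in events:
        hit = match(ev)
        if hit:
            alerts.append({"host": ev["host"], "rule": hit[0], "detail": hit[1]})
    return alerts


def correlate(alerts, min_rules: int = 3) -> dict:
    """Escalate hosts that show min_rules or more distinct behaviours: {host: sorted rule names}."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


def ev(host, channel, event_id, **fields):
    return {"host": host, "channel": channel, "event_id": event_id, "fields": fields}


PY = r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe"
SAMPLE_EVENTS = [  # constructed records, not from a real incident
    ev("WS-042", "Sysmon", 1, Image=PY, CommandLine=r'python.exe "C:\Users\alice\AppData\Local\Temp\c.py"',
       ParentCommandLine=r'cmd.exe /c "C:\Users\alice\Downloads\finallyJob.bat"'),
    ev("WS-042", "Sysmon", 13, Image=PY, Details=r"C:\Users\alice\AppData\Local\Temp\c.py",
       TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UpdateHelper"),
    ev("WS-042", "Sysmon", 13, Image=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
       TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
       Details=r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ev("WS-042", "Sysmon", 2, Image=PY, TargetFilename=r"C:\Users\alice\AppData\Local\Temp\c.py"),
    ev("WS-042", "Security", 1102, SubjectUserName="alice"),
    ev("WS-042", "Sysmon", 3, Image=PY, Initiated="true", DestinationIp="203.0.113.10", DestinationPort="17563"),
    ev("WS-042", "Sysmon", 3, Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       Initiated="true", DestinationIp="203.0.113.20", DestinationPort="443"),
    ev("WS-077", "Sysmon", 1, Image=PY, CommandLine=r"python.exe C:\dev\tool.py",
       ParentCommandLine=r"cmd.exe /c build.bat"),
    ev("WS-077", "Sysmon", 1, Image=r"C:\Windows\System32\schtasks.exe", CommandLine=
       r'schtasks.exe /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /sc daily'),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']}  {a['rule']:<26} {a['detail']}")
    print("escalate:", correlate(found))
```

The developer host WS-077 runs Python from a batch file and creates a scheduled task, and neither event fires because the script is not in a temp directory and the task points at a vendor path; WS-042 trips five distinct rules and is escalated. The AMSI and ETW patches themselves are not in this set because they leave no standard Windows event; that signal has to come from an EDR's in-process memory integrity checks.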

DEEP#DOOR represents the continued maturation of Python-based offensive tooling targeting Windows environments. Its combination of deep evasion, persistent access, remote surveillance, and systematic credential collection makes it a particularly dangerous implant for organizations that lack robust behavioral detection capabilities and cloud credential hygiene practices.
