New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Summary

Securonix researchers disclosed DEEP#DOOR, a Python-based backdoor framework that establishes persistent access and harvests sensitive data including browser credentials, SSH keys, and cloud provider credentials. The malware is distributed via phishing-delivered batch scripts that disable Windows security controls, extract a Python payload, and use bore.pub (a Rust tunneling service) for command-and-control to execute remote commands, keylogging, webcam access, and extensive surveillance. DEEP#DOOR employs sophisticated anti-analysis and defense evasion techniques including sandbox/VM detection, AMSI patching, Defender tampering, and persistent watchdog mechanisms that auto-recreate persistence artifacts.

Full text

New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials Ravie LakshmananApr 30, 2026Cloud Security / Threat Intelligence Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. It's assessed that the batch script is distributed via traditional approaches like phishing. It's currently not known how widespread attacks distributing the malware are, and if any of those infections have been successful. "Based on our current analysis, there is no clear evidence to suggest that this malware framework was widely used in large-scale or highly active campaigns," Gaikwad, senior security research engineer at Securonix, told The Hacker News via email. "Its observed usage appears to be limited and somewhat targeted rather than broadly distributed." "At this stage, we have not identified consistent indicators pointing to specific geographies or industry sectors being systematically targeted. However, given the modular nature of the framework, it is possible that different threat actors could adapt it for varied use cases over time." What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from where it's extracted, reconstructed, and executed. This reduces the need for repeatedly having to reach out to external infrastructure and minimizes the forensic footprint. Once launched, the malware establishes communication with "bore[.]pub," a Rust-based tunneling service, allowing the operator to issue commands that facilitate remote command execution and extensive surveillance. This includes - Reverse shell System reconnaissance Keylogging Clipboard monitoring Screenshot capture Webcam access Ambient audio recording Web browser credential harvesting SSH key extraction Credentials stored in Google Chrome, Mozilla Firefox, and Windows Credential Manager Cloud credential theft (Amazon Web Services, Google Cloud, and Microsoft Azure) The use of public TCP tunneling service for command-and-control (C2) offers several advantages in that it eliminates the need for setting up dedicated infrastructure, blends malicious traffic, and avoids embedding details of the server within the payload. In parallel, DEEP#DOOR incorporates a bevy of anti-analysis and defense evasion mechanisms, such as sandbox, debugger, and virtual machine (VM) detection, AMSI and Event Tracing for Windows (ETW) patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass, PowerShell logging suppression, command-line wiping, timestamp stomping, and log clearing, to fly under the radar and complicate incident response efforts. It also employs multiple persistence mechanisms that involve creating Windows Startup folder scripts, Registry Run keys, and scheduled tasks, while also relying on a watchdog mechanism to make sure the persistence artifacts have not been removed, and if so, automatically recreate them, making remediation challenging. "The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments," Securonix said. "The implant prioritizes evading detection and forensic visibility by directly tampering with Windows security and telemetry mechanisms." "DEEP#DOOR highlights the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages like Python. By embedding the payload directly within the dropper and extracting it at runtime, the malware significantly reduces external dependencies and limits traditional detection opportunities." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cloud security, Credential Theft, cybersecurity, Malware, Phishing, Remote Access Trojan, Threat Intelligence, windows security Trending News Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization

Indicators of Compromise

• domain — bore.pub
• malware — DEEP#DOOR
• malware — install_obf.bat
• malware — svc.py

Entities