
Ethical Hacking News

New Deep#Door RAT Uses Stealthy Persistence to Target Windows Systems


Deep#Door is a newly discovered Python-based backdoor that uses stealthy persistence mechanisms to target Windows systems. Its command-and-control traffic takes an unconventional route: a legitimate public TCP tunneling service called bore.pub. That choice makes the activity harder to detect and attribute, and underlines why security researchers should focus on behavioral signals.

  • Deep#Door is a newly discovered Python-based backdoor that uses stealthy persistence mechanisms to target Windows systems.
  • The malware embeds the payload into a batch file and reads itself to extract a hidden Python payload, which contains a fully featured remote access tool.
  • The malware includes advanced anti-analysis and defense evasion mechanisms to evade detection and analysis.
  • Deep#Door employs an unconventional approach to command-and-control (C2) communications using a legitimate public TCP tunneling service called bore.pub.
  • The malware scans a dynamic range of ports to find an active tunnel and authenticates using a challenge-response mechanism, making it difficult to detect.
  • The malware includes destructive capabilities such as overwriting the Master Boot Record or forcing a system crash.
  • Securonix recommends focusing detection efforts on behavioral signals rather than file signatures due to the evolving threat landscape.



    Deep#Door is a newly discovered Python-based backdoor that has been found to use stealthy persistence mechanisms to target Windows systems. The malware campaign, which was uncovered by security researchers at Securonix, employs a sophisticated delivery method that involves embedding the payload directly into a batch file, known as install_obf.bat. This technique allows the malware to avoid detection and evade traditional security measures.

    Once executed, the batch file reads itself and extracts a hidden Python payload, which is then written quietly to a designated folder on the system. The extracted file, svc.py, contains a fully featured remote access tool that allows attackers to execute shell commands, capture screenshots, record audio, log keystrokes, access the webcam, harvest stored passwords from browsers, steal SSH keys and cloud credentials, and scan internal networks.

    The malware also includes advanced anti-analysis and defense evasion mechanisms, such as sandbox detection, AMSI and ETW patching, ntdll unhooking, Windows Defender tampering, command-line wiping, timestamp stomping, and log clearing. These measures make it difficult for security researchers to detect and analyze the malware, even in a controlled environment.

    Furthermore, Deep#Door employs an unconventional approach to command-and-control (C2) communications, using a legitimate public TCP tunneling service called bore.pub. This allows attackers to expose internal services to the internet without opening firewall ports, eliminating the need for dedicated attacker-controlled servers. The use of this public service also makes it harder to attribute the malicious activity and detect network-based attacks.

    The malware scans a dynamic range of ports to find an active tunnel and authenticates using a challenge-response mechanism. Once connected, it maintains a covert channel that looks like ordinary tunneling traffic, making it difficult for security researchers to distinguish legitimate from malicious traffic.

    In addition to its stealthy persistence mechanisms and unconventional C2 communications, Deep#Door also includes several destructive capabilities, such as overwriting the Master Boot Record or forcing a system crash. These capabilities suggest that the malware could shift from espionage to sabotage if needed.

    Securonix recommends focusing detection efforts on behavioral signals rather than file signatures, highlighting the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages like Python.

    Because bore.pub is public tunneling infrastructure, the attackers need no dedicated servers of their own, and the resulting command-and-control channel is both resilient and easy to blend with legitimate traffic patterns.

    In conclusion, Deep#Door is a sophisticated malware campaign that uses stealthy persistence mechanisms, unconventional C2 communications, and destructive capabilities to target Windows systems. Its use of public tunneling infrastructure makes it harder to detect and attribute malicious activity, highlighting the need for security researchers to focus on behavioral signals and adapt their detection strategies accordingly.
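As an added example (not from the article or from Securonix), the following script applies the behavioral approach the article recommends to the C2 pattern it describes: one process on one host probing many ports on the public tunneling host bore.pub within a short time window. The log format, host names, port numbers, window length and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real telemetry):
# timestamp, host, process, destination, destination port.
SAMPLE_LOG = """\
2026-05-01T10:00:01 WS01 python.exe bore.pub 30011
2026-05-01T10:00:02 WS01 python.exe bore.pub 30012
2026-05-01T10:00:02 WS01 python.exe bore.pub 30013
2026-05-01T10:00:03 WS01 python.exe bore.pub 30014
2026-05-01T10:00:04 WS01 python.exe bore.pub 30015
2026-05-01T10:00:05 WS01 python.exe bore.pub 30016
2026-05-01T10:30:00 WS02 chrome.exe example.com 443
2026-05-01T10:31:00 WS02 chrome.exe example.com 443
2026-05-01T11:00:00 WS03 python.exe bore.pub 30020
"""

TUNNEL_HOSTS = {"bore.pub"}      # public tunneling service named in the report
WINDOW = timedelta(seconds=60)   # assumed analysis window
MIN_PORTS = 5                    # assumed distinct-port threshold for an alert


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, host, proc, dst, port = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), dst.lower(), int(port)


def find_tunnel_probes(log_text, window=WINDOW, min_ports=MIN_PORTS):
    """Return (host, process, destination, ports) for each host/process pair
    that touched at least `min_ports` distinct ports on a tunneling host
    within `window`. Keys on behavior, not on any file hash or path."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, proc, dst, port = parse(line)
            if dst in TUNNEL_HOSTS:
                attempts[(host, proc, dst)].append((ts, port))
    alerts = []
    for key, seq in attempts.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):          # sliding time window
            while seq[end][0] - seq[start][0] > window:
                start += 1
            ports = {p for _, p in seq[start:end + 1]}
            if len(ports) >= min_ports:      # one alert per host/process
                alerts.append((*key, sorted(ports)))
                break
    return alerts
```

A single connection to the tunneling host (WS03 above) is not flagged at the default threshold; the rapid sweep across several ports from a Python interpreter is.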



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-DeepDoor-RAT-Uses-Stealthy-Persistence-to-Target-Windows-Systems-ehn.shtml

  • https://securityaffairs.com/191567/malware/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html


  • Published: Sat May 2 04:54:53 2026 by llama3.2 3B Q4_K_M
