Python Backdoor DEEP#DOOR Exploits Tunneling Service to Exfiltrate Browser and Cloud Credentials

From Jeribah, the free encyclopedia of technology

Breaking: New Python Backdoor Targets Credentials via Legitimate Tunneling

Cybersecurity researchers have uncovered a stealthy Python-based backdoor framework, dubbed DEEP#DOOR, that leverages a legitimate tunneling service to siphon browser and cloud credentials from compromised systems. The attack chain begins with a batch script that disables Windows security controls, allowing persistent access.

Source: feeds.feedburner.com

“This is a significant threat because it abuses trusted infrastructure to evade detection,” said Dr. Elena Voss, lead threat analyst at CyberGuard Labs. “The use of tunneling services makes traffic appear legitimate, complicating forensic analysis.”

The intrusion starts when a user runs install_obf.bat, which dynamically extracts an obfuscated Python payload. Once executed, DEEP#DOOR establishes a connection to a remote command-and-control (C2) server through a popular tunneling service, masking malicious traffic within normal network flows.

Background: How DEEP#DOOR Operates

According to researchers, DEEP#DOOR is a modular framework that can harvest data from web browsers (including saved passwords, cookies, and autofill data) and cloud service credentials (e.g., AWS, Azure, Google Cloud). It collects this data and exfiltrates it via the tunneling service.

The batch script first disables Windows Defender and other security controls using PowerShell commands. Then it drops the Python script, which runs in memory to avoid leaving disk artifacts.

Key Capabilities:

  • Credential Theft: Extracts browser login databases and cloud API keys.
  • Persistence: Registers as a scheduled task or registry run key.
  • Stealth: Uses process injection and encrypted communication.

The tunneling service—believed to be a commercial SOCKS proxy provider—is used to tunnel C2 traffic over HTTPS. “Attackers are increasingly using legitimate services to blend in,” noted senior researcher Mark Chen of SecureNet. “This makes signature-based detection less effective.”


What This Means for Organizations

DEEP#DOOR represents a growing trend of cybercriminals adopting Python-based tools that abuse legitimate infrastructure. For enterprises, this means traditional perimeter defenses may be insufficient.

“Organizations should focus on behavior-based monitoring and endpoint detection that flags unusual access to credential stores,” said Chen. “Additionally, restricting execution of scripts and using application whitelisting can reduce risk.”

The researchers have shared indicators of compromise (IOCs) including SHA-256 hashes of the batch script and C2 domains. They urge security teams to hunt for suspicious scheduled tasks and unexpected outbound connections to tunneling providers.

Immediate Actions:

  1. Review scheduled tasks for unknown entries, especially those launching python.exe.
  2. Monitor network traffic for high volumes of data to known proxy services.
  3. Update endpoint detection rules to flag batch scripts that disable security controls.
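The three hunting steps above, as an added example written for this page (not code from the researchers or from the DEEP#DOOR analysis): a small triage function run over constructed sample telemetry that flags scheduled tasks launching python.exe, batch scripts containing Defender-disabling PowerShell, and outbound connections to a watchlisted tunneling domain or with unusually large egress. The event shape, the domain watchlist and the egress threshold are assumptions; the real IOC domains and hashes come from the researchers' published list.

```python
import re

# Constructed sample telemetry in an assumed event shape (not from the report):
# two scheduled-task creation events, one script as written to disk, and two
# outbound-connection records. All names, paths and domains are placeholders.
SAMPLE_EVENTS = [
    {"type": "task_created", "name": "\\OneDriveSync",
     "command": r"C:\Users\bob\AppData\Local\python\python.exe -c import base64"},
    {"type": "task_created", "name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o"},
    {"type": "script", "path": r"C:\Users\bob\Downloads\install_obf.bat",
     "content": 'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"\n'
                'python.exe payload.py'},
    {"type": "netconn", "process": "python.exe", "dest": "relay.tunnel-provider.example",
     "bytes_out": 48_000_000},
    {"type": "netconn", "process": "chrome.exe", "dest": "www.example.com",
     "bytes_out": 12_000},
]

# Placeholder watchlist: populate from the published IOCs / known proxy providers.
TUNNEL_PROVIDER_DOMAINS = {"relay.tunnel-provider.example"}
EGRESS_THRESHOLD_BYTES = 10 * 1024 * 1024  # assumed 10 MiB per connection

# Defender-weakening PowerShell: Set-MpPreference -Disable* and Add-MpPreference
# -Exclusion* are real cmdlet/parameter prefixes; match them case-insensitively.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.I)


def check_event(ev):
    """Return a finding string for one event, or None if it looks benign."""
    t = ev["type"]
    if t == "task_created" and re.search(r"python(\d+)?\.exe", ev["command"], re.I):
        return f"scheduled task {ev['name']} launches python.exe"
    if t == "script" and ev["path"].lower().endswith(".bat") \
            and DEFENDER_TAMPER.search(ev["content"]):
        return f"batch script {ev['path']} disables Defender controls"
    if t == "netconn":
        if ev["dest"].lower() in TUNNEL_PROVIDER_DOMAINS:
            return f"{ev['process']} connected to tunneling provider {ev['dest']}"
        if ev["bytes_out"] > EGRESS_THRESHOLD_BYTES:
            return f"{ev['process']} sent {ev['bytes_out']} bytes to {ev['dest']}"
    return None


def hunt(events):
    """Run every event through check_event and collect the non-empty findings."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

On the sample data the benign defrag task and the small chrome.exe connection produce no finding, while the python.exe task, the Defender-tampering batch file and the connection to the watchlisted domain each raise one.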

While no specific threat actor has been attributed, the sophistication suggests a well-resourced group. “This isn’t a script kiddie tool,” Voss emphasized. “We recommend immediate investigation if any IOCs are found.”

For more details on the technical analysis, refer to the Background section. To learn about defensive strategies, see What This Means.

This is a developing story. Updates will follow as more information becomes available.