DEEP#DOOR: Stealthy Python Backdoor Framework Targets Windows Systems with Advanced Evasion Techniques
Cybersecurity researchers have uncovered a sophisticated Python-based backdoor framework dubbed **DEEP#DOOR**, designed for persistent access and extensive data harvesting from compromised **Windows** hosts. The malware employs a range of anti-analysis and defense evasion tactics, making detection and remediation particularly challenging for security professionals.

### Deep Dive into DEEP#DOOR
Researchers at **Securonix** have released details about **DEEP#DOOR**, a stealthy Python backdoor framework with potent capabilities. The attack chain begins with a batch script (`install_obf.bat`) that disables **Windows** security controls and extracts an embedded Python payload (`svc.py`). Persistence is established through various mechanisms, including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions.
According to **Securonix** researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, the batch script is likely distributed via phishing. While the extent of the malware's spread remains unclear, current analysis suggests targeted rather than widespread usage.
### Key Features and Functionality
A notable aspect of **DEEP#DOOR** is the embedding of the core Python implant directly within the dropper script. This eliminates the need for frequent external infrastructure communication and minimizes the forensic footprint.
Upon execution, the malware communicates with `bore[.]pub`, a Rust-based tunneling service, enabling remote command execution and extensive surveillance. Capabilities include:
* Reverse shell
* System reconnaissance
* Keylogging
* Clipboard monitoring
* Screenshot capture
* Webcam access
* Ambient audio recording
* Web browser credential harvesting
* SSH key extraction
* Harvesting of credentials stored in **Google Chrome**, **Mozilla Firefox**, and **Windows Credential Manager**
* Cloud credential theft (**Amazon Web Services**, **Google Cloud**, and **Microsoft Azure**)
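The write-up names `bore[.]pub` as the tunnel the implant reaches for its C2 channel and Python as the implant's runtime. The following PowerShell, added here as an illustration and not code from Securonix or the write-up, inventories established outbound TCP connections owned by Python interpreter processes on a Windows host and checks the local DNS client cache for that domain (defanged in the article, written plainly here so the match works). The interpreter process names and the 72-hour window are assumptions to tune for your environment.

```powershell
# Added example (not Securonix code): list outbound TCP connections owned by Python
# interpreter processes and check the DNS cache for the tunnelling domain named in the write-up.
# Assumption: the implant runs under python.exe/pythonw.exe; adjust $InterpreterNames as needed.

$InterpreterNames = @('python', 'pythonw', 'py')
$TunnelDomain     = 'bore.pub'   # written defanged as bore[.]pub in the article

function Get-InterpreterConnections {
    $procs   = Get-Process | Where-Object { $InterpreterNames -contains $_.ProcessName.ToLower() }
    $procIds = @($procs | Select-Object -ExpandProperty Id)
    if ($procIds.Count -eq 0) { return @() }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $procIds -contains $_.OwningProcess } |
        ForEach-Object {
            $owner = $procs | Where-Object Id -eq $_.OwningProcess
            # Win32_Process gives the full command line, which shows the script the interpreter runs
            $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)").CommandLine
            [pscustomobject]@{
                Process       = $owner.ProcessName
                ProcessId     = $_.OwningProcess
                CommandLine   = $cmd
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        }
}

function Get-TunnelDnsHits {
    # Any cached record for the tunnel domain means something on this host resolved it recently
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$TunnelDomain*" -or $_.RecordName -like "*$TunnelDomain*" } |
        Select-Object Entry, RecordName, Data
}

Get-InterpreterConnections | Format-Table -AutoSize -Wrap
Get-TunnelDnsHits          | Format-Table -AutoSize
```

A Python interpreter with an established connection to an address it has no business reaching, or a script path under a user profile or temp directory on the command line, is the signal to pivot on; the DNS cache is short-lived, so capture it early in triage. The same two checks translate directly into EDR or SIEM queries (process name, command line, remote address, DNS query) for fleet-wide hunting.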

### Evasion and Persistence
**DEEP#DOOR** utilizes a public TCP tunneling service for command-and-control (C2), blending its malicious traffic with ordinary use of the service and avoiding the need for dedicated infrastructure. It also incorporates anti-analysis and defense evasion mechanisms, such as:
* Sandbox, debugger, and virtual machine (VM) detection
* AMSI and Event Tracing for Windows (ETW) patching
* NTDLL unhooking
* **Microsoft Defender** tampering
* SmartScreen bypass
* PowerShell logging suppression
* Command-line wiping
* Timestamp stomping
* Log clearing
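Several items in the list above (Defender tampering, PowerShell logging suppression, SmartScreen bypass, log clearing, timestamp stomping) change host state that a defender can audit directly or that leaves a trace in the Windows event logs. The PowerShell below is an added example, not code from Securonix or the write-up: it reports the current state of those controls, pulls the Microsoft-documented events that log clearing and Defender changes generate, and applies a simple heuristic for stomped timestamps in the Startup folders. The 72-hour lookback and the Startup-folder scope are assumptions; run it in an elevated session.

```powershell
# Added example (not Securonix code): audit the defensive controls the write-up says
# DEEP#DOOR tampers with, and collect the event-log traces such tampering leaves behind.
# Assumes an elevated session; event IDs are Microsoft's documented values.

function Get-DefenseControlState {
    $mp     = Get-MpPreference     -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $sbl    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $ss     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DefenderRealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        DefenderTamperProtection   = [bool]$status.IsTamperProtected
        RealtimeMonitoringDisabled = [bool]$mp.DisableRealtimeMonitoring
        ExclusionPaths             = (@($mp.ExclusionPath) -join ';')   # unexpected exclusions hide the implant
        ScriptBlockLoggingEnabled  = ($sbl.EnableScriptBlockLogging -eq 1)
        SmartScreen                = $ss.SmartScreenEnabled              # expected: 'Warn' or 'RequireAdmin', not 'Off'
    }
}

function Get-TamperEvents {
    param([int]$Hours = 72)   # assumed lookback window
    $since   = (Get-Date).AddHours(-$Hours)
    $queries = @(
        @{ LogName = 'Security'; Id = 1102 }   # audit log cleared
        @{ LogName = 'System';   Id = 104  }   # an event log was cleared
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 }  # real-time protection disabled
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }  # Defender configuration changed
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
    }
}

# Heuristic for timestamp stomping: a file whose last-write time precedes its creation
# time has had its metadata altered. Scoped here to the Startup folders the write-up names.
function Find-StompedStartupFiles {
    $dirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $_.CreationTime.AddMinutes(-1) } |
        Select-Object FullName, CreationTime, LastWriteTime
}

Get-DefenseControlState   | Format-List
Get-TamperEvents          | Format-Table -AutoSize -Wrap
Find-StompedStartupFiles  | Format-Table -AutoSize
```

Event 1102 is itself the durable artifact of log clearing: the cleared log's history is gone, but the clearing event remains and should be forwarded off-host so the malware cannot remove it a second time. Because Defender tampering and logging suppression are visible as state, a baseline of `Get-DefenseControlState` taken on a known-good build makes any drift easy to spot in a fleet comparison.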
The malware employs multiple persistence mechanisms, including Windows Startup folder scripts, registry Run keys, and scheduled tasks, with a watchdog that recreates any persistence artifact that is removed.
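The persistence locations the write-up names (Startup folders, registry Run keys, scheduled tasks, and optional WMI subscriptions) can be enumerated from one elevated PowerShell session. The script below is an added example, not code from Securonix or the write-up: it collects entries from all four locations into one table and flags those whose command invokes a Python interpreter, a batch file, or another script host. The flagging pattern is an assumption to tune for the environment; it is a review aid, not a verdict.

```powershell
# Added example (not Securonix code): enumerate the persistence locations named in the
# write-up and flag entries that invoke an interpreter or script host.
# Assumption: commands referencing python/pythonw, .py/.bat/.cmd files or script hosts
# deserve review; tune $SuspiciousPattern for your environment.

$SuspiciousPattern = 'python(w)?\.exe|\.py\b|\.bat\b|\.cmd\b|wscript|cscript|mshta|powershell'

function Test-Suspicious {
    param([string]$CommandLine)
    return (-not [string]::IsNullOrEmpty($CommandLine)) -and ($CommandLine -match $SuspiciousPattern)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Startup folders (per-user and all-users)
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source = 'StartupFolder'; Name = $_.FullName; Command = $_.Name; Flag = Test-Suspicious $_.Name
        })
    }
}

# 2. Registry Run / RunOnce keys (HKCU and HKLM, including the WOW6432Node view)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |   # skip provider metadata
        ForEach-Object {
            $value = [string]$_.Value
            $findings.Add([pscustomobject]@{
                Source = 'RunKey'; Name = "$key\$($_.Name)"; Command = $value; Flag = Test-Suspicious $value
            })
        }
}

# 3. Scheduled tasks: inspect each action's executable and arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $findings.Add([pscustomobject]@{
            Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd; Flag = Test-Suspicious $cmd
        })
    }
}

# 4. WMI permanent event subscriptions: command-line consumers bound to event filters
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source = 'WMIConsumer'; Name = $_.Name; Command = $_.CommandLineTemplate; Flag = Test-Suspicious $_.CommandLineTemplate
        })
    }

# Report flagged entries first; the unflagged remainder still deserves a read for anything unexpected
$findings | Sort-Object -Property Flag -Descending | Format-Table -AutoSize -Wrap
```

Because the write-up describes a watchdog that recreates removed artifacts, deleting a single Run key or task proves nothing on its own: isolate the host, stop the interpreter process running the implant, remove every entry this inventory surfaces, then re-run the script after a few minutes to confirm nothing has reappeared.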
### Implications for Security Professionals
**Securonix** emphasizes that **DEEP#DOOR** represents a shift towards fileless, script-driven intrusion frameworks that leverage native system components and interpreted languages like Python. Embedding the payload directly within the dropper reduces external dependencies and limits detection opportunities.
Security professionals should remain vigilant, deploy robust endpoint detection and response (EDR) tooling to identify and mitigate threats like **DEEP#DOOR**, and regularly review and update security policies to keep pace with the evolving tactics of threat actors.