Overview of the DEEP#DOOR Threat
Cybersecurity researchers have uncovered a sophisticated Python-based backdoor framework named DEEP#DOOR. This malicious toolkit is designed to establish long-term access to compromised systems and stealthily harvest a wide range of sensitive data, including browser credentials and cloud platform secrets. What sets DEEP#DOOR apart is its use of a legitimate tunneling service to exfiltrate stolen information, making it harder for traditional security tools to detect.

Attack Chain: From Batch Script to Persistent Backdoor
The infection process begins with a seemingly innocuous batch script, install_obf.bat. Once executed on a Windows machine, this script immediately disables key security controls, such as Windows Defender real-time monitoring and automatic sample submission, to clear the path for the payload. It then dynamically extracts the core Python backdoor from its own code, leaving no static file on disk for antivirus engines to flag.
Disabling Security Controls
The script employs Windows Management Instrumentation (WMI) commands to:
- Turn off Windows Defender real-time protection
- Disable cloud-delivered protection
- Pause automatic reporting of potential threats
- Remove Defender's exclusion list (if any was previously set)
This aggressive 'kill switch' approach gives the adversary a window of opportunity to deploy the backdoor without triggering alerts.
Dynamic Extraction of the Payload
Rather than dropping a separate Python script onto disk, install_obf.bat contains the entire backdoor code encoded within it. The script decodes and executes the payload directly in memory, using Python's interpreter which is either already present or downloaded silently. This fileless technique substantially reduces forensic evidence.
Tunneling for Exfiltration: How DEEP#DOOR Avoids Detection
A distinctive feature of DEEP#DOOR is its integration with third-party tunneling services, such as ngrok or similar tools. Instead of opening a direct outbound connection to a remote command-and-control (C2) server—which could be blocked by firewalls or flagged by network monitors—the backdoor encrypts and tunnels stolen data through a public tunnel endpoint. This makes traffic appear as legitimate HTTPS connections to a cloud service, effectively blending in with normal corporate traffic.
The backdoor periodically checks for new commands by polling the tunnel endpoint, allowing the attacker to issue instructions without establishing a persistent reverse shell. This sporadic communication pattern further evades detection by network anomaly systems.
Targeted Data: Browser Credentials and Cloud Secrets
Once DEEP#DOOR achieves persistence (via registry run keys or scheduled tasks), it begins systematic data collection:

- Browser credentials: login data, cookies, saved passwords from Chrome, Edge, Firefox, and other Chromium-based browsers.
- Cloud session tokens: OAuth tokens, AWS keys, Azure service principal secrets, and Google Cloud authentication credentials stored by browser sessions or CLI tools.
- System information: hostname, username, domain, installed security software, network configuration.
The backdoor filters for high-value targets—it specifically looks for keywords like 'aws', 'azure', 'gcp', 'cloud', 'admin', and 'token' in file names and process memory. All collected data is compressed, encrypted, and sent via the tunneling service, ensuring confidentiality even if intercepted.
Mitigation and Recommendations
Organizations can defend against DEEP#DOOR-like threats by adopting a layered security approach:
- Restrict script execution: Enable PowerShell constrained language mode and block execution of untrusted batch scripts (*.bat) through AppLocker or Windows Defender Application Control.
- Monitor for tunneling services: Use network detection rules to flag known ngrok domains or generic HTTPS tunnels originating from client workstations.
- Endpoint detection and response (EDR): Deploy EDR tools that can detect in-memory payload injections and anomalous Python interpreter activity.
- Least privilege access: Ensure critical cloud management consoles are only accessible from privileged access workstations with additional authentication steps.
- User awareness: Train users to be cautious about opening unsolicited attachments that trigger PowerShell or batch scripts.
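The detection recommendations above (flagging Defender tampering, tunneling-service domains and Python interpreters launched from batch scripts) can be combined into a single host-level triage rule. The following is an added example written for this article, not tooling from the researchers or from any vendor; the event schema (`type`, `host`, `event_id`, `dst_host`, `image`, `parent_image`, `parent_cmdline`) is constructed to stand in for normalized Defender, proxy/DNS and process-creation telemetry, and the sample events are constructed, not captured from a real incident. Defender event IDs 5001 (real-time protection disabled) and 5007 (configuration changed) are taken from the Microsoft-Windows-Windows Defender/Operational log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Microsoft-Windows-Windows Defender/Operational event IDs that indicate the
# kind of tampering install_obf.bat performs: 5001 = real-time protection
# disabled, 5007 = Defender configuration changed.
DEFENDER_TAMPER_IDS = {5001, 5007}

# Hostname suffixes used by the ngrok tunneling service. Other tunnel
# providers a site wants to flag can be added as further alternatives.
TUNNEL_DOMAIN_RE = re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_event(ev):
    """Apply the three single-event rules to one normalized event.

    The event dict layout is an assumption of this example, not a real
    product schema. Returns a Finding or None.
    """
    kind = ev.get("type")

    if kind == "defender" and ev.get("event_id") in DEFENDER_TAMPER_IDS:
        return Finding(ev["host"], "defender_tamper", f"event {ev['event_id']}")

    if kind == "network" and TUNNEL_DOMAIN_RE.search(ev.get("dst_host", "")):
        return Finding(ev["host"], "tunnel_domain", ev["dst_host"])

    if kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        parent_cmd = ev.get("parent_cmdline", "")
        # A Python interpreter whose parent is cmd.exe running a .bat file
        # matches the batch-to-Python hand-off described for install_obf.bat.
        if image.endswith("python.exe") and parent.endswith("cmd.exe") \
                and ".bat" in parent_cmd.lower():
            return Finding(ev["host"], "python_from_batch", parent_cmd)

    return None


def triage(events):
    """Run the rules over all events and escalate hosts that trip two or
    more distinct rules, which is the combination worth an analyst's time.

    Returns (findings, escalated_hosts).
    """
    findings = [f for f in map(check_event, events) if f is not None]
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    escalated = sorted(h for h, rules in rules_by_host.items() if len(rules) >= 2)
    return findings, escalated


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 is benign
# Python use, WS-03 has a lone Defender configuration change.
SAMPLE_EVENTS = [
    {"type": "defender", "host": "WS-01", "event_id": 5001},
    {"type": "process", "host": "WS-01",
     "image": r"C:\Python311\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c C:\Users\user\Downloads\install_obf.bat"},
    {"type": "network", "host": "WS-01", "dst_host": "abcd1234.ngrok-free.app"},
    {"type": "process", "host": "WS-02",
     "image": r"C:\Python311\python.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe"},
    {"type": "network", "host": "WS-02", "dst_host": "www.example.com"},
    {"type": "defender", "host": "WS-03", "event_id": 5007},
]

if __name__ == "__main__":
    found, hosts = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.rule:18} {f.detail}")
    print("escalate:", hosts)
```

The escalation step is what keeps this usable: a single 5007 event or a single ngrok lookup is common enough on developer workstations to be noise, but a host that disables real-time protection, spawns Python from a batch file and then talks to a tunnel endpoint is the pattern the article describes and deserves immediate review.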
The DEEP#DOOR campaign serves as a stark reminder that modern backdoors increasingly leverage legitimate services to hide in plain sight. Defenders must remain vigilant, combining behavioral analysis with a proactive hunt for fileless, tunneling-based threats.