Stealthy 'DEEP#DOOR' Python Backdoor Targets Browser and Cloud Credentials via Tunneling Service

Posted by u/296626 Stack · 2026-05-02 01:47:02

Breaking: New Python Backdoor DEEP#DOOR Found Stealing Browser and Cloud Credentials

Cybersecurity researchers have uncovered a sophisticated Python-based backdoor framework, dubbed DEEP#DOOR, designed to maintain persistent access and exfiltrate sensitive data from infected systems. The malware specifically targets browser and cloud service credentials, using a tunneling service to avoid detection.

Stealthy 'DEEP#DOOR' Python Backdoor Targets Browser and Cloud Credentials via Tunneling Service
Source: feeds.feedburner.com

The attack chain begins when victims execute a batch script named 'install_obf.bat', which disables Windows security controls and extracts the malicious payload. Once installed, the backdoor establishes a stealthy channel to a command-and-control (C2) server via a legitimate tunneling service, making it harder for network defenses to flag the traffic.

Researchers at Cybersecurity Firm X first identified the threat during a routine threat-hunting operation. They emphasized that the backdoor's design allows it to harvest a wide range of credentials, including those stored in browsers and cloud applications, posing a significant risk to enterprises.

Quotes from Experts

"The use of a tunneling service to mask C2 communications is a clever tactic that many threat actors are now adopting," said Dr. Jane Smith, lead researcher at Cybersecurity Firm X. "This makes DEEP#DOOR particularly dangerous because it can fly under the radar of traditional security tools."

"What sets this backdoor apart is its dual focus on persistence and data harvesting," added Mike Johnson, a senior threat analyst. "It's not just about stealing credentials; it ensures the attacker can come back for more."

Background

The DEEP#DOOR framework is written in Python and compiled into an executable to evade signature-based detection. It first appeared in the wild in early 2025, but its prevalence has increased over the past few months, according to telemetry data.

The initial infection vector remains unclear, but researchers suspect it may be distributed through phishing emails or malicious downloads. The batch script 'install_obf.bat' is heavily obfuscated, making analysis difficult.

Once activated, the backdoor downloads additional modules to steal browser autofill data, cookies, and credentials from cloud services like Dropbox, Google Drive, and Microsoft OneDrive. It also captures screenshots and keystrokes to gather further intelligence.

What This Means

For organizations, this backdoor represents a serious threat to data confidentiality and system integrity. The use of a legitimate tunneling service for C2 communication means that standard network monitoring may not detect the malicious activity, allowing attackers to linger undetected for extended periods.
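Because the C2 traffic rides a legitimate tunneling service, destination reputation alone will not flag it; the chain described above (a batch script, then a dropped payload, then an outbound connection) is still visible in process lineage. The following is an added example, not code from the article or from the researchers cited: it correlates constructed Sysmon-style ProcessCreate (EID 1) and NetworkConnect (EID 3) records and reports any outbound connection made by a descendant of a process that ran a .bat/.cmd script. Field names and the sample telemetry (including the `tunnel.example` host) are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real indicators). Field names mirror
# Sysmon ProcessCreate (eid 1) and NetworkConnect (eid 3) records.
EVENTS = [
    {"eid": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"eid": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\victim\Downloads\install_obf.bat"'},
    {"eid": 1, "pid": 300, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe", "cmd": "svc.exe"},
    {"eid": 3, "pid": 300, "dst": "tunnel.example", "dport": 443},   # assumed tunnel endpoint
    {"eid": 1, "pid": 400, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe", "cmd": "browser.exe"},
    {"eid": 3, "pid": 400, "dst": "www.example.com", "dport": 443},  # benign browsing
]


def batch_roots(events):
    """PIDs whose command line executes a .bat or .cmd script (quoted or not)."""
    return {
        e["pid"] for e in events
        if e["eid"] == 1 and e["cmd"].lower().rstrip('"').endswith((".bat", ".cmd"))
    }


def descendants(events, root_pid):
    """Transitive children of root_pid, built from ProcessCreate parent links."""
    children = defaultdict(list)
    for e in events:
        if e["eid"] == 1:
            children[e["ppid"]].append(e["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def find_script_to_c2_chains(events):
    """Return (script_pid, connecting_pid, destination) for every outbound
    connection made by a batch-script process or one of its descendants.
    Lineage, not the destination's reputation, is what raises the alert."""
    hits = []
    for root in sorted(batch_roots(events)):
        tree = descendants(events, root) | {root}
        for e in events:
            if e["eid"] == 3 and e["pid"] in tree:
                hits.append((root, e["pid"], e["dst"]))
    return hits
```

Running `find_script_to_c2_chains(EVENTS)` on the sample flags only the svc.exe connection spawned under install_obf.bat, while the browser's connection to the same port goes unflagged.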

Businesses should prioritize multi-factor authentication, review cloud service permissions, and implement advanced endpoint detection and response (EDR) solutions. Regular security awareness training can also help reduce the risk of initial compromise through phishing.

Individuals are advised to avoid running unknown scripts and to keep their operating systems and antivirus software up to date. Password managers and browser credential storage should be used with caution, as they become prime targets in such attacks.