Warning: New “Deep#Door” Malware Steals Your Private Cloud Keys

A dangerous new Python-based threat named DEEP#DOOR has surfaced, and it’s proving that modern malware doesn’t need complex binaries to be lethal. This “Swiss Army Knife” of malware combines a persistent remote access tool (RAT) with a devastatingly effective credential-stealing engine.

Uncovered by the Securonix Threat Research team in late April 2026, DEEP#DOOR is designed for one thing: total system takeover. By embedding itself deep within Windows systems, it quietly harvests everything from your Wi-Fi passwords to your production cloud credentials, often without triggering a single antivirus alert.


The Infection: A “Self-Contained” Script Trap

Most malware downloads its heavy machinery after it lands. DEEP#DOOR takes a different, stealthier path.

  • The Lure: It arrives as a simple, obfuscated batch file, often named finallyJob.bat.
  • The Payload: The entire Python backdoor is embedded directly inside the batch file. This “living-off-the-script” approach allows it to bypass network-based detection tools that look for suspicious payload downloads.
  • Defense Stripping: Before the backdoor even initializes, it patches AMSI and ETW (the Antimalware Scan Interface and Event Tracing for Windows, the hooks security products rely on to see script content and runtime events), disables SmartScreen, and timestomps its files so that its activity looks like it happened years ago.

The “Keys to the Kingdom” Stealer

While its surveillance features—like keylogging and webcam hijacking—are invasive, the real danger lies in its credential harvesting engine. DEEP#DOOR doesn’t just look for passwords; it looks for access.

Targeted Data   Function Used       Impact
Cloud Tokens    get_cloud_cred()    Steals AWS, Azure, and GCP environment variables and config files.
SSH Keys        get_ssh_key()       Exfiltrates private keys, allowing hackers to move into remote servers.
Browsers        get_chrome_cred()   Extracts SQLite databases containing stored logins from Chrome and Edge.
Wi-Fi           get_wifi_cred()     Scans the Registry and Credential Manager for saved Wi-Fi passwords.

Once these are exfiltrated, removing the malware from the initial computer isn’t enough. The attackers now have the keys to your entire cloud infrastructure and internal servers.


Detection & Defense: Stopping the Backdoor

Because DEEP#DOOR uses Python scripts rather than a traditional .exe, it can be invisible to basic file-scanning tools. Security teams must shift to behavioral monitoring.

  1. Monitor the Startup Folder: DEEP#DOOR loves to drop scripts in the Windows Startup folder and Registry Run keys to ensure it survives a reboot.
  2. Audit Outbound Tunneling: The malware uses public TCP tunneling services to communicate. Watch for unusual outbound traffic over non-standard ports.
  3. Watch for “Script Spawning”: Use EDR tools to alert on cmd.exe or powershell.exe activity involving long, Base64-encoded command lines.
  4. Rotate Immediately: If an infection is suspected, rotate all Cloud Access Keys and SSH Keys immediately. Assume they have already been stolen.
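As an added worked example (not code from the original post or from the Securonix research), here is a small Python triage script that turns steps 1 to 3 above into behavioural rules and runs them over constructed Sysmon-style events: script hosts launched with encoded or unusually long command lines, script files dropped into a Startup folder or writes to Run/RunOnce keys, and a script interpreter connecting outbound on a port it has no business using. The event shapes, the thresholds (LONG_CMDLINE, EXPECTED_PORTS), the interpreter list and every sample path are assumptions to tune for your own environment; step 4 (key rotation) is a process action and is not modelled.

```python
"""Triage constructed host telemetry for the DEEP#DOOR behaviours described above."""
import base64
import re

# --- Detection lists and thresholds (assumptions; tune to your environment) ---
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_INTERPRETERS = SCRIPT_HOSTS | {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}
LONG_CMDLINE = 500                        # chars; above this a command line counts as "long"
EXPECTED_PORTS = {80, 443}                # ports a script interpreter may legitimately use
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".py", ".pyw", ".ps1", ".vbs", ".js")
STARTUP_MARKER = "\\programs\\startup\\"  # per-user and all-users Startup folders
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# A run of 100+ base64 characters; PowerShell -EncodedCommand blobs are far longer.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
# Common spellings of -EncodedCommand (PowerShell accepts any unambiguous prefix).
ENC_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?(?=\s)", re.IGNORECASE)


def image_name(path):
    """Bare executable name, lower-cased, from a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand blob (base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev):
    """Step 3: script hosts with long or encoded command lines, or batch files run from user-writable dirs."""
    if image_name(ev["image"]) not in SCRIPT_HOSTS:
        return []
    cmd = ev["cmdline"]
    reasons = []
    if len(cmd) >= LONG_CMDLINE:
        reasons.append(f"command line of {len(cmd)} chars")
    if ENC_FLAG.search(cmd):
        reasons.append("-EncodedCommand flag")
    m = BASE64_RUN.search(cmd)
    if m:
        decoded = decode_encoded_command(m.group())
        detail = f", decodes to {decoded[:32]!r}" if decoded else ""
        reasons.append(f"base64 run of {len(m.group())} chars{detail}")
    low = cmd.lower()
    if ".bat" in low and ("\\downloads\\" in low or "\\temp\\" in low):
        reasons.append("batch file launched from a user-writable directory")
    return reasons


def check_persistence(ev):
    """Step 1: script files dropped in a Startup folder, or Run/RunOnce key writes."""
    target = ev["target"].lower()
    reasons = []
    if ev["kind"] == "file" and STARTUP_MARKER in target and target.endswith(SCRIPT_EXTENSIONS):
        reasons.append("script written to a Startup folder")
    if ev["kind"] == "registry" and any(k in target for k in RUN_KEY_MARKERS):
        reasons.append("Run/RunOnce key modified")
    if reasons and image_name(ev["image"]) in SCRIPT_INTERPRETERS:
        reasons.append("written by a script interpreter")
    return reasons


def check_network(ev):
    """Step 2: a script interpreter talking outbound on an unexpected port (tunnelling services rarely use 80/443 only)."""
    name = image_name(ev["image"])
    if name in SCRIPT_INTERPRETERS and ev["dst_port"] not in EXPECTED_PORTS:
        return [f"{name} connected to {ev['dst_ip']}:{ev['dst_port']}"]
    return []


CHECKS = {"process": check_process, "file": check_persistence,
          "registry": check_persistence, "network": check_network}


def triage(events):
    """Return (event index, kind, reasons) for every event at least one rule fires on."""
    alerts = []
    for i, ev in enumerate(events):
        reasons = CHECKS[ev["kind"]](ev)
        if reasons:
            alerts.append((i, ev["kind"], reasons))
    return alerts


# --- Constructed sample telemetry shaped like Sysmon events (not real logs) ---
SAMPLE_SCRIPT = "Write-Output 'constructed sample: a stand-in for a long encoded command line'"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\finallyJob.bat"'},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"kind": "file", "image": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"kind": "registry", "image": "python.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"kind": "network", "image": "pythonw.exe", "dst_ip": "203.0.113.10", "dst_port": 18423},
    {"kind": "network", "image": "chrome.exe", "dst_ip": "203.0.113.20", "dst_port": 443},
]

if __name__ == "__main__":
    for idx, kind, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx} [{kind}]: " + "; ".join(reasons))
```

The rules are deliberately narrow so they stay readable: in a real EDR query you would also join the process event to its parent (a batch file spawning python.exe under cmd.exe is the chain the post describes) and baseline EXPECTED_PORTS per host rather than hard-coding two values.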
