DEEP#DOOR backdoor uses bore.pub tunneling to steal credentials

DEEP#DOOR embeds a Python implant in a batch dropper, disables Windows defenses and uses bore.pub tunneling for C2 to steal browser, SSH and cloud credentials.

Securonix researchers Akshay Gaikwad, Shikha Sangwan and Aaron Beardslee reported DEEP#DOOR, a Python-based backdoor that embeds its core implant inside a batch dropper and disables multiple Windows defenses.

The attack begins with a batch file named ‘install_obf.bat’. The script reconstructs an embedded Python file called ‘svc.py’, turns off Windows security controls and creates persistence using Startup folder scripts, Registry Run keys, scheduled tasks and optional WMI subscriptions. The researchers assess the batch script is likely distributed through phishing; the number of infected systems is unknown.

By embedding the Python implant inside the dropper, operators avoid external downloads and leave fewer artifacts. When executed, the implant connects to bore.pub, a public Rust-based TCP tunneling service, to carry command-and-control traffic.

The tunnel lets the operator open a reverse shell, run system reconnaissance and issue remote commands. The implant can capture keystrokes and clipboard contents, take screenshots, record webcam images and ambient audio, extract browser credentials and SSH keys, and read credentials from Windows Credential Manager. It can also harvest cloud credentials tied to Amazon Web Services, Google Cloud and Microsoft Azure.

The malware includes anti-analysis and defense-evasion techniques. The implant checks for sandboxes, debuggers and virtual machines, patches AMSI and Event Tracing for Windows, unhooks NTDLL, tampers with Microsoft Defender and bypasses SmartScreen. It suppresses PowerShell logging, wipes command-line history, stomps timestamps and clears logs. A watchdog process monitors and recreates removed persistence artifacts.

The Securonix report notes that using a public tunneling service removes the need for dedicated infrastructure, mixes malicious traffic with legitimate tunneled connections and avoids hard-coded server details. The report adds that embedding the payload reduces observable artifacts and complicates detection.

The report states: ‘The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments.’

There is no public attribution for the campaign and no firm data on infection scale. Organizations should review endpoint controls, monitor for unusual tunneling service use and validate persistence artifacts to detect and remediate similar script-based intrusions.
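One way to act on that recommendation is to sweep the four persistence locations the article names (Startup folders, Registry Run keys, scheduled tasks and WMI event subscriptions) and flag entries that launch batch or Python scripts or reference the tunneling service. This is an added example for defenders, not code from the Securonix report; the suspicious-pattern list is an assumption and should be tuned to the environment.

```powershell
# Added example (not from the Securonix report): enumerate the persistence
# locations named in the article and flag entries that launch batch or Python
# scripts or reference bore.pub. The pattern list below is an assumption.
$suspicious = '\.(bat|cmd|py|pyw)(\s|"|$)|python(w)?\.exe|bore\.pub'
$findings = @()

# 1. Startup folders (per-user and all-users)
$startupDirs = @(
  [Environment]::GetFolderPath('Startup'),
  [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
  Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'Startup'; Name = $_.Name; Command = $_.FullName }
  }
}

# 2. Registry Run keys (HKCU and HKLM); skip PowerShell's own PS* metadata properties
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
  $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
  if ($props) {
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
      $findings += [pscustomobject]@{ Source = 'RunKey'; Name = $_.Name; Command = [string]$_.Value }
    }
  }
}

# 3. Scheduled tasks: record each action's executable and its arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
  $task = $_
  foreach ($action in $task.Actions) {
    $cmd = "$($action.Execute) $($action.Arguments)"
    $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Command = $cmd }
  }
}

# 4. WMI event subscriptions: CommandLineEventConsumer runs an arbitrary command line
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
  ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'WMIConsumer'; Name = $_.Name; Command = $_.CommandLineTemplate }
  }

# Report only the entries whose command matches the suspicious pattern (-match is case-insensitive)
$findings | Where-Object { $_.Command -match $suspicious } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM key, all users' tasks and the root\subscription namespace are readable; a hit on the Startup or WMI sources deserves the closest look, since the article describes a watchdog that recreates removed artifacts.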
