A newly identified stealthy Python-based backdoor framework provides attackers with persistent remote command execution and surveillance capabilities on Windows computers, according to Securonix. The malware’s infection chain starts with a batch script that disables several security controls, then loads an embedded Python payload and establishes multi-layered persistence.
Deep#Door, the backdoor, is designed to run at user logon, perform environment checks to avoid virtual machines and sandboxes, and enable tasks such as shell commands, file manipulation, system and network reconnaissance, and surveillance including keylogging, clipboard monitoring, screenshots, and access to microphone and webcam. It can also harvest credentials and SSH keys and shift to destructive actions, such as overwriting the Master Boot Record and exhausting system resources.
The malware constructs a range of potential C&C ports and uses public tunneling to blend in with legitimate traffic, which Securonix highlights as evidence of its layered defence evasion and of payload reconstruction both in memory and on disk; the report's authors note that it was likely built for espionage.

1 May 2026.