Security researchers at Securonix have flagged a sophisticated campaign called Deep#Door: a Python-based backdoor embedded inside a batch dropper that reconstructs itself in memory and on disk during execution, targeting Windows systems. The loader reads install_obf.bat, extracts the hidden Python payload into svc[.]py, and quietly writes it to %LOCALAPPDATA%\SystemServices\ to blend in with legitimate components.
Deep#Door disables Windows Defender, turns off PowerShell logging, suppresses firewall logs, and bypasses SmartScreen, then activates a fully featured remote access tool capable of capturing screenshots, recording audio, logging keystrokes, accessing webcams, and harvesting credentials, with the option to overwrite the Master Boot Record or crash the system.
It survives reboots through multiple persistence points—Windows Startup, Run keys, scheduled tasks, and WMI event subscriptions—with a watchdog that recreates any deleted artefacts. For command-and-control, it uses bore[.]pub, a public TCP tunnelling service, to conceal traffic and avoid dedicated attacker infrastructure, making attribution harder and detection more difficult. Deep#Door also checks for virtual environments to avoid analysis and communicates via a covert channel over a dynamically scanned port range.
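As an added defender-side check (not code from the Securonix report and not part of the malware), the PowerShell triage script below enumerates the persistence locations the article names: the drop folder, the Startup folder, Run keys, scheduled tasks and WMI event subscriptions. The folder and file names come from the article; the match patterns are an assumption for illustration.

```powershell
# Added triage script: reports (does not remove) artefacts in the persistence
# locations named above. Folder/file names are from the article; the regex
# patterns are assumptions. Run in an elevated PowerShell on the suspect host.
$pattern  = 'svc\.py|SystemServices'
$findings = @()

# 1. Dropped payload directory under %LOCALAPPDATA%
$dropDir = Join-Path $env:LOCALAPPDATA 'SystemServices'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File: $($_.FullName)" }
}

# 2. Startup folder entries referencing the payload
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object { $findings += "Startup: $($_.FullName)" }

# 3. Run keys (current user and machine) whose command references the payload
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $pattern } |
            ForEach-Object { $findings += "RunKey: $key\$($_.Name) = $($_.Value)" }
    }
}

# 4. Scheduled tasks whose actions launch the payload
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $pattern
    } |
    ForEach-Object { $findings += "Task: $($_.TaskPath)$($_.TaskName)" }

# 5. Permanent WMI event subscriptions: filters, consumers and their bindings.
#    Every entry is listed, since any permanent subscription deserves review.
foreach ($class in '__EventFilter', 'CommandLineEventConsumer',
                   'ActiveScriptEventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += "WMI ${class}: $(($_ | Out-String -Width 200).Trim())"
        }
}

if ($findings.Count -eq 0) { 'No matching artefacts found.' } else { $findings }
```

Because the article describes a watchdog that recreates deleted artefacts, treat the output as one set to be removed together (watchdog process, WMI binding, task, Run key and files), not as entries to delete one at a time.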