CYBERSECURITY researchers have detailed a stealthy Python-based backdoor framework named DEEP#DOOR that provides persistent access to compromised hosts and harvests a wide range of sensitive information from them, in a report published on 30 April 2026.
The intrusion chain begins with a batch script that disables Windows security controls, extracts an embedded Python payload from a dropper, and establishes persistence through Startup folder scripts, Registry Run keys, scheduled tasks, and optional WMI subscriptions, according to Securonix.
Once active, the implant communicates with bore[.]pub, a Rust-based tunneling service, enabling the operator to issue commands for remote control, including reverse shell, system reconnaissance, keylogging, clipboard monitoring, screenshot capture, webcam access and ambient audio recording, as well as credential theft from Google Chrome, Mozilla Firefox and Windows Credential Manager, and cloud credentials from AWS, Google Cloud and Azure.
The backdoor is designed to evade detection with anti-analysis and defence-evasion techniques such as sandbox/VM detection, Defender tampering, and timestamp stomping (timestomping), and relies on a watchdog mechanism to recreate persistence artefacts if they are removed, so remediation is difficult unless the watchdog and every persistence mechanism are removed together. The use of a public TCP tunnelling service for C2 helps conceal activity by blending with normal outbound traffic and by avoiding hard-coded C2 server details in the payload, which would otherwise be a ready-made indicator.
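The persistence locations listed for the intrusion chain (Startup folder, Run keys, scheduled tasks, WMI subscriptions), the Defender tampering and the bore.pub C2 channel can be triaged in one host hunt. The script below is an added example for this page, not code from Securonix or from the DEEP#DOOR framework; the keyword pattern it matches on (python, .py/.pyw, .bat, bore.pub) is an assumed generic indicator rather than a report IOC, and it relies only on standard cmdlets present on Windows 10/11 with Defender installed. Run it in an elevated PowerShell session on the host under investigation.

```powershell
# Added hunting script (not from the Securonix report or the DEEP#DOOR code).
# Enumerates the persistence locations named in the article plus Defender state
# and DNS cache, and flags entries matching a generic Python/tunnel pattern.
# $Suspect is an assumption for illustration, not a published indicator.
$Suspect = 'python|pythonw|\.pyw?\b|\.bat\b|bore\.pub'

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Source, [string]$Name, [string]$Value, [switch]$Always) {
    # Record an entry when it matches the pattern, or unconditionally with -Always
    if ($Always -or $Value -match $Suspect) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }
}

# 1. Registry Run / RunOnce keys for the machine and the current user
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($P in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        # Skip the PS* metadata properties that Get-ItemProperty adds
        if ($P.Name -notlike 'PS*') { Add-Finding $Key $P.Name ([string]$P.Value) }
    }
}

# 2. Startup folders (per-user and all-users); inspect file name and content
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($Dir in $StartupDirs) {
    Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $Content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        Add-Finding 'StartupFolder' $_.FullName ("$($_.Name) $Content")
    }
}

# 3. Scheduled tasks: check each action's executable and arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($A in $_.Actions) {
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" ("$($A.Execute) $($A.Arguments)")
    }
}

# 4. WMI permanent event subscriptions (consumers carry the command or script)
$Ns = 'root\subscription'
Get-CimInstance -Namespace $Ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace $Ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $_.ScriptText }
# Any binding at all is worth a look on a workstation; list them unconditionally
Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIBinding' ([string]$_.Filter) ([string]$_.Consumer) -Always }

# 5. Defender tampering: real-time protection off or exclusions present
$Pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($Pref) {
    if ($Pref.DisableRealtimeMonitoring) {
        Add-Finding 'Defender' 'DisableRealtimeMonitoring' 'True' -Always
    }
    foreach ($Ex in @($Pref.ExclusionPath) + @($Pref.ExclusionProcess) + @($Pref.ExclusionExtension)) {
        if ($Ex) { Add-Finding 'DefenderExclusion' 'Exclusion' $Ex -Always }
    }
}

# 6. C2 indicator: recent DNS resolutions for the tunnelling service
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*bore.pub*' } |
    ForEach-Object { Add-Finding 'DnsCache' $_.Entry ([string]$_.Data) -Always }

$Findings | Format-Table -AutoSize
```

Two caveats follow from the article itself. Because the implant timestomps its artefacts, do not triage Startup folder or task files by modification time; match on content, as above. And because a watchdog recreates removed artefacts, run the script again a few minutes after cleanup: a finding that reappears points to a still-running watchdog process (or a remaining WMI subscription) that must be killed before the persistence entries are deleted.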