DEEP#Door is a stealthy Python-based backdoor framework identified as targeting Windows systems, capable of long-term surveillance and credential theft. According to Securonix, the malware, dubbed Deep#Door, uses an obfuscated batch script to deploy a persistent implant while bypassing traditional detection methods. Unlike many loaders, it embeds its malicious Python code directly within the dropper script, making the dropper self-contained and reducing the network indicators a second-stage download would leave.
The loader disables security features, extracts the embedded payload and establishes persistence through startup folders, registry run keys and scheduled tasks, with optional WMI subscriptions providing an additional stealthy foothold. Once deployed, the backdoor communicates with attacker infrastructure via a public TCP tunnelling service, allowing malicious traffic to blend with legitimate connections.
It supports keylogging, screenshot capture, microphone recording and browser credential harvesting, and can also extract SSH keys and cloud authentication tokens for lateral movement. Extensive anti-analysis features check for virtual machines, debugging tools and sandboxes, patch core Windows telemetry and clear event logs to limit forensic visibility.
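As an added defensive example (not code from Securonix or from the malware itself), the PowerShell hunt below enumerates the four persistence locations named above and flags entries that invoke Python or a batch script, the dropper and payload combination described for this backdoor. The keyword list and the Run-key and Startup-folder paths are assumptions chosen for illustration; run it from an elevated prompt on the host under review.

```powershell
# Added hunt script: check Run keys, Startup folders, scheduled tasks and
# WMI subscriptions for entries that launch Python or a batch file.
# Keyword list is an assumption for illustration; tune it per environment.
$Suspicious = 'python', 'pythonw', '\.bat', '\.cmd'
$Pattern    = ($Suspicious -join '|')
$Findings   = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Source, $Name, $Command) {
    if ($Command -and ($Command -match $Pattern)) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Registry Run / RunOnce keys (machine- and user-scoped)
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        foreach ($p in (Get-ItemProperty -Path $Key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { Add-Finding $Key $p.Name $p.Value }
        }
    }
}

# 2. Startup folders (all users and current user)
$StartupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($Dir in $StartupDirs) {
    Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
}

# 3. Scheduled tasks: inspect each action's executable and arguments
Get-ScheduledTask | ForEach-Object {
    $Task = $_
    foreach ($a in $Task.Actions) {
        Add-Finding 'ScheduledTask' $Task.TaskName "$($a.Execute) $($a.Arguments)"
    }
}

# 4. WMI permanent event subscriptions: consumers that run a command or script
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $_.ScriptText }

$Findings | Format-Table -AutoSize
```

An empty table is not a clean bill of health: the anti-analysis and log-clearing behaviour described above means a hit in any one location should be corroborated with process, network and event-log evidence from an independent source such as an EDR or forwarded logs.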