Published on May 1, 2026

Python-Based Backdoor Exploits Tunneling Service to Steal Browser and Cloud Credentials

Severity
Medium

Detail

Cybersecurity researchers have disclosed a stealthy Python-based backdoor framework known as DEEP#DOOR, which is designed to establish persistent access and collect sensitive information from compromised systems.

How?

The intrusion begins with the execution of a malicious batch script (install_obf.bat), which is believed to be distributed through traditional methods such as phishing. Once executed, the script disables Windows security controls, extracts an embedded Python payload (svc.py), and establishes persistence through multiple mechanisms, including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions. Notably, the Python payload is embedded directly within the dropper script and is extracted and executed locally, reducing reliance on external infrastructure and minimizing forensic artifacts.

After successful execution, the malware communicates with the public TCP tunneling service bore[.]pub, enabling remote command execution and allowing attackers to maintain control over the compromised host. The framework supports a wide range of malicious capabilities, including reverse shell access, system reconnaissance, keylogging, clipboard monitoring, screenshot capture, webcam access, ambient audio recording, and credential harvesting. This includes extracting credentials from web browsers such as Chrome and Firefox, Windows Credential Manager, SSH keys, and cloud platforms including AWS, Azure, and Google Cloud.
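The following host-hunting script is an added example, not code from the advisory or from the researchers' report. It checks the persistence locations named above (Startup folders, Run keys, scheduled tasks, WMI subscriptions) and current process command lines and DNS cache entries for the strings the advisory cites (install_obf.bat, svc.py, bore.pub); the registry paths, folders and WMI class used are the standard ones for each mechanism, and any other indicator you add to $Indicators is your own assumption.

```powershell
# Added example, not from the advisory: hunt one host for the persistence and
# network artifacts described above. Indicator strings come from the advisory
# (install_obf.bat, svc.py, bore.pub); locations are the standard ones for each
# mechanism. Run in an elevated PowerShell session for HKLM and WMI coverage.
$Indicators = @('install_obf.bat', 'svc.py', 'bore.pub')
$Pattern    = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Findings   = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Text) {
    if ($Text -and $Text -match $Pattern) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Evidence = $Text })
    }
}

# 1. Registry Run keys (per-user and machine-wide)
foreach ($Hive in 'HKCU:', 'HKLM:') {
    $Key = "$Hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        Add-Finding "Run key $Key\$($P.Name)" ([string]$P.Value)
    }
}

# 2. Startup folders: flag file names and script contents that reference the indicators
$StartupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem -Path $StartupDirs -File -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Startup folder' $_.FullName
    Add-Finding "Startup script $($_.Name)" (Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue)
}

# 3. Scheduled tasks: the action executable plus its arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $Task = $_
    foreach ($A in $Task.Actions) {
        Add-Finding "Scheduled task $($Task.TaskPath)$($Task.TaskName)" "$($A.Execute) $($A.Arguments)"
    }
}

# 4. WMI permanent event subscriptions (the consumer holds the command line)
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding "WMI consumer $($_.Name)" $_.CommandLineTemplate }

# 5. Running processes and the DNS client cache (lookups of the tunneling service)
Get-CimInstance Win32_Process | ForEach-Object { Add-Finding "Process PID $($_.ProcessId)" $_.CommandLine }
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object { Add-Finding 'DNS cache' $_.Entry }

$Findings | Format-Table -AutoSize
```

A hit in any section is worth triaging together with the others, since the advisory notes that a watchdog recreates removed persistence artifacts, so a single cleaned entry is not evidence of full remediation.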

In parallel, the malware incorporates multiple anti-analysis and defense evasion techniques, such as sandbox and virtual machine detection, AMSI and ETW patching, Microsoft Defender tampering, SmartScreen bypass, PowerShell logging suppression, command-line wiping, timestamp manipulation, and log clearing, all of which are intended to evade detection and complicate incident response.

Impact

The impact of this malware is significant, as it enables persistent access, extensive surveillance, credential theft, and remote command execution within compromised environments. It can support long-term espionage, lateral movement, and post-exploitation activities, while simultaneously reducing forensic visibility by tampering with Windows security and telemetry mechanisms. Additionally, remediation is made more challenging due to the use of multiple persistence techniques and a watchdog mechanism that automatically recreates persistence artifacts if they are removed. Although current observations suggest that its usage is limited and targeted rather than widespread, the modular design of the framework allows for potential adaptation by different threat actors over time.

Conclusion

DEEP#DOOR represents an evolution in modern malware design, emphasizing stealth, persistence, and reduced detectability. By embedding its Python payload directly within the dropper script and executing it at runtime, the framework minimizes reliance on external infrastructure and limits traditional detection opportunities. It leverages legitimate services such as public TCP tunneling to blend malicious activity with normal traffic, while simultaneously employing extensive anti-analysis and defense evasion techniques to avoid security controls and hinder forensic investigation.

Although it is not yet widely used and appears to be deployed in targeted operations, its flexible design means it could be adapted for broader attacks in the future.

Source

https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html