New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials


The Hacker News
Apr 30, 2026

Why It Matters

The framework demonstrates how threat actors can leverage legitimate tunneling services and native scripting languages to bypass traditional defenses, raising the risk of credential theft and long‑term espionage in enterprise environments.

Key Takeaways

  • DEEP#DOOR embeds Python payload inside batch dropper for fileless execution
  • Uses bore.pub tunneling service to hide C2 traffic and avoid infrastructure
  • Harvests browser, OS, and cloud credentials across Chrome, Firefox, AWS, Azure
  • Implements multi‑layer evasion: AMSI patching, Defender tampering, VM detection
  • Persistence via startup scripts, registry Run keys, scheduled tasks, watchdog

Pulse Analysis

The emergence of Python‑driven, fileless RATs marks a shift in adversary tactics, as attackers favor interpreted languages that blend with legitimate system processes. By embedding the malicious script within a seemingly innocuous batch file, DEEP#DOOR sidesteps the need for external payload downloads, reducing its forensic footprint and complicating traditional signature‑based detection. This approach mirrors a broader trend where threat actors exploit native Windows utilities and scripting environments to achieve stealthy persistence and rapid deployment across varied targets.

A distinctive feature of DEEP#DOOR is its reliance on bore.pub, a public Rust‑based tunneling platform, for command‑and‑control. Leveraging a legitimate service eliminates the overhead of maintaining dedicated C2 servers and helps the malicious traffic blend with normal outbound connections, evading network‑based alerts. Once active, the implant conducts extensive reconnaissance, captures keystrokes, screenshots, and webcam feeds, and exfiltrates credentials stored in Chrome, Firefox, Windows Credential Manager, and cloud providers such as Amazon Web Services, Google Cloud, and Microsoft Azure. Coupled with sophisticated evasion—AMSI and ETW patching, NTDLL unhooking, and Defender tampering—the malware can remain undetected for extended periods, facilitating espionage and lateral movement.

For defenders, DEEP#DOOR underscores the necessity of behavior‑centric monitoring and zero‑trust principles. Traditional endpoint signatures may miss the embedded Python code, so organizations should prioritize anomaly detection on process creation, network tunneling usage, and unexpected modifications to persistence locations. Hardening AMSI, enforcing strict application control, and monitoring outbound connections to uncommon domains like bore.pub can reduce exposure. As attackers continue to weaponize legitimate services and scripting languages, a layered security strategy that combines endpoint telemetry, network analytics, and rapid incident response becomes essential to mitigate the evolving threat landscape.
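As an added illustration of the behaviour-centric monitoring recommended above (example code written for this summary, not part of the article or of any vendor tooling), the script below runs simple detection rules over constructed Sysmon-style events and flags a host only when several of the described behaviours co-occur: a script interpreter launched by cmd.exe, an outbound connection to bore.pub, and a Run-key or Startup-folder write by an interpreter. Event field names, paths and sample values are assumptions; no real DEEP#DOOR indicators are included.

```python
"""Toy correlation detector for the DEEP#DOOR behaviours described in the analysis.
Field names and sample values are constructed assumptions, not real telemetry."""
import re
from collections import defaultdict

INTERPRETERS = re.compile(r"\\(python|pythonw|powershell|cmd)\.exe$", re.I)
TUNNEL_DOMAINS = {"bore.pub"}                     # domain named in the article
PERSIST_KEYS = re.compile(r"\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# Constructed events. Sysmon event IDs: 1 = process create, 3 = network connect,
# 11 = file create, 13 = registry value set. Paths and hosts are made up.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\invoice.bat"'},
    {"id": 1, "host": "ws01", "image": r"C:\Python312\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r'python.exe -c "..."'},
    {"id": 3, "host": "ws01", "image": r"C:\Python312\python.exe", "dest_host": "bore.pub"},
    {"id": 13, "host": "ws01", "image": r"C:\Python312\python.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 3, "host": "ws02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.com"},
]

def findings_for(ev):
    """Return the names of the detection rules that a single event matches."""
    hits = []
    image, parent, target = ev.get("image", ""), ev.get("parent", ""), ev.get("target", "")
    # Batch dropper handing off to Python: interpreter spawned by another interpreter.
    if ev["id"] == 1 and INTERPRETERS.search(image) and INTERPRETERS.search(parent):
        hits.append("interpreter_spawned_by_interpreter")
    # Any process talking to the public tunneling service used for C2.
    if ev["id"] == 3 and ev.get("dest_host", "").lower() in TUNNEL_DOMAINS:
        hits.append("tunneling_service_connection")
    # Persistence: Run key set, or file dropped into the Startup folder, by an interpreter.
    if ev["id"] == 13 and PERSIST_KEYS.search(target) and INTERPRETERS.search(image):
        hits.append("run_key_written_by_interpreter")
    if ev["id"] == 11 and STARTUP_DIR.search(target) and INTERPRETERS.search(image):
        hits.append("startup_folder_drop_by_interpreter")
    return hits

def correlate(events, threshold=2):
    """Group rule hits per host; a host with >= threshold distinct hits is flagged."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(findings_for(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))   # only ws01 reaches the threshold
```

Any single rule here will fire on benign activity (administrators run Python from batch files), which is why the host-level correlation, not the individual rule, drives the alert.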

