Process flow | Image: Securonix
Securonix Threat Research has detailed a sophisticated new Python-based backdoor framework dubbed Deep#Door. This high-tech implant exemplifies the growing trend of threat actors adopting script-driven intrusion frameworks over traditional standalone executables to blend malicious activity with normal system behavior.
Deep#Door operates as a fully-featured Remote Access Trojan (RAT), capable of extensive surveillance, credential theft, and long-term espionage while maintaining a minimal forensic footprint.
The intrusion begins with a heavily obfuscated batch script (install_obf.bat). Unlike conventional loaders that download payloads from a remote server, Deep#Door is entirely self-contained.
As the Securonix report explains, “Deep#Door embeds its Python implant directly inside the dropper script and reconstructs it in-memory and on disk during execution”.
This “self-referential parsing” allows the attacker to deliver the entire implant in a single file, significantly reducing the chances of network-based detection. Once triggered, the batch script extracts the Python RAT (svc.py) and hides it in the local AppData directory under a name designed to mimic legitimate Windows services.
To communicate with its masters, the malware avoids traditional command-and-control (C2) servers that are easily flagged and taken down. Instead, it leverages bore[.]pub, a publicly available TCP tunneling service.
This design provides several stealth advantages:
- No Hardcoded IPs: The malware doesn’t need to store a specific IP address that could be blacklisted.
- Legitimate Traffic: Malicious C2 data blends in with legitimate tunneling usage on the bore service.
- Dynamic Discovery: The implant uses an aggressive mass port scanning strategy, launching up to 100 concurrent worker threads to identify an active tunnel.
Once established, Deep#Door grants the operator total control over the victim’s system. Its capabilities are vast and modular:
- Surveillance: Real-time keylogging, clipboard monitoring, screen capture, and remote access to webcams and microphones.
- Credential Theft: Harvesting passwords from Chrome, Edge, and Firefox; extracting SSH keys and cloud tokens (AWS, Azure, GCP).
- Defense Evasion: Disabling Windows Defender, patching AMSI to treat malicious scripts as benign, and clearing system event logs.
- Persistence: Establishing multi-layered access through Startup folders, registry Run keys, scheduled tasks, and self-healing watchdog threads.
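Two of the behaviours described above leave patterns a defender can hunt for in endpoint telemetry: the tunnel-discovery step (one process opening connections to many distinct ports on the same host within seconds) and the persistence step (a Python interpreter launched from, or registered under a Run key to start from, a script in AppData). The following detector is an added illustration, not Securonix's code or anything from the Deep#Door sample; it runs over a constructed, simplified Sysmon-style event stream (the field names, the `WinSvcHost` name, PIDs and timestamps are all assumptions made for the example) and returns the findings from named functions so the logic can be checked offline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon-like shape (not a real
# export): one suspicious process launch, a burst of outbound connections, one
# registry write, plus benign noise that must not be flagged.
_T0 = datetime(2024, 1, 1, 10, 0, 0)

SAMPLE_EVENTS = [
    # python interpreter launched with a script under AppData (Deep#Door-like)
    {"ts": _T0.isoformat(), "event": "process_create", "pid": 4242,
     "image": r"C:\Python312\python.exe",
     "cmdline": r'python.exe "C:\Users\alice\AppData\Local\WinSvcHost\svc.py"'},
    # benign developer run of a script outside AppData
    {"ts": _T0.isoformat(), "event": "process_create", "pid": 5151,
     "image": r"C:\Python312\python.exe",
     "cmdline": r"python.exe C:\dev\proj\main.py"},
    # Run-key persistence pointing the interpreter at the AppData script
    {"ts": (_T0 + timedelta(seconds=2)).isoformat(), "event": "registry_set",
     "pid": 4242,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinSvcHost",
     "value": r"pythonw.exe C:\Users\alice\AppData\Local\WinSvcHost\svc.py"},
    # benign Run-key entry (AppData path, but an ordinary executable)
    {"ts": (_T0 + timedelta(seconds=3)).isoformat(), "event": "registry_set",
     "pid": 777,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    # benign browser connection
    {"ts": (_T0 + timedelta(seconds=4)).isoformat(), "event": "network_connect",
     "pid": 888, "dst_host": "example.com", "dst_port": 443},
]
# 60 connections to 60 distinct ports on one host inside ~3 seconds: the
# "probe many ports to find the live tunnel" pattern.
SAMPLE_EVENTS += [
    {"ts": (_T0 + timedelta(seconds=5, milliseconds=50 * i)).isoformat(),
     "event": "network_connect", "pid": 4242,
     "dst_host": "bore.pub", "dst_port": 1024 + i}
    for i in range(60)
]

INTERPRETERS = ("python.exe", "pythonw.exe")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_port_scan_bursts(events, min_ports=20, window_s=30):
    """Flag a (pid, host) pair that touches >= min_ports distinct ports within
    window_s seconds. Sliding window over time-sorted connections per pair."""
    groups = defaultdict(list)
    for e in events:
        if e["event"] == "network_connect":
            groups[(e["pid"], e["dst_host"])].append((_ts(e), e["dst_port"]))
    findings = []
    for (pid, host), conns in groups.items():
        conns.sort()
        in_window = Counter()  # port -> number of connections inside window
        left = 0
        for t, port in conns:
            in_window[port] += 1
            # drop connections older than the window from the left edge
            while (t - conns[left][0]).total_seconds() > window_s:
                old = conns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                findings.append({"pid": pid, "dst_host": host,
                                 "distinct_ports": len(in_window)})
                break  # one finding per pair is enough
    return findings


def find_appdata_script_launches(events):
    """Python interpreter started with a .py script located under AppData."""
    hits = []
    for e in events:
        if e["event"] != "process_create":
            continue
        cmd = e["cmdline"].lower()
        if e["image"].lower().endswith(INTERPRETERS) \
                and "\\appdata\\" in cmd and ".py" in cmd:
            hits.append({"pid": e["pid"], "cmdline": e["cmdline"]})
    return hits


def find_run_key_persistence(events):
    """Run/RunOnce key value that starts a script interpreter from AppData."""
    hits = []
    for e in events:
        if e["event"] != "registry_set":
            continue
        key, val = e["key"].lower(), e["value"].lower()
        if "\\currentversion\\run" in key and "\\appdata\\" in val \
                and any(i in val for i in INTERPRETERS):
            hits.append({"pid": e["pid"], "key": e["key"]})
    return hits


def detect(events):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "port_scan_bursts": find_port_scan_bursts(events),
        "appdata_script_launches": find_appdata_script_launches(events),
        "run_key_persistence": find_run_key_persistence(events),
    }


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_EVENTS).items():
        print(name, hits)
```

The port-burst check keys on the behaviour (many distinct ports on one host from one process in a short window) rather than on the `bore.pub` hostname, because the article's point is that the tunnel service carries legitimate traffic too; a hostname-only rule would be noisy and trivially sidestepped by a different tunnel provider. The thresholds (20 ports in 30 seconds) are assumptions chosen for the sample and would be tuned against a fleet's baseline.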
The malware even includes destructive post-exploitation features, such as the ability to overwrite the Master Boot Record (MBR) to render the system unbootable or trigger a Blue Screen of Death (BSOD) for anti-forensics.
Securonix researchers warn that Deep#Door represents a significant evolution in threat craft. By relying on interpreted languages like Python and legitimate system components, actors can “deliver flexible implants capable of dynamic capability expansion” with very little visibility to traditional security tools.