
New Deep#Door RAT uses stealth and persistence to target Windows

Security researchers at Securonix have identified Deep#Door, a sophisticated malware campaign that uses self-extracting scripts (a batch loader carrying a hidden Python payload) and a public tunneling service to maintain stealthy, persistent access on compromised Windows systems.

Key Points

  • The malware uses a self-referential batch file, install_obf.bat, which reads its own contents to carve out a hidden Python payload and writes it directly into the %LOCALAPPDATA%\SystemServices\ directory.
  • Deep#Door disables Windows Defender, suppresses firewall logging, and patches security tools to blind the host before the implant activates.
  • Attackers use the legitimate TCP tunneling service bore.pub for command-and-control, so C2 traffic blends in with a public service and network-based detection and attribution become significantly harder.
  • The malware establishes persistence redundantly, modifying registry keys, scheduled tasks, and WMI event subscriptions at the same time, with a background watchdog thread monitoring them so that removing any one mechanism does not end the infection.
  • Evasion techniques include sandbox detection (to avoid running under automated analysis), ntdll unhooking (to slip past user-mode EDR hooks), and timestamp stomping (to hinder forensic timelining).
  • Once active, the implant can capture keystrokes, harvest credentials, access webcams, and potentially overwrite the Master Boot Record for destructive purposes.
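The persistence points and host-tampering behaviours listed above are all enumerable from the host. The following PowerShell triage script is an added example, not code from the article or from Securonix: it walks the Run keys, scheduled task actions, WMI permanent event subscriptions, Defender and firewall-logging state, the DNS cache and the staging directory, and flags anything matching the indicators the write-up names (the SystemServices directory, install_obf.bat, bore.pub, a Python interpreter). The indicator strings come from the article; the hunt logic itself is generic and assumes an elevated session on the suspect machine.

```powershell
# Added triage script (not from the article or Securonix). Enumerates the
# persistence and host-tampering locations the Deep#Door write-up lists and
# flags entries matching its published indicators. Run elevated on the host.
# $Indicators are taken from the article; the rest is a generic, read-only hunt.

$Indicators = @('SystemServices', 'install_obf.bat', 'bore.pub', 'python')

function Test-Indicator {
    param([string]$Text)
    foreach ($i in $Indicators) {
        if ($Text -and $Text -like "*$i*") { return $true }
    }
    return $false
}

function Add-Finding {
    param([string]$Source, [string]$Name, $Value)
    $script:Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Registry Run/RunOnce keys (per-user, machine-wide and the WOW6432Node view)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider metadata
        if (Test-Indicator "$($p.Value)") { Add-Finding "Registry $key" $p.Name $p.Value }
    }
}

# 2. Scheduled tasks whose action executable or arguments hit an indicator
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Indicator $cmd) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# 3. WMI permanent event subscriptions. Any consumer/binding here deserves a look;
#    a CommandLineEventConsumer is the classic "run this command when X happens" hook.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI CommandLineEventConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI ActiveScriptEventConsumer' $_.Name $_.ScriptText }
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI FilterToConsumerBinding' "$($_.Filter)" "$($_.Consumer)" }

# 4. Defender and firewall-logging state: the write-up says the implant turns these off
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    if ($mp.DisableRealtimeMonitoring) { Add-Finding 'Defender' 'DisableRealtimeMonitoring' $true }
    foreach ($ex in @($mp.ExclusionPath)) {
        if (Test-Indicator "$ex") { Add-Finding 'Defender ExclusionPath' 'Exclusion' $ex }
    }
}
Get-NetFirewallProfile | ForEach-Object {
    if ("$($_.LogBlocked)" -eq 'False' -and "$($_.LogAllowed)" -eq 'False') {
        Add-Finding 'Firewall' "$($_.Name) profile logging" 'disabled'
    }
}

# 5. Evidence of the tunneling service: cached DNS answers for bore.pub
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*bore.pub*' } |
    ForEach-Object { Add-Finding 'DNS cache' $_.Entry $_.Data }

# 6. The staging directory itself, with both timestamps so stomping is visible
$stage = Join-Path $env:LOCALAPPDATA 'SystemServices'
if (Test-Path $stage) {
    Get-ChildItem -Path $stage -Force -Recurse | ForEach-Object {
        Add-Finding 'Staging dir' $_.FullName "created=$($_.CreationTime) modified=$($_.LastWriteTime)"
    }
}

$Findings | Format-Table -AutoSize
```

Treat the output as collection, not remediation: the write-up says a watchdog thread monitors the persistence entries, so expect anything you delete to reappear until the implant process is stopped. Because the sample stomps timestamps, the CreationTime/LastWriteTime values in the last section are only a hint; corroborate them against the $FILE_NAME timestamps in the MFT or against Sysmon/ETW file-creation events before building a timeline.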

Why it Matters

This campaign demonstrates a shift toward script-driven attacks that stage their payload in a user-writable directory, abuse native system components (batch, Python, scheduled tasks, WMI) and route command-and-control through legitimate public infrastructure, leaving little for signature-based detection to match on. Organizations must prioritize behavioral monitoring of security-setting changes, persistence locations and outbound traffic to identify these resilient, multi-stage threats.
Securityaffairs.com Published by Pierluigi Paganini