
DEEP#DOOR Python Backdoor Steals Browser, Cloud Credentials

DEEP#DOOR Python backdoor uses tunneling service for C2, disables Windows security via batch script, and harvests browser cookies and cloud tokens from infected hosts.

Executive Summary

Researchers have disclosed a Python-based backdoor framework, tracked as DEEP#DOOR, that establishes persistent access on compromised Windows hosts and systematically harvests browser cookies, saved credentials, and cloud service tokens. The intrusion chain begins with a batch script that disables Windows security controls before deploying the backdoor, which communicates over a legitimate tunneling service to evade network detection. The findings were published by cybersecurity researchers who declined to name the tunneling service used for C2.

Technical Analysis

According to the researchers' report, the initial infection vector is a batch script named install_obf.bat that executes several commands to disable Windows Defender and other security mechanisms. The script then dynamically extracts and runs a Python-based payload that establishes persistence via scheduled tasks or registry run keys, depending on the host configuration.

Once active, DEEP#DOOR connects to a remote server through a commercial tunneling service, which provides a stable, encrypted channel that blends with legitimate traffic. The backdoor enumerates installed browsers — including Chrome, Firefox, Edge, and Brave — and extracts stored passwords, cookies, and autofill data. It also targets cloud service credentials by scanning for configuration files and cached tokens from providers such as AWS, Azure, and Google Cloud.

Data exfiltration occurs over the same tunneled connection, with the backdoor compressing stolen files into archives before transmission. The researchers noted that the malware uses Python's standard libraries for most operations, making it difficult to fingerprint via signature-based detection. The tunneling service acts as a relay, obscuring the true C2 server IP from network monitoring tools.

Mitigations & Recommendations

Defenders should monitor for execution of batch scripts that disable security services, particularly install_obf.bat or similar filenames. Endpoint detection rules should flag anomalous Python interpreter launches from non-standard directories, especially when followed by outbound connections to known tunneling services. Organizations should enforce application whitelisting for scripting engines and restrict PowerShell and cmd.exe execution for non-administrative users. Cloud credential hygiene — including short-lived tokens and hardware-backed key storage — reduces the value of harvested credentials.
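As an added illustration (not code from the researchers' report or from this site), the following Python correlates constructed endpoint events for the chain this section describes: a command line that tampers with Windows security, then a python.exe launched from an unexpected directory that connects outbound shortly after. The trusted-directory list, tamper markers and event schema are assumptions to be tuned to the environment.

```python
"""Correlate process and network events for the chain above: security
tampering, then an interpreter from an odd path that calls out."""
from datetime import datetime

# Where python.exe is expected to live (assumption; tune per estate).
TRUSTED_PYTHON_DIRS = (r"c:\program files\python", r"c:\python",
                       r"\appdata\local\programs\python")
# Command-line fragments tied to disabling Defender or the dropper (assumed).
TAMPER_MARKERS = ("disablerealtimemonitoring", "sc stop windefend",
                  "install_obf.bat")

def _ts(s):
    return datetime.strptime(s, "%H:%M:%S")

def is_security_tamper(ev):
    cl = ev.get("cmdline", "").lower()
    return ev["type"] == "process" and any(m in cl for m in TAMPER_MARKERS)

def is_untrusted_python(ev):
    img = ev.get("image", "").lower()
    return (ev["type"] == "process" and img.endswith("python.exe")
            and not any(d in img for d in TRUSTED_PYTHON_DIRS))

def find_suspicious_chains(events, window_s=300):
    """Return (pid, dest, severity) for untrusted interpreters that connected
    out within window_s seconds of launch; prior tampering raises severity."""
    hits = []
    for launch in filter(is_untrusted_python, events):
        t0 = _ts(launch["ts"])
        tampered = any(is_security_tamper(e) and _ts(e["ts"]) <= t0
                       for e in events)
        for e in events:
            if e["type"] != "network" or e["pid"] != launch["pid"]:
                continue
            if 0 <= (_ts(e["ts"]) - t0).total_seconds() <= window_s:
                hits.append((launch["pid"], e["dest"],
                             "high" if tampered else "medium"))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"type": "process", "ts": "10:00:02", "pid": 4102, "image": "powershell.exe",
     "cmdline": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "ts": "10:00:05", "pid": 4120, "cmdline": "python main.py",
     "image": r"C:\Users\u\AppData\Roaming\tmp\python.exe"},
    {"type": "network", "ts": "10:00:09", "pid": 4120, "dest": "tunnel.example:443"},
    {"type": "process", "ts": "11:00:00", "pid": 5000, "cmdline": "python build.py",
     "image": r"C:\Program Files\Python311\python.exe"},
    {"type": "network", "ts": "11:00:01", "pid": 5000, "dest": "pypi.org:443"},
]
```

A production rule would also key on the parent process (cmd.exe running the batch file) and on destinations known to belong to tunneling services rather than on any outbound connection.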
