Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux and Ubiquiti Flaws, Accenture Breach, Android Exploit
July 12, 2026
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Home/Threats/Deep#Door Stealer Harvests Browser Passwords, Cloud Tokens, SSH Keys, Wi-Fi Credentials
Threats

Deep#Door Stealer Harvests Browser Passwords, Cloud Tokens, SSH Keys, Wi-Fi Credentials

Key Takeaways A new Python-based malware, dubbed DEEP#DOOR, has been discovered, designed to operate as a sophisticated credential stealer and remote access tool. The malware infiltrates Windows...

Jennifer sherman
Jennifer sherman
May 1, 2026 4 Min Read
54 0

Key Takeaways

  • A new Python-based malware, dubbed DEEP#DOOR, has been discovered, designed to operate as a sophisticated credential stealer and remote access tool.
  • The malware infiltrates Windows systems via an obfuscated batch script, “finallyJob.bat,” embedding its Python backdoor directly to evade network detection.
  • DEEP#DOOR targets a wide array of sensitive data, including browser passwords, cloud authentication tokens (AWS, Azure, GCP), SSH keys, and Wi-Fi credentials.
  • It employs advanced evasion techniques, such as disabling SmartScreen, patching AMSI and ETW, clearing event logs, and timestamp stomping, to maintain stealth and persistence.
  • Once established, DEEP#DOOR provides full remote command execution, keylogging, webcam/microphone capture, and screen capture capabilities to attackers.

Cybersecurity researchers have uncovered a stealthy new Python-based malware framework named DEEP#DOOR. This potent threat acts as an obfuscated batch loader, deploying a persistent and comprehensive credential-stealing implant on Windows operating systems.

Table Of Content

  • Key Takeaways
  • Infection Chain and Evasion Tactics
  • DEEP#DOOR’s Credential Harvesting Prowess
  • What You Should Do

The malware’s initial compromise typically involves an obfuscated batch script, often named “finallyJob.bat,” which serves as the primary execution vector. Uniquely, DEEP#DOOR incorporates its entire Python backdoor directly within this batch file, rather than relying on external downloads. This self-contained design significantly reduces the likelihood of network-based security solutions detecting the threat during its initial stages.

The infection initiates the moment an unsuspecting user executes what appears to be a benign batch file on a Windows machine. Analysts at Securonix Threat Research were instrumental in identifying and analyzing this sophisticated Python-based backdoor.

Infection Chain and Evasion Tactics

According to the researchers, the infection sequence begins with the execution of the batch script. This script dynamically extracts and runs an embedded Python Remote Access Tool (RAT) payload, typically named “c.py.” Following this, DEEP#DOOR establishes multiple persistence mechanisms, including scripts in the Startup folder, modifications to Registry Run keys, creation of Scheduled Tasks, and, optionally, WMI subscriptions.

Once activated, the malware communicates with attacker-controlled infrastructure through a publicly accessible TCP tunneling service. This enables remote operators to interact with the compromised system via designated ports. The backdoor grants extensive remote command execution and surveillance capabilities, encompassing keylogging, webcam photo capture, microphone recording, screen capture, and, crucially, credential harvesting.

Before deploying its core Python backdoor, DEEP#DOOR proactively thwarts runtime defenses. It disables Windows SmartScreen, patches Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), clears event logs, and employs timestamp stomping to obscure its activities. Further evasion techniques include sandbox detection, unhooking, tampering with Windows Defender, and stripping command-line arguments. This combination of advanced evasion and remote control makes DEEP#DOOR exceptionally difficult to detect once it has embedded itself within a network.

DEEP#DOOR’s Credential Harvesting Prowess

The most devastating aspect of DEEP#DOOR is its robust credential-harvesting engine. It systematically targets a broad spectrum of sensitive information, including passwords stored in web browsers, cloud authentication tokens, critical environment credentials, and SSH access keys. This comprehensive data exfiltration facilitates lateral movement and account compromise across an organization’s entire infrastructure.

Specifically, the stealer leverages dedicated functions like get_chrome_cred() and get_edge_cred() to access browser SQLite databases and extract cached login data. A separate get_ssh_key() function is designed to locate and exfiltrate private SSH keys, which are vital for remote server access. The malware also executes get_cloud_cred() to scan configuration files and environment variables for AWS, Azure, and Google Cloud Platform (GCP) credentials. Additionally, get_wifi_cred() probes the Windows Credential Manager and related registry locations to retrieve saved Wi-Fi passwords.

This multi-vector approach to data collection means that a single successful infection can expose an organization’s entire access surface. Once these credentials fall into the hands of attackers, re-entry into the network becomes trivial, even if the malware is detected and removed from the initial compromised host.

What You Should Do

  • Exercise Caution with Executables: Avoid opening unknown batch files or script attachments, especially those arriving via email or suspicious shared links.
  • Monitor for Anomalous Activity: Implement robust monitoring for unusual PowerShell and cmd.exe activity, particularly when combined with Base64-encoded commands.
  • Audit Persistence Mechanisms: Regularly audit Registry Run keys, Startup folders, and Scheduled Tasks for any unauthorized or suspicious entries.
  • Enable Tamper Protection: Ensure Windows Defender tamper protection is enabled to prevent malware from disabling built-in security features.
  • Rotate Critical Credentials: Following any suspected compromise, promptly rotate cloud authentication tokens and SSH keys.
  • Implement Network Monitoring: Deploy network monitoring solutions to detect suspicious outbound tunneling traffic over non-standard ports.
  • Investigate System Activity: Investigate any processes making unexpected calls to webcams, microphones, or screen capture functionalities.
  • Isolate and Analyze: Immediately isolate affected systems and conduct thorough forensic analysis to identify lateral movement paths and scope of compromise.
  • Focus on Behavioral Analytics: Given DEEP#DOOR’s reliance on Python-based execution and obfuscated scripting, traditional antivirus tools may have limited effectiveness. Prioritize behavioral analytics and anomaly detection as primary defense layers.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarePatchSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

China-Aligned Hackers Use ShadowPad, IOX Proxy, WMIC in Espionage Campaign

Next Post

AI-Powered Ransomware Attacks Surge, Victims Reach 7,831 Globally

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us