Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 03:45:43
Cybersecurity researchers have uncovered a sophisticated Python-based backdoor framework, dubbed DEEP#DOOR, that leverages a legitimate tunneling service to exfiltrate browser credentials and cloud authentication tokens from compromised systems. The malware is designed for stealthy, persistent access and can extract sensitive data from multiple sources, including web browsers and cloud service providers.
“DEEP#DOOR represents a significant evolution in post-exploitation tooling,” said Dr. Elena Voss, lead threat analyst at CyberGuard Labs. “Its use of a trusted tunneling service for command-and-control communication bypasses many traditional network security controls.”
The attack chain begins with the execution of a batch script named install_obf.bat, which disables Windows security controls and dynamically extracts the main Python payload from an obfuscated archive. The script also establishes persistence by modifying system registry keys.
Once deployed, the backdoor opens a reverse shell and connects to a remote server via the tunneling service, effectively hiding its traffic within legitimate flows. This technique makes detection difficult for intrusion detection systems that rely on signature-based analysis.
“Attackers are increasingly abusing trusted services to evade detection,” noted Mark Tran, senior incident responder at SecureNet. “This case highlights the need for behavior-based monitoring and rigorous outbound traffic inspection.”
The researchers observed that DEEP#DOOR specifically targets browser-stored credentials and cloud authentication tokens, including those for AWS, Azure, and Google Cloud. It can also capture keystrokes and clipboard contents, further expanding its data theft capabilities.
Organizations should prioritize enabling multi-factor authentication and restricting cloud API access tokens to reduce the impact of such breaches. Immediate patching of known vulnerabilities that allow initial access is also recommended.
Background
The DEEP#DOOR framework was first identified by the CyberGuard Labs research team during a routine investigation of anomalous network traffic patterns. The analysis revealed a multi-stage infection chain that leverages a popular tunneling service to mask command-and-control (C2) communications.

The malware is written in Python and compiled into an executable using PyInstaller, making it cross-platform compatible. However, the current campaign appears to target only Windows systems, as indicated by the use of batch script execution and Windows-specific registry modifications.

Previous backdoors like Cobalt Strike and PoshC2 have used similar techniques, but DEEP#DOOR’s focus on cloud credentials marks a shift toward targeting enterprise cloud environments.
“The tunneling service provides an anonymizing layer that traces back to legitimate cloud providers,” said Voss. “This makes attribution and takedown even more challenging for law enforcement.”
What This Means
For organizations, this discovery underscores the growing sophistication of credential theft campaigns. The ability to steal both browser and cloud credentials from a single backdoor increases the potential impact—attackers can pivot from compromised user accounts to administrative cloud consoles, potentially leading to large-scale data breaches.
Security teams should review outbound firewall rules and monitor for connections to known tunneling services that are not business-justified. Deploying endpoint detection and response (EDR) solutions with behavioral analytics can help identify the initial batch script execution and subsequent anomalous processes.
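As an added illustration of that behavioral correlation (example code, not from the report or from CyberGuard Labs), the script below joins constructed process, registry and network events and flags a process tree that was launched from a .bat file, wrote an autostart Run key, and opened a connection to a tunneling domain. The tunneling domain and the Run key are assumptions; the report names neither.

```python
import re

# Constructed sample telemetry in a simplified, Sysmon-like key=value form (not from the report).
SAMPLE_EVENTS = [
    'ts=1 type=ProcessCreate pid=100 ppid=20 cmdline="cmd.exe /c install_obf.bat"',
    'ts=2 type=RegistrySet pid=100 key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"',
    'ts=3 type=ProcessCreate pid=101 ppid=100 cmdline="C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"',
    'ts=4 type=NetworkConnect pid=101 dest="abc123.tunnel.example" port=443',
    'ts=5 type=ProcessCreate pid=200 ppid=30 cmdline="C:\\Program Files\\Backup\\backup.exe"',
    'ts=6 type=NetworkConnect pid=200 dest="storage.example.com" port=443',
]

# Placeholder: the report does not name the tunneling service; list its domains here.
TUNNEL_DOMAINS = ("tunnel.example",)
# Assumed persistence location (autostart Run key); the report only says "registry keys".
RUN_KEY_MARKER = "\\currentversion\\run\\"

FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD.finditer(line)}

def find_chains(lines):
    """Return pids of .bat-launched processes whose tree also shows Run-key
    persistence and an outbound connection to a tunneling domain."""
    events = [parse(l) for l in lines]
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "ProcessCreate"}
    roots = {e["pid"] for e in events
             if e["type"] == "ProcessCreate" and ".bat" in e["cmdline"].lower()}

    def root_of(pid):
        # Walk up the parent chain until a .bat-launched ancestor (or nothing) is found.
        while pid is not None and pid not in roots:
            pid = parent.get(pid)
        return pid

    seen = {}  # root pid -> set of behaviours observed anywhere in its tree
    for e in events:
        r = root_of(e["pid"])
        if r is None:
            continue
        flags = seen.setdefault(r, set())
        if e["type"] == "RegistrySet" and RUN_KEY_MARKER in e["key"].lower():
            flags.add("run_key_persistence")
        if e["type"] == "NetworkConnect" and e["dest"].endswith(TUNNEL_DOMAINS):
            flags.add("tunnel_c2")
    return sorted(r for r, f in seen.items() if {"run_key_persistence", "tunnel_c2"} <= f)
```

The unrelated backup process in the sample connects to a non-tunnel host and is not reported, which is the point of requiring all three behaviours in one tree rather than alerting on any single one.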
“This is a wake-up call to reconsider how we trust network traffic based on source or destination alone,” concluded Tran. “Visibility into internal processes and their network connections is now critical for defending against advanced threats like DEEP#DOOR.”
Further technical details and indicators of compromise are available in CyberGuard Labs’ full report.