DEEP#DOOR: Python backdoor via public tunnel steals browser and cloud credentials

Colleagues, a Python backdoor tracked as DEEP#DOOR has been identified.
Brief:
- Infection: a batch dropper extracts an embedded Python implant and establishes persistence.
- C2 over a public tunnel service (bore.pub): remote shell, keylogger, screenshots, webcam capture, and exfiltration of browser and cloud credentials.
- Active defense evasion (AMSI/ETW patching, interference with Defender, VM/sandbox checks) plus a watchdog that restores its artifacts if they are removed.
Why it matters: the fileless components leave little on disk, and the public tunnel hides the operator's real infrastructure behind a legitimate service, so both detection and takedown are harder.
Recommendations: audit Startup folders, Registry Run keys and Scheduled Tasks for Python or batch launchers; rotate browser-saved and cloud credentials from a clean host (the implant keylogs); block or at least monitor egress to public tunnelling services such as bore.pub.
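The persistence audit from the recommendations, as an added triage script that is not part of the original post and not tied to any published DEEP#DOOR indicators. It assumes a Windows host with the ScheduledTasks and DnsClient modules (Windows 8 / Server 2012 or later) and an elevated PowerShell session; the $Suspicious pattern (Python interpreters, .py/.pyw/.bat launchers, user-writable launch paths) is a heuristic I chose, not an IOC list from the write-up.

```powershell
# Added example: triage persistence locations and live network evidence for a
# Python/batch implant. Assumes an elevated session on Windows 8+/Server 2012+.
# The indicator regex below is a heuristic assumption, not published DEEP#DOOR IOCs.

# Python interpreters, Python/batch scripts, and launch paths a standard user can write to.
$Suspicious = '(?i)pythonw?\.exe|\.pyw?\b|\.bat\b|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    # Record the entry only when its command line matches the heuristic pattern.
    if ($Command -match $Suspicious) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Startup folders (current user and all users). Anything here is worth a look,
#    so every file is recorded regardless of the regex.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $path -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $Findings.Add([pscustomobject]@{ Source = "StartupFolder:$folder"; Name = $_.Name; Command = $_.FullName })
    }
}

# 2. Registry Run / RunOnce keys for the machine (64- and 32-bit views) and the current user.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        Add-Finding -Source "RunKey:$key" -Name $p.Name -Command ([string]$p.Value)
    }
}

# 3. Scheduled tasks: inspect the executable and arguments of every exec action.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            Add-Finding -Source "ScheduledTask:$($task.TaskPath)" -Name $task.TaskName -Command $cmd
        }
    }
}

# 4. Live evidence: established TCP connections owned by a Python process, and any
#    cached DNS answer for the tunnel domain named in the write-up.
$PythonPids = (Get-Process -Name python, pythonw -ErrorAction SilentlyContinue).Id
if ($PythonPids) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $PythonPids -contains $_.OwningProcess } |
        ForEach-Object {
            $Findings.Add([pscustomobject]@{
                Source  = 'NetConnection'
                Name    = "PID $($_.OwningProcess)"
                Command = "$($_.RemoteAddress):$($_.RemotePort)"
            })
        }
}
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*bore.pub*' } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{ Source = 'DnsCache'; Name = $_.Entry; Command = $_.Data })
    }

$Findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the suspect host and review every row by hand: the regex is deliberately broad (any launcher under AppData or Temp matches), so expect benign updaters in the output, and treat a Python or batch entry in a Run key or task you did not create as the lead to pull on. Run keys of other user profiles (HKU:\SID\...) are not covered here and need a separate pass if the host is shared.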
Which measures do you apply in similar incidents?
#cybersecurity #incidentresponse #RAT #cloudsecurity

