New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Published: April 30, 2026 at 08:36 AM EDT

Source: The Hacker News

DEEP#DOOR Backdoor Framework

Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that provides capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts.

Intrusion Chain

The intrusion chain begins with the execution of a batch script (install_obf.bat) that disables Windows security controls, dynamically extracts an embedded payload, and then launches the main Python backdoor component.

Capabilities

  • Persist on the system by creating scheduled tasks and registry run keys.
  • Exfiltrate browser credentials, cookies, and saved passwords from Chrome, Edge, and Firefox.
  • Harvest cloud service tokens and API keys (e.g., AWS, Azure, GCP).
  • Leverage a tunneling service to route traffic through external servers, bypassing outbound firewall rules.
  • Execute arbitrary commands, download additional modules, and perform lateral movement.

Detection Recommendations

The backdoor uses a custom encryption routine to obfuscate its network traffic, making detection by traditional signature-based tools difficult. Researchers recommend monitoring for:

  • Creation of suspicious scheduled tasks.
  • Unusual outbound connections to known tunneling domains.
  • Presence of the install_obf.bat script in atypical locations.