DEEP#DOOR Python Backdoor Detection: YARA Rules, Network IOCs, and Credential Theft Defences

DEEP#DOOR is a Python-based backdoor first documented by Securonix Threat Research in April 2026. This detection guide covers the DEEP#DOOR YARA rules, network IOCs, and behavioral indicators your EDR and SIEM need to catch it: the implant is delivered via an obfuscated Windows batch dropper (install_obf.bat), patches AMSI and ETW to blind endpoint tools, and routes all C2 traffic through bore.pub — a legitimate public TCP tunneling service — on ports 41234–41243. The credential-harvesting engine targets Chrome, Edge, Firefox, Windows Credential Manager, SSH private keys, and cloud provider access keys for AWS, Azure, and GCP.

// 01 Dropper Mechanics: install_obf.bat and Self-Referential Payload Extraction

The attack begins with an obfuscated batch script, install_obf.bat (SHA-256: 2c2386ef6416ce821e377223d2a3b79f2b7ea9e8dc9ed2549f4676fe060b7ddd), distributed through phishing. Unlike conventional loaders that pull a second-stage payload from a remote URL, DEEP#DOOR uses what Securonix calls self-referential payload extraction: the Python implant is embedded inside the batch file, delimited by #PYTHON_START and #PYTHON_END markers. The dropper reads its own absolute path via the %~f0 batch variable, passes it to PowerShell with a regex extraction, and writes the Python script to disk — no network request required at the delivery stage.

# Conceptual extraction behaviour (simplified from Securonix analysis)
$self = Get-Content -Raw "%~f0"
[regex]::Match($self, '(?s)#PYTHON_START(.+?)#PYTHON_END').Groups[1].Value `
  | Out-File "$env:LOCALAPPDATASystemServicessvc.py"

This design eliminates a second-stage HTTP request, defeating URL-based detection and proxy inspection. The encoded payload (SHA-256: 84515368e2f8ff4467e38bf48dabb267b5b895f54df5be5ceb5428a414ae15e9) is decoded before execution; the decoded implant carries SHA-256 4e3ae82eed8980bbc396020c197c767ba22483a124a00ee04c264dd394378485. Both files land under %LOCALAPPDATA%SystemServicessvc.py.

// 02 DEEP#DOOR’s Windows Security Control Bypass Sequence

Before establishing persistence or calling home, the dropper and implant execute a layered security-control bypass sequence that maps to multiple sub-techniques under MITRE ATT&CK T1562 – Impair Defenses:

• Microsoft Defender tampering (T1562.001) — Set-MpPreference -DisableRealtimeMonitoring $true and related cmdlets disable real-time scanning before any implant code runs.
• AMSI patching — the _patch_amsi() function rewrites AmsiScanBuffer in memory using VirtualProtect, causing AMSI to classify all subsequent script content as clean regardless of content.
• ETW patching (T1562.006) — _patch_etw() patches EtwEventWrite in ntdll.dll, severing the telemetry pipeline that EDR products and Windows Defender subscribe to for runtime events.
• ntdll unhooking — _unhook_ntdll() maps a fresh copy of ntdll.dll directly from disk and swaps it into the process address space, removing userland hooks injected by EDR agents.
• SmartScreen bypass — the dropper disables Windows SmartScreen validation for the current session before executing any subsequent binaries.
• PowerShell logging suppression — Script Block Logging and Module Logging are disabled via registry writes before any PowerShell command runs.
• Command-line wiping (T1070) — _clear_cmdline() overwrites process command-line arguments in memory, defeating parent/child process telemetry that many EDR products capture.
• Timestamp stomping (T1070.006) — creation and modification timestamps are overwritten to blend with legitimate system files.
• Event log clearing (T1070.001) — _kill_event_log() truncates or clears Windows event logs to reduce forensic evidence.
• Sandbox and VM detection (T1497.001) — the implant checks for hypervisor artifacts, debugger presence, and sandboxing environments and exits cleanly if any are detected.

The AMSI + ETW patching combination is sufficient to silence many behaviour-based detection products. The ntdll unhooking step specifically targets EDR vendors that inject telemetry hooks into the in-process copy of ntdll — a technique documented in the wild and described in depth by the AMSI-ETW-Patch project.

// 03 Persistence: Five Redundant Mechanisms and a Watchdog

DEEP#DOOR establishes persistence through five independent mechanisms and runs a watchdog thread that automatically recreates any removed artifacts. A VBS launcher (SystemServices.vbs, SHA-256: c6f00569913cd6bd1017b26bd33bbb28f1d92b9c9e0f830adcc24af59e181d3e) fires svc.py on each trigger event.

| Mechanism | Path or Key | |———–|————-| | Startup folder | %APPDATA%MicrosoftWindowsStart MenuProgramsStartupSystemServices.vbs | | Registry Run key | HKCUSoftwareMicrosoftWindowsCurrentVersionRunSystemServices | | Scheduled task | User-context task pointing to svc.py | | WMI event subscription (T1546.003) | Optional; deployed on supported targets | | Watchdog thread | Monitors and restores all above artifacts within minutes of removal |

Incident responders attempting partial removal will find the watchdog restores deleted artifacts before forensic collection completes. Remediation must terminate the Python process, remove all five persistence vectors simultaneously, and verify no WMI subscriptions remain (Get-WMIObject __EventFilter / __EventConsumer).

// 04 Tunneling C2 via bore.pub

Rather than exposing dedicated attacker-controlled C2 infrastructure, DEEP#DOOR routes all operator traffic through bore.pub, an open-source Rust TCP tunneling service that functions similarly to ngrok or frp. The implant opens an outbound tunnel on a port selected from the range 41234–41243, authenticated with the static Base64 key Y2hhbmdlbWUxMjM= — which decodes to changeme123.

From the network perimeter’s perspective, all operator traffic appears as outbound TCP to a legitimate, globally-reachable domain. Standard firewall rules blocking attacker IP addresses provide no protection. Effective network detection requires one of:

• DNS filtering — block resolution of bore.pub at the recursive resolver.
• TLS inspection — inspect outbound TLS to identify bore.pub connections that bypass DNS.
• Port range blocking — block outbound TCP 41234–41243 to non-corporate destinations at the perimeter firewall.
• Behavioral analytics — alert on sustained long-lived connections from workstations to bore.pub (T1071.001, T1572).

The use of a public tunneling service for C2 is a growing technique. Similar infrastructure abuse was documented in EtherRAT’s use of Ethereum blockchain for C2 resolution, where legitimate distributed infrastructure was exploited to avoid takedown.

// 05 Credential Harvesting: Browsers, SSH Keys, and Cloud Providers

The credential module exposes named functions that operate independently and can be invoked selectively by the remote operator (T1552.001):

| Function | Target | Data extracted | |———-|——–|—————-| | get_chrome_cred() | Chrome Login Data SQLite | Usernames, encrypted passwords | | get_edge_cred() | Edge Login Data SQLite | Usernames, encrypted passwords | | get_ssh_key() | ~/.ssh/ directory | RSA and EC private keys | | get_cloud_cred() | ~/.aws/, ~/.azure/, ~/.config/gcloud/ | IAM keys, tokens, service account credentials | | get_wifi_cred() | Windows Credential Manager / registry | SSID passwords |

Cloud credential theft carries disproportionate impact in enterprise environments. A single harvested AWS IAM key or Azure service principal with broad permissions gives an attacker direct access to production infrastructure — no further exploitation required. The .azure/ and .config/gcloud/ paths are frequently overlooked by endpoint controls tuned primarily for browser credential theft.

The surveillance engine adds keylogging (T1056.001), clipboard monitoring (T1115), screenshot capture (T1113), webcam access (T1125), and audio recording (T1123) — capabilities that make DEEP#DOOR a full-spectrum espionage tool, not merely an infostealer.

// 06 MITRE ATT&CK Mapping

| Tactic | Technique | T-Number | |——–|———–|———-| | Initial Access | Phishing | T1566 | | Initial Access | User Execution | T1204 | | Execution | Windows Command Shell | T1059.003 | | Execution | PowerShell | T1059.001 | | Execution | Python | T1059.006 | | Persistence | Registry Run Keys / Startup Folder | T1547.001 | | Persistence | Scheduled Task/Job | T1053.005 | | Persistence | WMI Event Subscription | T1546.003 | | Defense Evasion | Disable or Modify Tools | T1562.001 | | Defense Evasion | Disable ETW Logging | T1562.006 | | Defense Evasion | Clear Windows Event Logs | T1070.001 | | Defense Evasion | Timestomp | T1070.006 | | Defense Evasion | Obfuscated Files or Information | T1027 | | Defense Evasion | Deobfuscate/Decode Files | T1140 | | Privilege Escalation | Bypass UAC | T1548.002 | | Discovery | System Information Discovery | T1082 | | Discovery | Process Discovery | T1057 | | Collection | Keylogging | T1056.001 | | Collection | Screen Capture | T1113 | | Collection | Video/Audio Capture | T1125, T1123 | | Collection | Clipboard Data | T1115 | | Credential Access | Credentials in Files | T1552.001 | | Command & Control | Application Layer Protocol | T1071.001 | | Command & Control | Protocol Tunneling | T1572 | | Exfiltration | Exfiltration Over C2 Channel | T1041 |

// 07 DEEP#DOOR Network IOCs and File Indicators

SHA-256 File Hashes

| File | SHA-256 | |——|———| | install_obf.bat (dropper) | 2c2386ef6416ce821e377223d2a3b79f2b7ea9e8dc9ed2549f4676fe060b7ddd | | svc.py (encoded payload) | 84515368e2f8ff4467e38bf48dabb267b5b895f54df5be5ceb5428a414ae15e9 | | svc.py (decoded implant) | 4e3ae82eed8980bbc396020c197c767ba22483a124a00ee04c264dd394378485 | | SystemServices.vbs (launcher) | c6f00569913cd6bd1017b26bd33bbb28f1d92b9c9e0f830adcc24af59e181d3e |

File Paths and Registry Keys

| Type | Indicator | |——|———–| | File | %LOCALAPPDATA%SystemServicessvc.py | | File | %APPDATA%MicrosoftWindowsStart MenuProgramsStartupSystemServices.vbs | | Registry | HKCUSoftwareMicrosoftWindowsCurrentVersionRunSystemServices | | String | Y2hhbmdlbWUxMjM= (bore.pub auth key embedded in dropper) | | String | #PYTHON_START / #PYTHON_END (payload delimiter markers in dropper) |

Network Indicators

| Type | Value | Context | |——|——-|———| | Domain | bore[.]pub | C2 tunneling relay | | Port range | TCP 41234–41243 (outbound) | bore.pub tunnel ports | | Auth artifact | Y2hhbmdlbWUxMjM= in batch file | Static bore.pub auth key |

// 08 Detection Checklist: YARA Rules, EDR Queries, and Network Signatures

YARA Rules

The following rules detect DEEP#DOOR artifacts based on Securonix’s published indicators:

rule DEEPDOOR_Batch_Dropper {
    meta:
        description = "Detects DEEP#DOOR batch dropper install_obf.bat"
        author      = "CiphersSecurity — based on Securonix Threat Research"
        date        = "2026-05-03"
        reference   = "https://www.securonix.com/blog/deepdoor-python-backdoor-and-credential-stealer/"
        hash        = "2c2386ef6416ce821e377223d2a3b79f2b7ea9e8dc9ed2549f4676fe060b7ddd"

    strings:
        $marker1  = "#PYTHON_START" ascii
        $marker2  = "#PYTHON_END" ascii
        $path1    = "SystemServicessvc.py" ascii wide
        $auth     = "Y2hhbmdlbWUxMjM=" ascii
        $fn_amsi  = "_patch_amsi" ascii
        $tunnel   = "bore.pub" ascii

    condition:
        uint16(0) == 0x6540 or // batch file magic
        2 of ($marker1, $marker2, $path1, $auth, $fn_amsi, $tunnel)
}

rule DEEPDOOR_Python_Implant {
    meta:
        description = "Detects decoded DEEP#DOOR Python implant svc.py"
        author      = "CiphersSecurity — based on Securonix Threat Research"
        date        = "2026-05-03"
        hash        = "4e3ae82eed8980bbc396020c197c767ba22483a124a00ee04c264dd394378485"

    strings:
        $fn1 = "get_chrome_cred" ascii
        $fn2 = "get_ssh_key" ascii
        $fn3 = "get_cloud_cred" ascii
        $fn4 = "_patch_amsi" ascii
        $fn5 = "_patch_etw" ascii
        $fn6 = "_unhook_ntdll" ascii
        $fn7 = "_kill_event_log" ascii
        $fn8 = "_clear_cmdline" ascii
        $fn9 = "get_wifi_cred" ascii

    condition:
        4 of them
}

Splunk SPL Queries

Hunt for dropper and payload execution:

index=endpoint sourcetype=WinEventLog:Security
  (CommandLine="*install_obf.bat*"
   OR CommandLine="*SystemServicessvc.py*"
   OR CommandLine="*SystemServices.vbs*")
| table _time, host, user, CommandLine, ParentCommandLine

Hunt for Defender tampering (T1562.001):

index=endpoint sourcetype=WinEventLog:Security
  CommandLine="*Set-MpPreference*" AND CommandLine="*DisableRealtimeMonitoring*"
| table _time, host, user, CommandLine

Hunt for bore.pub tunnel connections:

index=network sourcetype=dns
  query="bore.pub"
| stats count by src_ip, query
| where count > 0

Hunt for SystemServices persistence via Run key:

index=endpoint sourcetype=WinRegistry
  RegistryKeyPath="*CurrentVersionRun*" AND RegistryValue="*SystemServices*"
| table _time, host, user, RegistryKeyPath, RegistryValue, RegistryData

Microsoft Sentinel KQL

// Detect dropper or persistence VBS execution
DeviceProcessEvents
| where ProcessCommandLine has_any ("install_obf.bat", "SystemServicessvc.py", "SystemServices.vbs")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc

// Detect bore.pub DNS resolution
DeviceNetworkEvents
| where RemoteUrl contains "bore.pub"
   or RemotePort between (41234 .. 41243)
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

// Detect Defender tampering via PowerShell
DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe"
   and ProcessCommandLine has "Set-MpPreference"
   and ProcessCommandLine has "DisableRealtimeMonitoring"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Endpoint Hunting Commands

Check for DEEP#DOOR artifacts on a suspect Windows host:

# Check for implant file
Test-Path "$env:LOCALAPPDATASystemServicessvc.py"

# Check for startup persistence VBS
Test-Path "$env:APPDATAMicrosoftWindowsStart MenuProgramsStartupSystemServices.vbs"

# Check Run key
Get-ItemProperty "HKCU:SoftwareMicrosoftWindowsCurrentVersionRun" |
  Select-Object SystemServices

# List scheduled tasks pointing to svc.py
Get-ScheduledTask | Where-Object {
  $_.Actions.Execute -like "*svc.py*" -or
  $_.TaskPath -like "*SystemServices*"
} | Select-Object TaskName, TaskPath, State

# Check for WMI event consumer persistence
Get-WMIObject -Namespace rootsubscription -Class __EventConsumer |
  Select-Object Name, CommandLineTemplate, ScriptText

Network Blocking

# Perimeter DNS block
bore.pub

# Perimeter firewall — block outbound TCP on bore.pub port range
DENY TCP any -> any dport 41234:41243

// 09 Conclusion

DEEP#DOOR is a capable, modular Python framework that neutralises most Windows endpoint controls before establishing persistence across five redundant vectors. The bore.pub C2 relay means a single IP blocklist entry provides no protection — defenders must block at the DNS layer or enforce TLS inspection to catch the tunnel traffic. Immediate response priorities: hunt for the four SHA-256 hashes above across your fleet, block bore.pub DNS resolution at the recursive resolver, and deploy the YARA rules to your EDR. When remediating an infected host, terminate the watchdog process before removing persistence artifacts — partial removal will fail.

For credential recovery steps following a Python infostealer compromise, see our Vidar Stealer Detection 2026 post-compromise credential checklist. For coverage of similar public-infrastructure C2 abuse, see EtherRAT’s Ethereum Blockchain C2. Subscribe to our weekly threat digest for detection rules as new DEEP#DOOR variants emerge →