Securonix Threat Research has published an analysis of DEEP#DOOR, a stealthy Python-based backdoor framework that abuses the public bore.pub TCP tunneling service as command-and-control infrastructure rather than standing up dedicated C2 servers. The implant chains an aggressively obfuscated Windows batch loader to a Python RAT (svc.py) that disables core security controls, harvests browser-stored credentials, and exposes a broad command set covering surveillance, lateral movement, and destructive cleanup.
The interesting bit isn’t the payload itself — it’s the C2 architecture. By piggybacking on a free, legitimate TCP relay service, the operators avoid the usual indicators: no attacker-owned domains to sinkhole, no static IPs to blacklist, no certificate pinning to fingerprint. Defenders watching egress for “weird outbound connections” will see a connection to bore.pub, which on its own looks like developer-tooling traffic.
Infection chain
DEEP#DOOR ships as a single, heavily obfuscated batch script. Execution does several things in sequence:
- Disables Windows SmartScreen, firewall logging, Microsoft Defender tamper protection, and AMSI scan callbacks before any payload touches disk.
- Extracts an embedded Python interpreter and the svc.py RAT directly from the dropper script.
- Establishes persistence through three redundant mechanisms: a Startup folder shortcut, an HKCU\...\Run registry entry, and a Scheduled Task that re-executes the loader at user logon.
- Performs anti-analysis checks for VMs, sandboxes, debuggers, and known forensic tooling artifacts before continuing.
If the environment passes the checks, svc.py opens a tunneled TCP socket to bore.pub and waits for commands. The tunneling endpoint changes per campaign — there is no fixed IP for defenders to block at the perimeter.
Capabilities
Once the implant is online, Securonix observed it supporting:
- Remote shell execution and arbitrary file read/write
- Keylogging and on-demand screenshot capture
- Credential extraction from Chromium-based browsers (saved passwords, cookies, session tokens) including tokens for AWS, Azure, and GCP web consoles cached in the browser keystore
- Persistence repair (re-arms registry keys and scheduled tasks if removed)
- Lateral movement via SMB and WinRM using harvested credentials
- A “burn” command that wipes log files, removes persistence, and clears svc.py from disk
The cloud credential angle is what makes this relevant outside endpoint-protection circles. A compromised developer workstation that signs in to console.aws.amazon.com over Chrome is now a credential exfiltration source for any IAM session that browser has cached.
Why bore.pub matters
bore.pub is a free, open-source TCP tunneling service often used by developers to expose local dev servers without setting up a public IP. It is, in spirit, similar to ngrok or Cloudflare Tunnel — and we’ve seen the same abuse pattern with both (the prior SERPENTINE#CLOUD campaign used Cloudflare Tunnels for the same purpose).
The defender’s problem: blocking bore.pub outright will break legitimate use, and the tunnel endpoints are ephemeral. Network detection has to focus on the protocol shape of the tunneled session — long-lived TCP connections to public tunneling providers from non-developer endpoints — rather than on a destination IP.
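The rule above, turned into a small egress-log check as an added example (this is not code from the Securonix writeup): it flags sessions to the tunneling providers named on this page that are long-lived and originate from hosts outside a developer allow-list. The flow records, the developer host set and the 600-second threshold are all constructed assumptions.

```python
"""Added example, not from the Securonix writeup: flag long-lived TCP sessions
to public tunneling providers from endpoints that are not cleared for dev use.
Flow records, the developer allow-list and the duration threshold are constructed."""
from fnmatch import fnmatch

# Tunneling-as-a-service domains named in the writeup; wildcard patterns
# are matched against the full destination FQDN.
TUNNEL_DOMAINS = ["bore.pub", "*.trycloudflare.com", "*.ngrok.io", "*.serveo.net"]
LONG_LIVED_SECONDS = 600              # assumed threshold for "long-lived"
DEVELOPER_HOSTS = {"dev-laptop-07"}   # constructed allow-list of developer endpoints

def is_tunnel_provider(fqdn: str) -> bool:
    """True when the destination name matches one of the tunneling provider patterns."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fnmatch(fqdn, pattern) for pattern in TUNNEL_DOMAINS)

def flag_tunnel_sessions(flows):
    """Return flows that meet all three conditions of the rule: tunneling
    destination, long-lived session, and a source host not cleared for dev use."""
    hits = []
    for flow in flows:
        if not is_tunnel_provider(flow["dst_fqdn"]):
            continue                                   # ordinary destination
        if flow["duration_s"] < LONG_LIVED_SECONDS:
            continue                                   # short session, likely a fetch
        if flow["src_host"] in DEVELOPER_HOSTS:
            continue                                   # developer tooling is expected here
        hits.append(flow)
    return hits

# Constructed flow records mimicking a proxy or NetFlow export (not real data).
SAMPLE_FLOWS = [
    {"src_host": "dev-laptop-07", "dst_fqdn": "bore.pub", "duration_s": 4200},
    {"src_host": "fin-ws-112", "dst_fqdn": "bore.pub", "duration_s": 5400},
    {"src_host": "fin-ws-112", "dst_fqdn": "update.microsoft.com", "duration_s": 12},
    {"src_host": "hr-ws-003", "dst_fqdn": "abc123.trycloudflare.com", "duration_s": 30},
    {"src_host": "hr-ws-003", "dst_fqdn": "x9.ngrok.io", "duration_s": 7200},
]

if __name__ == "__main__":
    for hit in flag_tunnel_sessions(SAMPLE_FLOWS):
        print(f"ALERT {hit['src_host']} -> {hit['dst_fqdn']} ({hit['duration_s']}s)")
```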
Mitigation
This is not patchable; it’s an OPSEC and detection problem.
- Block tunneling-as-a-service domains at the egress proxy for non-developer user populations: bore.pub, *.trycloudflare.com, *.ngrok.io, *.serveo.net. Treat connections to those FQDNs as policy violations on workstations that have no business reaching them.
- Hunt for AMSI/Defender tamper events. The loader explicitly disables them as its first action. Sysmon Event ID 13/15 changes against HKLM\SOFTWARE\Microsoft\Windows Defender and HKLM\SOFTWARE\Microsoft\AMSI are the cleanest signal.
- Detect the persistence triad. Joint creation of a Startup folder shortcut, a Run registry value, and a Scheduled Task within a short window from a single parent process is high-fidelity for this loader family.
- Rotate any cloud credentials cached in the browsers of compromised hosts. Browser keystore extraction means short-lived web console tokens, not just IAM access keys, are in scope.
- For cloud admins: require hardware-bound WebAuthn for console sign-in. Browser-cached session cookies are useless to the attacker if the next refresh requires a security key tap.
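An added example (not Securonix's code) of the two host-side hunts above run over Sysmon-style events: registry value sets under the Defender and AMSI keys, and the persistence triad correlated back to one parent process. The events, process GUIDs, value names and the 60-second window are constructed assumptions.

```python
"""Added example, not from the Securonix writeup: correlate Sysmon-style events for
Defender/AMSI registry tampering and the persistence triad from one parent process."""
from collections import defaultdict

TAMPER_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows Defender", r"HKLM\SOFTWARE\Microsoft\AMSI")
TRIAD_WINDOW_S = 60  # assumed "short window" for the triad correlation

def classify(ev):
    """Map one event to (actor GUID, persistence kind), or None if unrelated."""
    eid, target = ev["event_id"], ev["target"]
    if eid == 11 and "\\Startup\\" in target and target.lower().endswith(".lnk"):
        return ev["proc_guid"], "startup_lnk"          # FileCreate in the Startup folder
    if eid == 13 and "\\CurrentVersion\\Run\\" in target:
        return ev["proc_guid"], "run_key"              # RegistryEvent value set
    if eid == 1 and ev["image"].lower().endswith("schtasks.exe") and "/create" in target.lower():
        return ev["parent_guid"], "sched_task"         # credit the task to the parent
    return None

def find_tamper(events):
    """Registry value sets (EID 13) under the Defender or AMSI keys."""
    return [e for e in events if e["event_id"] == 13 and e["target"].startswith(TAMPER_KEYS)]

def find_persistence_triad(events):
    """Return actor GUIDs that produced all three artifacts within the window."""
    first_seen = defaultdict(dict)                     # actor -> {kind: first timestamp}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            actor, kind = hit
            first_seen[actor].setdefault(kind, ev["ts"])
    return [actor for actor, kinds in first_seen.items()
            if len(kinds) == 3 and max(kinds.values()) - min(kinds.values()) <= TRIAD_WINDOW_S]

# Constructed events: "target" stands in for TargetObject (EID 13), TargetFilename
# (EID 11) or CommandLine (EID 1); GUIDs and the "SomeValue" names are placeholders.
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"ts": 100, "event_id": 13, "proc_guid": "A", "image": "cmd.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\SomeValue"},
    {"ts": 101, "event_id": 13, "proc_guid": "A", "image": "cmd.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\AMSI\SomeValue"},
    {"ts": 120, "event_id": 11, "proc_guid": "A", "image": "cmd.exe", "target": STARTUP + r"\svc.lnk"},
    {"ts": 122, "event_id": 13, "proc_guid": "A", "image": "cmd.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"ts": 125, "event_id": 1, "proc_guid": "B", "parent_guid": "A", "image": "schtasks.exe",
     "target": "schtasks.exe /create /tn svc /sc onlogon /tr svc.bat"},
    {"ts": 300, "event_id": 13, "proc_guid": "C", "image": "installer.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},  # lone Run key
]
```

Process C sets a Run value without the other two artifacts and is not flagged; in production, group on Sysmon's ProcessGuid rather than on image names, since the loader runs under cmd.exe.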
Indicators
Securonix’s writeup includes batch script SHA-256s, svc.py hashes, and the bore.pub tunnel registration patterns. Pull those into your EDR and proxy block lists today; the operators rotate them, but the structural patterns (loader → Python → tunnel) hold across samples.
DEEP#DOOR isn’t widely deployed — Securonix characterizes it as targeted rather than mass — but the tradecraft is portable. Expect copycats.
Sources
- Securonix Threat Research: DEEP#DOOR Python Backdoor and Credential Stealer
- The Hacker News: New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials
- SecurityWeek: Sophisticated Deep#Door Backdoor Enables Espionage, Disruption
- Infosecurity Magazine: Deep#Door Python Backdoor Evades Detection on Windows