RC RANDOM CHAOS

DEEP#DOOR Python RAT hides C2 behind bore.pub tunnels, scrapes browser and cloud creds

via The Hacker News

Original source: New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials (The Hacker News)

Securonix has documented DEEP#DOOR, a Python-based backdoor framework delivered through a batch dropper that disables Windows security controls, extracts an embedded Python payload, and entrenches itself via Startup folder scripts, Run keys, scheduled tasks, and optional WMI subscriptions. A watchdog routine rebuilds any persistence artifact that defenders strip out, so deleting artifacts one at a time only confirms the implant is still running; the process has to be stopped before the artifacts are removed. Initial delivery appears to lean on phishing, and observed activity looks targeted rather than broad, with no clear geography or sector pattern yet.
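
The persistence and watchdog behaviour above is what a hunt should correlate: one process planting several mechanisms, and an artifact coming back shortly after someone removed it. The Python below is an added example by the editor, not code from Securonix's report or from the malware. It runs over constructed Sysmon-style records; the interpreter path, pid 4242, and the task and file names are assumptions. Sysmon's WMI events (19-21) carry no ProcessId, so WMI subscriptions are left to a separate rule.

```python
"""Correlate Sysmon-style persistence events per planting process and flag
artifacts re-created after removal (the watchdog pattern). Editor-added
example, not Securonix's or the malware's code; records are constructed
samples and python.exe / pid 4242 / the task and file names are assumptions."""
from collections import defaultdict

RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
STARTUP_DIR = "\\Start Menu\\Programs\\Startup\\"

def persistence_hit(ev):
    """(mechanism, artifact, planter_pid) if the event plants persistence, else None.
    Sysmon WMI events (19-21) have no ProcessId and are not correlated here."""
    eid = ev["EventID"]
    if eid == 13 and any(k in ev["TargetObject"] for k in RUN_KEYS):   # registry value set
        return ("run_key", ev["TargetObject"], ev["ProcessId"])
    if eid == 11 and STARTUP_DIR in ev["TargetFilename"]:              # file created
        return ("startup_folder", ev["TargetFilename"], ev["ProcessId"])
    # schtasks.exe is a child process; the planter is its parent.
    if eid == 1 and ev["Image"].lower().endswith("\\schtasks.exe") \
            and "/create" in ev["CommandLine"].lower():
        return ("scheduled_task", ev["CommandLine"], ev["ParentProcessId"])
    return None

def removed_artifact(ev):
    """Artifact removed by a registry DeleteValue (12) or FileDelete (23) event."""
    if ev["EventID"] == 12 and ev.get("EventType") == "DeleteValue":
        return ev["TargetObject"]
    if ev["EventID"] == 23:
        return ev["TargetFilename"]
    return None

def analyze(events):
    """Returns (multi_mechanism, recreated).
    multi_mechanism: pid -> sorted list of the >=2 distinct mechanisms it planted.
    recreated: [(artifact, pid)] for artifacts planted again after a deletion."""
    mechanisms = defaultdict(set)
    state = {}                         # artifact -> "present" | "deleted"
    recreated = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        hit = persistence_hit(ev)
        if hit:
            mech, artifact, pid = hit
            mechanisms[pid].add(mech)
            if state.get(artifact) == "deleted":
                recreated.append((artifact, pid))
            state[artifact] = "present"
            continue
        gone = removed_artifact(ev)
        if gone:
            state[gone] = "deleted"
    multi = {pid: sorted(m) for pid, m in mechanisms.items() if len(m) >= 2}
    return multi, recreated

# Constructed sample: an interpreter (pid 4242) plants three mechanisms, an
# analyst deletes the Run value with regedit, and the watchdog writes it back.
PY = r"C:\Users\a\AppData\Local\python.exe"
RUN_VALUE = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
STARTUP_FILE = (r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\update.bat")
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01 10:00:01", "ProcessId": 4242,
     "Image": PY, "TargetObject": RUN_VALUE},
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:02", "ProcessId": 4242,
     "Image": PY, "TargetFilename": STARTUP_FILE},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:03", "ProcessId": 4300,
     "ParentProcessId": 4242, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn Updater /tr "python.exe run.py" /sc onlogon'},
    # Benign noise: a single Run value set by a legitimate application.
    {"EventID": 13, "UtcTime": "2024-05-01 10:01:00", "ProcessId": 900,
     "Image": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventID": 12, "UtcTime": "2024-05-01 10:05:00", "ProcessId": 1234,
     "EventType": "DeleteValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": RUN_VALUE},
    {"EventID": 13, "UtcTime": "2024-05-01 10:05:02", "ProcessId": 4242,
     "Image": PY, "TargetObject": RUN_VALUE},
]

if __name__ == "__main__":
    multi, recreated = analyze(SAMPLE_EVENTS)
    print("multi-mechanism planters:", multi)
    print("re-created after removal:", recreated)
```

The re-creation rule is the one worth tuning: a two-second gap between a DeleteValue and the same value being set again by the same interpreter is the watchdog, and the pid it names is the process to suspend before any further cleanup.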

C2 routes through bore.pub, the public server for bore, an open-source Rust TCP tunneling tool: the operator exposes a local listener through bore.pub and the implant reaches it by connecting to bore.pub on the assigned port, so the attacker never stands up public-facing infrastructure of their own and the traffic blends into legitimate tunnel usage. For defenders the observable is therefore outbound traffic to bore.pub from a host or process that has no business tunneling, not a reputation hit on an attacker domain. Once connected, operators get a reverse shell plus a wide surveillance toolkit: keylogging, clipboard and screen capture, webcam and microphone access, and credential theft spanning Chrome, Firefox, Windows Credential Manager, SSH keys, and AWS, GCP, and Azure tokens.

Defense evasion is the core selling point. The implant patches AMSI and ETW, unhooks NTDLL, tampers with Defender, bypasses SmartScreen, suppresses PowerShell logging, wipes command lines, stomps timestamps, and clears logs. Embedding the payload inside the dropper and reconstructing it at runtime removes the download stage and its network dependency, while the reliance on Python and native Windows components fits the broader drift toward script-driven RATs that live in interpreted code rather than a compiled binary, which is where signature-based detection is weakest. That said, the extracted payload, the Startup scripts and the registry and task entries all touch disk, so file, registry and process-creation telemetry still has something to catch even when the in-memory patching blinds AMSI and ETW.
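
Two things in the last two paragraphs are visible in ordinary host telemetry: egress to bore.pub, and the tampering with Defender, PowerShell logging, event logs and file timestamps. The Python below is an added example by the editor that serves both paragraphs; it is not Securonix's detection content or the malware's code. It runs over constructed Sysmon-style and Windows event-log records; the image names, ports and file paths are assumptions, while the registry policy paths, Sysmon event IDs and the 1102/104 log-clear events are the real ones. AMSI/ETW patching and NTDLL unhooking happen in memory and need EDR or memory telemetry rather than these logs.

```python
"""Hunt over constructed Sysmon-style and Windows event-log records for bore.pub
egress and for control tampering. Editor-added example, not Securonix's or the
malware's code. Image names, ports and paths are assumptions; registry policy
paths, Sysmon event IDs and the 1102/104 log-clear events are real."""

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
TUNNEL_HOST = "bore.pub"
# Registry policy values that switch a control off, keyed by path suffix.
TAMPER_VALUES = {
    r"\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "0x00000001",
    r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": "0x00000001",
    r"\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging": "0x00000000",
}
# Microsoft-Windows-Eventlog records written when an audit log is cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

def image_name(path):
    """Bare executable name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_tunnel_host(name):
    return name == TUNNEL_HOST or name.endswith("." + TUNNEL_HOST)

def classify(ev):
    """Return (tag, detail) if the record is suspicious, else None."""
    prov, eid = ev["Provider"], ev["EventID"]
    if prov == "Microsoft-Windows-Eventlog":
        return ("log_cleared", ev["Channel"]) if (ev["Channel"], eid) in LOG_CLEARED else None
    if prov != "Microsoft-Windows-Sysmon":
        return None
    img = image_name(ev.get("Image", ""))
    # 22 = DNS query, 3 = network connection. A bore client on a developer box
    # also talks to bore.pub; an interpreter doing so is the reported pattern.
    if (eid == 22 and is_tunnel_host(ev["QueryName"])) or \
       (eid == 3 and is_tunnel_host(ev.get("DestinationHostname", ""))):
        kind = "dns" if eid == 22 else "connect"
        tag = "tunnel_scripthost" if img in SCRIPT_HOSTS else "tunnel_other"
        return (tag, f"{kind}:{img}")
    if eid == 13:  # registry value set
        for suffix, off_value in TAMPER_VALUES.items():
            if ev["TargetObject"].endswith(suffix) and off_value in ev["Details"]:
                return ("control_disabled", suffix.rsplit("\\", 1)[-1])
    if eid == 2 and img in SCRIPT_HOSTS \
            and ev["CreationUtcTime"] < ev["PreviousCreationUtcTime"]:
        return ("timestomp", ev["TargetFilename"])  # creation time moved backwards
    return None

def hunt(records):
    """Group findings by tag: {tag: [detail, ...]} in record order."""
    findings = {}
    for ev in records:
        hit = classify(ev)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings

PY = r"C:\Users\a\AppData\Local\python.exe"   # assumed interpreter path
SYSMON, EVTLOG = "Microsoft-Windows-Sysmon", "Microsoft-Windows-Eventlog"
SAMPLE_RECORDS = [                            # constructed, not captured
    {"Provider": SYSMON, "EventID": 22, "Image": PY, "QueryName": "bore.pub"},
    {"Provider": SYSMON, "EventID": 3, "Image": PY,
     "DestinationHostname": "bore.pub", "DestinationPort": 41234},
    {"Provider": SYSMON, "EventID": 3, "Image": r"C:\Tools\bore.exe",
     "DestinationHostname": "bore.pub", "DestinationPort": 7835},
    {"Provider": SYSMON, "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"Provider": SYSMON, "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000000)"},
    {"Provider": SYSMON, "EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\App",
     "Details": r"C:\Program Files\Vendor\app.exe"},
    {"Provider": EVTLOG, "EventID": 1102, "Channel": "Security"},
    {"Provider": SYSMON, "EventID": 2, "Image": PY,
     "TargetFilename": r"C:\Users\a\AppData\Local\run.py",
     "CreationUtcTime": "2019-01-01 00:00:00.000",
     "PreviousCreationUtcTime": "2024-05-01 10:00:05.000"},
]

if __name__ == "__main__":
    for tag, details in hunt(SAMPLE_RECORDS).items():
        print(f"{tag:20} {details}")
```

Sysmon leaves DestinationHostname empty when it cannot resolve the address, so in production the event 3 rule should also accept a DestinationIp seen in a recent event 22 answer for bore.pub; the constructed sample keeps the hostname populated to show the logic.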


This is an AI-generated summary. Read the original for the full story.