👤 TRUSTBREAKER
🗓️ 01 May 2026  

Shadow in the Startup: The Deep#Door Stealer Campaign That Outsmarts Defenders

A new backdoor malware blends stealth, persistence, and credential theft, threatening both personal and enterprise security.

It starts with a simple batch file - an innocuous installer dropped onto a Windows laptop. Within moments, it morphs into a silent gatekeeper, burrowing deep into the system, disabling defenses, and unlocking a trove of digital secrets. Meet Deep#Door: the latest stealer campaign exposing browser passwords, cloud tokens, and SSH keys, and making defenders’ jobs harder than ever.

Fast Facts

  • Deep#Door uses an obfuscated batch loader to deploy a Python-based implant with no external downloads.
  • The malware disables Microsoft Defender, PowerShell logging, and event logs to evade detection.
  • It steals credentials from browsers, cloud platforms (AWS, Azure, Google Cloud), and SSH keys.
  • Persistence is ensured via multiple system locations and a watchdog that restores deleted components.
  • Command-and-control traffic is tunneled through bore[.]pub, mimicking legitimate network services.

Behind the Backdoor: Anatomy of Deep#Door

Unlike typical password stealers, Deep#Door is engineered for endurance and stealth. The infection chain begins with a batch file called install_obf.bat that carries the implant inside it: the loader extracts an embedded Python script (svc.py) and drops it into a folder named to look like a Windows service directory. Because the payload arrives already embedded, there is no second-stage download, which removes one of the first red flags security teams watch for.

Once running, Deep#Door sabotages the host’s defenses. It disables Microsoft Defender, tampers with PowerShell and firewall logging, and neutralizes AMSI and ETW, the in-process hooks that hand script content and telemetry to security tooling, so its later stages execute without being inspected. Before fully activating, it checks for sandboxes, debuggers, and virtual machines, so an analyst who detonates it in a lab may see little of this behaviour at all.

Persistence is layered. Deep#Door registers itself in the Startup folders, registry Run keys, and scheduled tasks, with WMI event subscriptions as an optional extra. A dedicated watchdog watches the other components and silently re-creates any that is deleted, so removing one artefact at a time turns remediation into a game of whack-a-mole: every copy, including the watchdog, has to go in the same pass, ideally with the host isolated first.
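The host-side behaviours above (batch-to-Python hand-off, defence tampering, layered persistence) are easier to hunt as a correlated set than as individual indicators. The following is an added detection example written for this article; it is not code from the original page or from any vendor. It assumes Sysmon-style events already parsed into dicts (the field names Image, ParentImage, CommandLine, TargetObject, Details and TargetFilename are Sysmon's real ones; the values, the interpreter path and the "WinSvcHost" folder are constructed placeholders, since the article names neither). The registry policy paths checked are the real Windows locations. It goes one step beyond matching the named files: an actor that plants two or more distinct persistence mechanisms is escalated, because that layering is exactly what the watchdog relies on.

```python
import ntpath
import re
from collections import defaultdict

# Registry values whose listed setting switches a defence off. Paths are the
# real Windows policy locations; matched as case-insensitive suffixes of the
# Sysmon TargetObject so HKLM and HKEY_LOCAL_MACHINE spellings both hit.
DEFENCE_TAMPER = {
    r"\windows defender\disableantispyware": 1,
    r"\real-time protection\disablerealtimemonitoring": 1,
    r"\powershell\scriptblocklogging\enablescriptblocklogging": 0,
    r"\powershell\modulelogging\enablemodulelogging": 0,
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon's Details rendering
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def _base(path):
    return ntpath.basename(path or "").lower()


def check_loader(ev):
    """Batch script (via cmd.exe) handing off to a Python interpreter: the
    install_obf.bat -> svc.py hop. The file names are not the signal."""
    if ev["EventID"] == 1 and _base(ev.get("Image")) in PYTHON_IMAGES \
            and ".bat" in (ev.get("ParentCommandLine") or "").lower():
        return "batch_to_python", "medium"
    return None


def check_defence_tamper(ev):
    """Registry write setting a Defender/PowerShell-logging policy to 'off';
    the opposite value (someone re-enabling it) is deliberately ignored."""
    if ev["EventID"] != 13:
        return None
    target = (ev.get("TargetObject") or "").lower()
    m = DWORD_RE.search(ev.get("Details") or "")
    value = int(m.group(1), 16) if m else None
    for suffix, off_value in DEFENCE_TAMPER.items():
        if target.endswith(suffix) and value == off_value:
            return "defence_tamper:" + suffix.rsplit("\\", 1)[-1], "high"
    return None


def check_persistence(ev):
    """Name the persistence mechanism an event represents, or None."""
    eid = ev["EventID"]
    if eid == 13 and "\\currentversion\\run\\" in (ev.get("TargetObject") or "").lower():
        return "run_key"
    if eid == 11 and "\\programs\\startup\\" in (ev.get("TargetFilename") or "").lower():
        return "startup_folder"
    if eid == 1 and _base(ev.get("Image")) == "schtasks.exe" \
            and "/create" in (ev.get("CommandLine") or "").lower():
        return "scheduled_task"
    if eid == 21:  # Sysmon WmiEvent: filter-to-consumer binding created
        return "wmi_subscription"
    return None


def analyze(events):
    """Run the rules, then correlate persistence per acting process: two or
    more distinct mechanisms from one actor is the layering (plus watchdog)
    that defeats single-location cleanup, so it gets its own high finding.
    Returns (rule, severity, computer, actor) tuples."""
    findings, mechanisms = [], defaultdict(set)
    for ev in events:
        computer = ev.get("Computer", "?")
        for rule in (check_loader, check_defence_tamper):
            hit = rule(ev)
            if hit:
                findings.append((hit[0], hit[1], computer, ev.get("Image")))
        mech = check_persistence(ev)
        if mech:
            # schtasks.exe is only the tool; its parent is the process acting
            actor = ev.get("ParentImage") if mech == "scheduled_task" else ev.get("Image")
            findings.append((mech, "medium", computer, actor))
            mechanisms[(computer, actor)].add(mech)
    for (computer, actor), mechs in mechanisms.items():
        if len(mechs) >= 2:
            findings.append(("layered_persistence:" + "+".join(sorted(mechs)), "high", computer, actor))
    return findings


# Constructed sample telemetry using Sysmon field names with invented values.
# The interpreter path and the "WinSvcHost" service-like folder are placeholders;
# the article names neither.
PY = r"C:\Users\dana\AppData\Local\Programs\Python\Python311\python.exe"
SVC = r"C:\ProgramData\WinSvcHost\svc.py"
POL = r"HKLM\SOFTWARE\Policies\Microsoft"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "LT-0421", "Image": PY, "CommandLine": f'python.exe "{SVC}"',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\dana\Downloads\install_obf.bat"'},
    {"EventID": 13, "Computer": "LT-0421", "Image": PY, "Details": "DWORD (0x00000001)",
     "TargetObject": POL + r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 13, "Computer": "LT-0421", "Image": PY, "Details": "DWORD (0x00000000)",
     "TargetObject": POL + r"\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging"},
    {"EventID": 13, "Computer": "LT-0421", "Image": PY, "Details": SVC,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinSvcHost"},
    {"EventID": 11, "Computer": "LT-0421", "Image": PY, "TargetFilename":
     r"C:\Users\dana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSvcHost.lnk"},
    {"EventID": 1, "Computer": "LT-0421", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PY,
     "CommandLine": f'schtasks.exe /Create /SC MINUTE /MO 5 /TN WinSvcHost /TR "{PY} {SVC}" /F'},
    # Benign: an administrator turning real-time protection back on. Must stay quiet.
    {"EventID": 13, "Computer": "LT-0421", "Image": r"C:\Windows\System32\svchost.exe",
     "Details": "DWORD (0x00000000)",
     "TargetObject": POL + r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for rule, severity, computer, actor in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {computer} {rule} <- {actor}")
```

On the constructed sample this yields seven findings: the loader hop, two defence-tamper hits, three individual persistence writes, and one high-severity "layered_persistence" for the interpreter that planted all three, while the administrator re-enabling real-time protection produces nothing. In production the persistence correlation is the part worth keeping even if the file names in the article change.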

Once established, the malware’s reach is formidable. It doesn’t just harvest browser passwords - it scoops up SSH private keys, Windows Credential Manager entries, and cloud tokens for major providers. In one fell swoop, both personal and corporate credentials can be siphoned from a single infected device, opening doors to lateral movement, infrastructure compromise, and data breaches.

For command-and-control, Deep#Door leverages bore[.]pub, the public instance of bore, an open-source TCP tunnelling tool, so its sessions look like any other use of a legitimate tunnelling service. With encoded configs, dynamic ports, and challenge-response authentication between implant and operator, it can evade many traditional detection and blocking strategies; a port-based block in particular is useless when the port changes from session to session. If a connection drops, the implant scans bore[.]pub for the operator’s new port rather than waiting on a hard-coded one, staying flexible and hard to disrupt.
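Two network signals fall out of that design: a connection to the tunnel broker's domain at all, and the burst of connections to many different ports on one destination as the implant hunts for its new port. The following is an added detection example written for this article, not code from the original page or from any vendor. It assumes flow records already normalised into dicts with a timestamp, source host, destination IP, resolved destination hostname and port (what a proxy log or Sysmon network-connect event gives you); the hosts, the TEST-NET-3 address standing in for the relay, and the port numbers are constructed. The port-hopping rule is deliberately hostname-blind, so it generalises to any relay the implant might be repointed at.

```python
from collections import defaultdict

TUNNEL_DOMAINS = ("bore.pub",)  # the article's indicator; add other brokers you do not sanction
HOP_THRESHOLD = 5               # distinct destination ports on one host...
HOP_WINDOW = 120                # ...within this many seconds


def is_tunnel_domain(hostname):
    """True for the domain itself or any subdomain; avoids matching bore.pub.evil.example."""
    h = (hostname or "").lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in TUNNEL_DOMAINS)


def find_port_hopping(conns, threshold=HOP_THRESHOLD, window=HOP_WINDOW):
    """Sliding time window per (src, dst_ip); report the first window in which
    the source touched `threshold` distinct ports on that one destination.
    Blind to the hostname, so it still fires if the relay domain changes."""
    by_pair = defaultdict(list)
    for c in sorted(conns, key=lambda c: c["ts"]):
        by_pair[(c["src"], c["dst_ip"])].append(c)
    hits = []
    for (src, dst), seq in by_pair.items():
        start = 0
        for end, cur in enumerate(seq):
            while cur["ts"] - seq[start]["ts"] > window:
                start += 1
            ports = {c["dst_port"] for c in seq[start:end + 1]}
            if len(ports) >= threshold:
                hits.append({"src": src, "dst_ip": dst, "ports": sorted(ports),
                             "first": seq[start]["ts"], "last": cur["ts"]})
                break  # one finding per pair is enough for triage
    return hits


def analyze(conns):
    """Return (rule, src, destination, detail) findings for a batch of flows."""
    findings = [("tunnel_domain", c["src"], c["dst_host"], c["dst_port"])
                for c in conns if is_tunnel_domain(c.get("dst_host"))]
    findings += [("port_hopping", h["src"], h["dst_ip"], h["ports"])
                 for h in find_port_hopping(conns)]
    return findings


# Constructed flow records (timestamps in seconds). BORE_IP is a TEST-NET-3
# placeholder, not the relay's real address; port numbers are invented.
BORE_IP = "203.0.113.10"
SAMPLE_CONNS = [
    # implant probing for the operator's newly assigned port after a dropped session
    *({"ts": 1000 + 3 * i, "src": "LT-0421", "dst_ip": BORE_IP, "dst_host": "bore.pub",
       "dst_port": 41220 + i} for i in range(6)),
    {"ts": 1030, "src": "LT-0421", "dst_ip": BORE_IP, "dst_host": "bore.pub", "dst_port": 41225},
    # a developer exposing a local app through bore's default control port (7835):
    # the domain rule fires (a policy question), the hop rule does not
    {"ts": 2000, "src": "DEV-07", "dst_ip": BORE_IP, "dst_host": "bore.pub", "dst_port": 7835},
    # ordinary HTTPS to an internal host: nothing fires
    *({"ts": 3000 + 60 * i, "src": "FIN-12", "dst_ip": "198.51.100.5",
       "dst_host": "intranet.example", "dst_port": 443} for i in range(3)),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_CONNS):
        print(finding)
```

Tune HOP_THRESHOLD and HOP_WINDOW against your own baseline before alerting: vulnerability scanners and some load balancers legitimately touch many ports on one host, so scope the rule to endpoints rather than scanning infrastructure.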

Security researchers warn that unexplained batch scripts, unexpected changes to PowerShell or Defender settings, and outbound tunnel-like connections to services such as bore[.]pub are all red flags. Defenders are urged to check every persistence location listed above rather than stopping at the first one found, to examine memory for tampered security libraries (an AMSI or ETW bypass applied in memory leaves the DLLs on disk intact), and to audit for signs of credential theft, which in practice means rotating any browser, cloud, and SSH credentials that were present on an infected host.

Conclusion

Deep#Door marks a new chapter in credential-stealing malware - one where stealth, resilience, and versatility collide. As attackers blend into the noise of legitimate services and automate their own survival, defenders must adapt quickly. In an era where one compromised laptop can open the gates to entire cloud environments, vigilance is no longer optional - it’s essential.

WIKICROOK

  • Batch Loader: A batch loader is a Windows batch (.bat) script that stages and launches a malware payload, here by unpacking an embedded script, so that an attacker can deploy the threat across many systems with minimal manual effort.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Credential Theft: Credential theft occurs when attackers steal usernames, passwords, keys, or tokens, often via phishing, data breaches, or stealer malware, to gain unauthorized access to accounts and systems.
  • Tunneling Service: A tunneling service exposes a local server to the internet through a relay, enabling remote access and testing without opening inbound firewall rules; the same property lets malware route C2 traffic through a reputable third-party host.

TRUSTBREAKER, Zero-Trust Validation Specialist