DEEP#DOOR Python Backdoor Uses Tunnels to Steal Data


New DEEP#DOOR Python backdoor uses tunneling service to steal browser and cloud credentials, evading detection in April 2026.

Cybersecurity researchers have uncovered a stealthy new Python-based backdoor dubbed DEEP#DOOR that uses tunneling technology to evade detection and steal sensitive data from compromised systems.

The malware, detailed on April 30, 2026, is designed to establish persistent access while harvesting a wide range of credentials, including browser logins, SSH keys, and cloud authentication tokens. Securonix researchers who analyzed the threat said the attack chain typically begins with a malicious batch script that disables Windows security protections before deploying the embedded Python payload.

Unlike traditional malware that relies on external downloads, the Python implant is embedded directly within the dropper script. This allows it to be extracted and executed locally, reducing its network footprint and making detection more difficult for defenders.

Once active, the backdoor communicates with attackers through a public tunneling service, enabling command-and-control operations without the need for dedicated infrastructure. This technique helps blend malicious traffic with legitimate connections, further complicating detection efforts.

The malware is capable of extensive surveillance and data theft, including keylogging, screenshot capture, webcam and microphone access, clipboard monitoring, and credential harvesting from browsers and cloud platforms such as AWS, Google Cloud, and Azure.

Researchers also identified multiple persistence and evasion mechanisms, including registry modifications, scheduled tasks, and anti-analysis techniques designed to bypass security tools like Microsoft Defender and avoid sandbox detection.
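The chain described above (batch dropper, security tooling disabled, embedded Python implant, outbound tunnel connection, scheduled task or Run-key persistence) is easier to catch as a correlated sequence than as isolated events, since each step on its own also occurs in legitimate administration. The following detection sketch is an added example written for this article, not code from Securonix or from the malware report; it correlates constructed process, network and registry events that loosely follow Sysmon field names. The batch file name, script path, tunnel hostname and task names are all constructed placeholders, and the token lists are a minimal illustration rather than a complete rule set.

```python
"""Correlate endpoint telemetry for a batch-dropper -> Python implant chain.

Added example for the DEEP#DOOR write-up. The events below are constructed
samples, not real telemetry; fields loosely mirror Sysmon process-create,
network-connect and registry-set records.
"""
from collections import defaultdict

# Constructed sample events. Session one is a benign admin creating a backup
# task; session two models the chain the article describes.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 900, "ppid": 10, "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    {"type": "process", "pid": 901, "ppid": 900, "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn NightlyBackup /tr backup.exe /sc daily"},
    {"type": "process", "pid": 1000, "ppid": 20, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\Public\\invoice.bat"'},  # placeholder path
    {"type": "process", "pid": 1001, "ppid": 1000, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "pid": 1002, "ppid": 1000, "image": "pythonw.exe",
     "cmdline": "pythonw.exe C:\\Users\\Public\\payload.py"},  # placeholder path
    {"type": "network", "pid": 1002, "image": "pythonw.exe",
     "dest": "tunnel-endpoint.example", "dport": 443},  # placeholder host
    {"type": "process", "pid": 1003, "ppid": 1000, "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr pythonw.exe /sc onlogon"},
    {"type": "registry", "pid": 1000, "image": "cmd.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]

# Tokens that indicate Defender being turned down from a command line
# (T1562.001). Deliberately short; a production rule would be broader.
DISABLE_TOKENS = ("set-mppreference", "disablerealtimemonitoring")
PYTHON_IMAGES = ("python.exe", "pythonw.exe")


def _process_tree(events):
    """Index process-create events by pid and build a parent -> children map."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for e in procs.values():
        children[e["ppid"]].append(e["pid"])
    return procs, children


def _descendants(pid, children):
    """Return every pid transitively spawned by `pid` (iterative DFS)."""
    seen, stack = set(), [pid]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def analyze(events, min_stages=3):
    """Flag each batch-launched cmd.exe whose process tree shows at least
    `min_stages` of the five stages. Returns a list of findings."""
    procs, children = _process_tree(events)
    roots = [p for p in procs.values()
             if p["image"].lower() == "cmd.exe" and ".bat" in p["cmdline"].lower()]
    findings = []
    for root in roots:
        tree = _descendants(root["pid"], children) | {root["pid"]}
        stages = {"batch_dropper"}
        for e in events:
            if e["pid"] not in tree:
                continue
            if e["type"] == "process":
                cl = e["cmdline"].lower()
                if any(t in cl for t in DISABLE_TOKENS):
                    stages.add("security_disabled")
                if e["image"].lower() in PYTHON_IMAGES:
                    stages.add("python_implant")
                if "schtasks" in cl and "/create" in cl:
                    stages.add("persistence")
            elif e["type"] == "network" and e["image"].lower() in PYTHON_IMAGES:
                # A Python interpreter spawned by the dropper talking outbound;
                # the article does not name the tunnel service, so no host list.
                stages.add("tunnel_c2")
            elif e["type"] == "registry" and "\\currentversion\\run" in e["target"].lower():
                stages.add("persistence")
        if len(stages) >= min_stages:
            findings.append({"root_pid": root["pid"], "cmdline": root["cmdline"],
                             "stages": sorted(stages)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"ALERT pid={f['root_pid']} stages={f['stages']} via {f['cmdline']}")
```

The benign session is never considered because its root `cmd.exe` was not launched from a `.bat` file, and even if it were, a lone `schtasks /create` gives only two stages. Raising `min_stages` trades recall for precision; the point is that the combination, not any single command, is what separates this chain from routine administration.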

While current evidence suggests the malware has not yet been deployed in large-scale campaigns, experts warn that its modular design makes it adaptable for broader use by threat actors. The discovery highlights a growing trend toward fileless, script-based malware that leverages legitimate services to remain hidden within enterprise environments.
