DEEP#DOOR Python backdoor framework
Malware Activity
Summary
Hide ▲
Show ▼
DEEP#DOOR is a newly disclosed Python-based backdoor framework that can keep persistent access to compromised Windows hosts while stealing browser, SSH, and cloud credentials. The malware uses install_obf.bat to disable security controls, extract svc.py, and plant persistence through Startup scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions. It then connects to bore[.]pub for C2, enabling remote command execution, surveillance, and multiple anti-analysis evasion techniques. Researchers say the activity appears limited and somewhat targeted, but the framework is built for long-term post-exploitation use.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
H score16
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware ActivityAbout this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
H score69
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware ActivityAbout this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
LofyGang Minecraft LofyStealer campaign
Campaign
H score38
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
LofyGang Minecraft LofyStealer campaign
CampaignAbout this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
SilentGlass launch as a monitor-connection protection security device
Security Tool/Service
H score46
First: 22.04.2026 18:00
Last: 22.04.2026 18:00
Sources 1
About this happening:
The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
SilentGlass launch as a monitor-connection protection security device
Security Tool/ServiceAbout this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
Timeline
-
30.04.2026 15:36 2 articles · 2mo ago
Securonix discloses DEEP#DOOR Python backdoor framework
Initial DisclosureSecuronix disclosed DEEP#DOOR, a Python-based backdoor framework for Windows that uses install_obf.bat to disable security controls, extract svc.py, establish persistence through Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions, and connect to bore[.]pub for tunneling-based command-and-control. The framework supports remote command execution, keylogging, clipboard monitoring, screenshot capture, webcam access, ambient audio recording, browser credential theft, SSH key extraction, and cloud credential theft from Amazon Web Services, Google Cloud, and Microsoft Azure, while using anti-analysis and defense-evasion techniques such as sandbox, debugger, and VM detection, AMSI and ETW patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass, PowerShell logging suppression, command-line wiping, timestamp stomping, and log clearing.
Show sources
- New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials — thehackernews.com — 30.04.2026 15:36
- New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials — thehackernews.com — 30.04.2026 15:36