DEEP#DOOR Python Backdoor Steals Browser and Cloud Credentials
Security researchers at SentinelOne and WithSecure have uncovered a sophisticated Python-based backdoor named DEEP#DOOR that abuses legitimate tunneling services to establish covert command-and-control (C2) channels and exfiltrate credentials from targeted systems. The malware, which operates as a multi-stage framework, was observed using Cloudflare Tunnels and similar services to blend its C2 traffic into connections to a trusted provider, so that traditional network security monitoring sees only an outbound TLS session to a well-known domain. DEEP#DOOR also employs encrypted C2 traffic and dynamic payload delivery, fetching stages at runtime so that it can adapt its behavior to the target environment.
The backdoor's primary objective is credential harvesting. It targets browser data such as stored passwords, session cookies, and auto-fill information from Chrome, Firefox, Edge, and Brave, and it extracts cloud service credentials for the major platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The malware uses Python libraries such as selenium and browsercookie to automate browser extraction, and it reads and tampers with the configuration and credential files used by cloud developer tooling such as the AWS CLI and the Azure PowerShell modules to harvest API keys and cached authentication tokens.
Persistence is achieved through Windows Registry modifications, scheduled tasks, and startup folder entries, so the backdoor survives reboots and user logouts. The framework also includes capabilities for lateral movement, file exfiltration, and executing arbitrary PowerShell commands on compromised hosts. Researchers note that DEEP#DOOR shares code with tooling previously documented as belonging to Chinese state-sponsored threat actors, suggesting a possible link to an advanced persistent threat (APT) group. Organizations are advised to monitor for suspicious Python process execution (for example, a Python interpreter spawning a tunnel client or a scheduler utility), unusual outbound connections to tunnel-provider domains, and reads of browser credential databases or cloud CLI credential files by processes other than the browsers and tools that own them.
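The monitoring advice above is easiest to act on as concrete hunt rules over endpoint telemetry. The script below is an added example written for this article, not code from SentinelOne, WithSecure, or the malware itself. It runs the four behaviours the article describes (a Python interpreter launching a tunnel client or creating a scheduled task, outbound connections to tunnel-provider domains, credential-store reads by an unexpected process, and Run-key or startup-folder persistence) as rules over a set of constructed, Sysmon-style event records. The indicator lists (tunnel domains, credential-store paths, the allow-list of expected readers) are assumptions derived from the article's description and general Windows defaults, not published IOCs.

```python
"""Hunt for the DEEP#DOOR behaviours described in the article in endpoint telemetry.

Added example for this article; it is not code from SentinelOne or WithSecure.
The event records below are constructed, Sysmon-style telemetry, and the
indicator lists are assumptions derived from the article's description,
not published IOCs.
"""
import re

# Credential stores the article says the backdoor harvests (assumed paths, as regexes).
CREDENTIAL_STORE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\\Login Data$",                    # Chrome/Edge/Brave saved passwords
    r"\\Network\\Cookies$",              # Chromium session cookies
    r"\\Web Data$",                      # Chromium autofill data
    r"\\logins\.json$", r"\\key4\.db$",  # Firefox saved passwords
    r"\\cookies\.sqlite$",               # Firefox cookies
    r"\\\.aws\\credentials$",            # AWS CLI long-term keys
    r"\\\.azure\\",                      # Azure CLI / Az PowerShell token cache
    r"\\gcloud\\.*credentials",          # gcloud credentials.db / ADC json
)]
# Processes that legitimately read those stores (assumed allow-list; tune per estate).
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe",
                    "aws.exe", "az.cmd", "gcloud.cmd", "powershell.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe"}
TUNNEL_BINARIES = {"cloudflared.exe", "ngrok.exe"}
TUNNEL_DOMAIN = re.compile(r"\.(trycloudflare\.com|ngrok(-free)?\.app|ngrok\.io)$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, for image/child comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_id, rule_name) pairs for every event that matches a hunt rule."""
    findings = []
    for ev in events:
        image = basename(ev.get("image", ""))
        kind = ev["type"]
        if kind == "process":
            child = basename(ev["child"])
            if image in PYTHON_IMAGES and child in TUNNEL_BINARIES:
                findings.append((ev["id"], "python_spawns_tunnel_client"))
            if (image in PYTHON_IMAGES and child == "schtasks.exe"
                    and "/create" in ev.get("cmdline", "").lower()):
                findings.append((ev["id"], "python_creates_scheduled_task"))
        elif kind == "network":
            if TUNNEL_DOMAIN.search(ev.get("dest_host", "")):
                findings.append((ev["id"], "outbound_tunnel_connection"))
        elif kind == "file":
            target = ev["target"]
            if ev.get("op") == "create" and STARTUP_DIR.search(target):
                findings.append((ev["id"], "startup_folder_persistence"))
            elif (any(p.search(target) for p in CREDENTIAL_STORE_PATTERNS)
                  and image not in EXPECTED_READERS):
                findings.append((ev["id"], "credential_store_read_by_unexpected_process"))
        elif kind == "registry":
            # Autostart value whose data launches a Python interpreter.
            if RUN_KEY.search(ev["target"]) and "python" in ev.get("details", "").lower():
                findings.append((ev["id"], "run_key_persistence_via_python"))
    return findings


# Constructed telemetry for a hypothetical user "dev"; not real captures.
PY = r"C:\Users\dev\AppData\Local\Programs\Python\Python311\pythonw.exe"
CHROME_DB = r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": PY,
     "child": r"C:\Users\dev\AppData\Local\Temp\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run"},
    {"id": 2, "type": "network", "image": r"C:\Users\dev\AppData\Local\Temp\cloudflared.exe",
     "dest_host": "quiet-river-1234.trycloudflare.com", "dest_port": 443},
    {"id": 3, "type": "file", "image": PY, "op": "read", "target": CHROME_DB},
    {"id": 4, "type": "file", "op": "read", "target": CHROME_DB,  # benign: the browser itself
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 5, "type": "file", "image": PY, "op": "read",
     "target": r"C:\Users\dev\.aws\credentials"},
    {"id": 6, "type": "registry", "image": PY,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": PY + r" C:\Users\dev\AppData\Roaming\svc.py"},
    {"id": 7, "type": "file", "image": PY, "op": "create",
     "target": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"id": 8, "type": "process", "image": PY, "child": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "pythonw.exe svc.py"'},
    {"id": 9, "type": "process", "image": r"C:\Windows\explorer.exe",  # benign launch
     "child": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Run as-is, it flags events 1, 2, 3, 5, 6, 7 and 8 and stays silent on the browser reading its own database (event 4) and on a normal Firefox launch (event 9). The allow-list is the part that needs the most care in production: keying on the file name alone is too coarse, because legitimate tooling such as the Azure CLI ships its own python.exe under its install directory, so a real deployment should match expected readers on the full, signed image path rather than on the basename as this example does.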