New Deep#Door RAT uses stealth and persistence to target Windows
Publish Date: 2026-05-02 05:04:00
Source Domain: securityaffairs.com
Pierluigi Paganini
May 02, 2026

Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP tunnel.
Security researchers at Securonix uncovered a sophisticated malware campaign called Deep#Door. Threat actors employed a stealthy Python-based backdoor that uses a surprisingly simple delivery method to achieve deep, persistent access on Windows systems. What makes the campaign stand out is not just what it can do, but how cleverly it avoids being caught doing it.
“Unlike traditional malware loaders that rely on external payload downloads, Deep#Door embeds its Python implant directly inside the dropper script and reconstructs it in-memory and on disk during execution.” reads the report published by Securonix. “The implant then establishes communication with attacker infrastructure hosted on bore[.]pub, a publicly available TCP tunneling service, enabling stealthy remote access without exposing dedicated C2 servers.”
The attack chain starts with a single batch file: install_obf.bat. When executed, this script reads itself, literally parsing its own contents to extract a hidden Python payload embedded directly inside the script. The extracted file, svc.py, is then written quietly to %LOCALAPPDATA%\SystemServices, a folder name deliberately chosen to blend in with legitimate Windows components.

This self-referential technique is a key reason the malware is hard to catch early. There are no suspicious downloads, no external URLs being contacted at the staging phase, and no compiled executables to flag. It’s all happening within a script that looks, at first glance, like a routine maintenance tool.
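Because the staging phase involves no download and no compiled binary, the only artefact a defender has at that point is the batch file itself. The following is an added triage script, written for this article and not part of the Securonix report or the malware, that scores a batch file against the behaviours described above: a reference to its own path (the `%0` / `%~f0` form a self-reading script needs), a long base64-like run carried inline, the `%LOCALAPPDATA%\SystemServices` staging folder, the `svc.py` drop name, Defender tampering, and a reference to the `bore.pub` tunnelling service (the article writes it defanged as `bore[.]pub`; the regex matches the undefanged form a real script would contain). The indicator names, weights and threshold are my own choices, and both input samples are constructed fixtures, not the real install_obf.bat.

```python
"""Heuristic triage of batch files for an embedded, self-extracted payload."""
import re
from typing import Dict, List

# Indicator name -> (pattern, weight). Labels and weights are my own choices
# (assumption); the strings come from the behaviours the article describes.
INDICATORS = {
    # the script refers to its own path (%0, %~f0, %~dpnx0): needed to read itself
    "self_reference": (re.compile(r"%(~[fdpnxsatz]*)?0\b"), 2),
    # a 200+ character base64-like run on one line: payload carried inside the script
    "embedded_blob": (re.compile(r"[A-Za-z0-9+/=]{200,}"), 3),
    # staging directory named in the report (backslash optional, as extractors drop it)
    "staging_dir": (re.compile(r"%LOCALAPPDATA%\\?SystemServices", re.I), 2),
    # name of the dropped Python implant
    "python_drop": (re.compile(r"\bsvc\.py\b", re.I), 1),
    # Defender tampering through the PowerShell preference cmdlet / property
    "defender_tamper": (re.compile(r"Set-MpPreference|DisableRealtimeMonitoring", re.I), 3),
    # public TCP tunnelling service used instead of a dedicated C2 host
    "tunnel_service": (re.compile(r"\bbore\.pub\b", re.I), 3),
}


def scan_batch(text: str) -> Dict[str, List[int]]:
    """Return indicator -> 1-based line numbers on which it fires."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, (pattern, _weight) in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def triage(text: str, threshold: int = 5) -> dict:
    """Score a batch file; the self-read + inline blob pair is the staging pattern itself."""
    hits = scan_batch(text)
    score = sum(INDICATORS[name][1] for name in hits)
    self_extracting = "self_reference" in hits and "embedded_blob" in hits
    verdict = "suspicious" if self_extracting or score >= threshold else "likely benign"
    return {"score": score, "self_extracting": self_extracting,
            "verdict": verdict, "hits": hits}


# Constructed fixture: shows the indicators without being a working dropper.
CONSTRUCTED_SUSPECT = "\n".join([
    "@echo off",
    ":: constructed test fixture, not the real install_obf.bat",
    'set "SELF=%~f0"',
    'mkdir "%LOCALAPPDATA%\\SystemServices" 2>nul',
    ":: " + "QUJD" * 60,
])

# Constructed fixture: an ordinary clean-up script that should not be flagged.
CONSTRUCTED_BENIGN = "\n".join([
    "@echo off",
    "echo Cleaning temp files",
    'del /q "%TEMP%\\*.log"',
    "echo done",
])


if __name__ == "__main__":
    for label, sample in (("suspect", CONSTRUCTED_SUSPECT), ("benign", CONSTRUCTED_BENIGN)):
        result = triage(sample)
        print(f"{label}: {result['verdict']} (score {result['score']}) hits={result['hits']}")
```

Run over a directory of .bat files this gives a ranked list rather than a verdict; the pair rule (`self_reference` together with `embedded_blob`) is the one worth alerting on outright, since a maintenance script has no reason to both read its own file and carry a kilobyte of base64.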
Before doing anything else, the loader systematically dismantles the host’s defenses: Windows Defender is disabled,…