{"id":238192,"date":"2026-05-02T05:04:00","date_gmt":"2026-05-02T09:04:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/02\/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows\/"},"modified":"2026-05-02T07:55:12","modified_gmt":"2026-05-02T11:55:12","slug":"new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/02\/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows\/","title":{"rendered":"New Deep#Door RAT uses stealth and persistence to target Windows"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/191567\/malware\/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html\">New Deep#Door RAT uses stealth and persistence to target Windows<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/191567\/malware\/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html\">https:\/\/securityaffairs.com\/191567\/malware\/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-02 05:04:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>New Deep#Door RAT uses stealth and persistence to target Windows<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> May 02, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png?fit=1600%2C951&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP 
tunnel.<\/h2>\n<p>Security researchers at Securonix uncovered a sophisticated malware campaign called <strong>Deep#Door<\/strong>. Threat actors employed a stealthy Python-based backdoor that uses a surprisingly simple delivery method to achieve deep, persistent access on Windows systems. What makes the campaign stand out is not just what it can do, but how cleverly it avoids being caught doing it.<\/p>\n<p>\u201cUnlike traditional malware loaders that rely on external payload downloads, Deep#Door embeds its Python implant directly inside the dropper script and reconstructs it in-memory and on disk during execution,\u201d reads the <strong>report<\/strong> published by Securonix. \u201cThe implant then establishes communication with attacker infrastructure hosted on bore[.]pub, a publicly available TCP tunneling service, enabling stealthy remote access without exposing dedicated C2 servers.\u201d<\/p>\n<p>The attack chain starts with a single batch file: install_obf.bat. When executed, this script reads itself, literally parsing its own contents to extract a hidden Python payload embedded directly inside the script. 
The extracted file, svc.py, is then written quietly to %LOCALAPPDATA%SystemServices, a folder name deliberately chosen to blend in with legitimate Windows components.<\/p>\n<p><img data-recalc-dims=\"1\" fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"609\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png?resize=1024%2C609&#038;ssl=1\" alt=\"\" class=\"wp-image-191577\" srcset=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png?resize=1024%2C609&#038;ssl=1 1024w, https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png?resize=300%2C178&#038;ssl=1 300w, https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png?resize=768%2C456&#038;ssl=1 768w, https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png?resize=1536%2C913&#038;ssl=1 1536w, https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png?w=1600&#038;ssl=1 1600w\" sizes=\"(max-width: 1000px) 100vw, 1000px\"\/><\/p>\n<p>This self-referential technique is a key reason the malware is hard to catch early. There are no suspicious downloads, no external URLs being contacted at the staging phase, and no compiled executables to flag. 
It\u2019s all happening within a script that looks, at first glance, like a routine maintenance tool.<\/p>\n<p>Before doing anything else, the loader systematically dismantles the host\u2019s defenses: Windows Defender is disabled,&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/191567\/malware\/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Deep#Door RAT uses stealth and persistence to target Windows https:\/\/securityaffairs.com\/191567\/malware\/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html Publish Date: 2026-05-02 05:04:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":238193,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-4.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32],"class_list":["post-238192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238192"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=238192"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238192\/revisions"}],"predecessor-version":[{"id":238194,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238192\/revisions\/238194"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/w
p\/v2\/media\/238193"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=238192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=238192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=238192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}