Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts.

"The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

It's assessed that the batch script is distributed via traditional approaches like phishing. It's currently not known how widespread attacks distributing the malware are, and if any of those infections have been successful.

"Based on our current analysis, there is no clear evidence to suggest that this malware framework was widely used in large-scale or highly active campaigns," Gaikwad, senior security research engineer at Securonix, told The Hacker News via email. "Its observed usage appears to be limited and somewhat targeted rather than broadly distributed."

"At this stage, we have not identified consistent indicators pointing to specific geographies or industry sectors being systematically targeted. However, given the modular nature of the framework, it is possible that different threat actors could adapt it for varied use cases over time."

What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from where it's extracted, reconstructed, and executed. This reduces the need for repeatedly having to reach out to external infrastructure and minimizes the forensic footprint.

Once launched, the malware establishes communication with "bore[.]pub," a Rust-based tunneling service, allowing the operator to issue commands that facilitate remote command execution and extensive surveillance.