By Lyrie Threat Intelligence·5/1/2026

The Invisible RAT: DEEP#DOOR Python Backdoor Weaponizes Public Tunneling Services to Steal Cloud Credentials

TL;DR

Securonix researchers have disclosed DEEP#DOOR, a stealthy Python-based remote access trojan (RAT) whose entire payload is embedded in a batch script dropper. It uses bore.pub, the public relay for the open-source Rust tunneling tool bore, for command-and-control, and systematically pillages browser credentials, SSH keys and locally stored cloud provider credentials (AWS, GCP, Azure) while tampering with Windows security controls. Distributed via phishing, the malware shrinks its forensic footprint by extracting and executing its Python implant directly from the dropper, with no second-stage download.

What Happened

Cybersecurity researchers at Securonix published a technical analysis of a novel Python backdoor framework called DEEP#DOOR that demonstrates sophisticated use of legitimate infrastructure and native Windows capabilities to establish long-term persistence while stealing sensitive credentials.

The intrusion chain begins with a batch script (install_obf.bat) distributed via phishing. This script:

1. Disables Windows security controls

2. Dynamically extracts an embedded Python payload (svc.py) directly from its own source

3. Establishes persistence through multiple mechanisms: Startup folder scripts, Registry Run keys, scheduled tasks, and optional WMI subscriptions

4. Launches a watchdog mechanism that automatically recreates persistence artifacts if they're removed

Once the Python RAT is running, it connects to bore.pub, the public relay for bore, an open-source Rust tunneling tool built for legitimate port forwarding, which the attacker repurposes as the command-and-control (C2) channel. A bore client opens an outbound connection to the relay, which allocates a public port on bore.pub and forwards whatever arrives there back to the client; the implant therefore only ever talks outbound to bore.pub, and the operator simply connects to the allocated port. This removes the need for attacker-owned infrastructure and hides the traffic among other users of the same relay.

The malware then performs extensive surveillance and credential theft:

  • Credential harvesting: Chrome, Firefox, Windows Credential Manager
  • Cloud credentials: AWS, Google Cloud Platform, Microsoft Azure credentials stored locally
  • Remote access: Reverse shell, system reconnaissance, keylogging
  • Surveillance: Clipboard monitoring, screenshot capture, webcam access, ambient audio recording
  • Lateral movement support: SSH key extraction

Technical Details

The Embedded Payload Design

What makes DEEP#DOOR noteworthy is that the Python RAT is carried entirely inside the dropper batch script. At runtime the dropper extracts and reconstructs the Python code from its own body and hands it to the interpreter, so there is no secondary download for a proxy or network sensor to catch, no separately delivered payload to land in quarantine, and only the bore.pub connection to observe during the initial compromise. "Fileless" is relative here: the dropper itself still arrives on disk, the persistence artifacts it creates are files and registry values, and a Python interpreter, whether already installed or supplied with the dropper, has to execute the implant. Those are the places to look.

Defense Evasion Mechanisms

DEEP#DOOR incorporates comprehensive anti-analysis and defense-evasion capabilities:

  • Windows Security tampering: Direct AMSI patching, ETW (Event Tracing for Windows) patching, NTDLL unhooking, Microsoft Defender tampering
  • SmartScreen bypass
  • PowerShell logging suppression
  • Command-line wiping
  • Timestamp stomping and log clearing
  • Sandbox detection, debugger detection, VM detection

These mechanisms are specifically designed to complicate incident response and evade modern detection tools.

Persistence Watchdog

Unlike most malware that sets its persistence and moves on, DEEP#DOOR runs a watchdog that checks whether its persistence mechanisms (Startup scripts, Registry keys, scheduled tasks) still exist and recreates any that security tools or an administrator remove. Deleting artifacts one at a time therefore achieves nothing while the watchdog process is alive; remediation has to start with the process, not the artifacts.
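The two behaviours this section describes, a burst of persistence artifacts created together and an artifact recreated shortly after it was removed, are what a detection should key on. The following is an added example, not code from the original page, from Securonix's analysis, or from the malware: a small correlation over constructed Sysmon-style events. The hostnames, PIDs, paths, process names and time windows are all assumed for illustration.

```python
"""Correlate persistence-related endpoint telemetry to flag (a) several
persistence mechanisms created in one short burst and (b) an artifact that
comes back shortly after removal, which is the watchdog's signature."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Substrings (matched case-insensitively) that identify the persistence
# locations named in the writeup. Adjust to your telemetry's path formats.
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEY = "\\currentversion\\run\\"
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)')


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    pid: int
    image: str
    kind: str    # ProcessCreate | FileCreate | FileDelete | RegistryValueSet | RegistryValueDelete
    target: str  # file path, registry value path, or command line


def persistence_action(ev: Event) -> tuple[str, str, str] | None:
    """Map an event to (mechanism, artifact identity, 'create'|'delete'), or None."""
    t = ev.target.lower()
    if ev.kind in ("FileCreate", "FileDelete") and STARTUP_DIR in t:
        return ("startup_folder", t, "create" if ev.kind == "FileCreate" else "delete")
    if ev.kind in ("RegistryValueSet", "RegistryValueDelete") and RUN_KEY in t:
        return ("run_key", t, "create" if ev.kind == "RegistryValueSet" else "delete")
    if ev.kind == "ProcessCreate" and "schtasks" in t:
        m = TASK_NAME.search(t)
        if m and "/create" in t:
            return ("scheduled_task", "task:" + m.group(1), "create")
        if m and "/delete" in t:
            return ("scheduled_task", "task:" + m.group(1), "delete")
    return None


def detect(events, burst_window=timedelta(seconds=120), respawn_window=timedelta(seconds=60)):
    alerts = []
    creates = []        # (Event, mechanism) for every persistence creation seen
    last_delete = {}    # (host, artifact identity) -> Event that removed it
    burst_alerted = {}  # host -> time of last burst alert (one alert per burst)
    for ev in sorted(events, key=lambda e: e.ts):
        hit = persistence_action(ev)
        if hit is None:
            continue
        mech, ident, action = hit
        if action == "delete":
            last_delete[(ev.host, ident)] = ev
            continue
        # Watchdog: the same artifact returns within the window, written by a
        # different process than the one that removed it.
        removed = last_delete.get((ev.host, ident))
        if removed and ev.ts - removed.ts <= respawn_window and ev.pid != removed.pid:
            alerts.append({"rule": "persistence_respawn", "host": ev.host, "mechanism": mech,
                           "artifact": ident, "removed_by": removed.image,
                           "recreated_by": ev.image,
                           "seconds": (ev.ts - removed.ts).total_seconds()})
        creates.append((ev, mech))
        # Burst: two or more distinct mechanisms on one host inside the window.
        recent = [(e, m) for e, m in creates if e.host == ev.host and ev.ts - e.ts <= burst_window]
        mechs = sorted({m for _, m in recent})
        last = burst_alerted.get(ev.host)
        if len(mechs) >= 2 and (last is None or ev.ts - last > burst_window):
            burst_alerted[ev.host] = ev.ts
            alerts.append({"rule": "persistence_burst", "host": ev.host, "mechanisms": mechs,
                           "images": sorted({e.image for e, _ in recent}),
                           "pids": sorted({e.pid for e, _ in recent})})
    return alerts


T0 = datetime(2026, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    Event(T0, "ws01", 4120, "cmd.exe", "ProcessCreate",
          r'cmd.exe /c "C:\Users\alice\Downloads\install_obf.bat"'),
    Event(T0 + timedelta(seconds=2), "ws01", 4120, "cmd.exe", "FileCreate",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.bat"),
    Event(T0 + timedelta(seconds=3), "ws01", 4120, "cmd.exe", "RegistryValueSet",
          r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(T0 + timedelta(seconds=4), "ws01", 4131, "schtasks.exe", "ProcessCreate",
          r'schtasks.exe /create /tn "svc" /sc onlogon /tr "C:\Users\alice\AppData\Roaming\svc.bat"'),
    # An hour later an administrator deletes the Run value; python.exe puts it back.
    Event(T0 + timedelta(seconds=3600), "ws01", 7001, "regedit.exe", "RegistryValueDelete",
          r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(T0 + timedelta(seconds=3612), "ws01", 4150, "python.exe", "RegistryValueSet",
          r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    # Benign: a user drops a single shortcut into Startup on another host.
    Event(T0 + timedelta(seconds=7200), "ws02", 2210, "explorer.exe", "FileCreate",
          r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream this produces one burst alert for ws01 (Startup file plus Run key within seconds of the batch file launching) and one respawn alert when python.exe rewrites the Run value twelve seconds after regedit.exe deleted it; the lone shortcut on ws02 stays silent. The respawn rule is the more valuable one: it requires no knowledge of the malware, only that something you removed came back.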

Public Tunneling Service as C2

The use of bore.pub (the public relay of a legitimate, open-source Rust tunneling tool) as the C2 channel is operationally clever:

  • No infrastructure cost: the attacker doesn't need to register domains or maintain servers
  • Blends with legitimate traffic: defenders must distinguish sanctioned tunnel users from malicious ones on the same relay
  • No attacker-owned indicators in the payload: the only endpoint the implant needs is the public relay, so there is no hardcoded attacker IP or domain to extract and share
  • Weakens DNS/IP-based detection: blocklists built from attacker infrastructure never fire. What remains detectable is the relay's own domain (bore.pub) and, unless the operator changed it, bore's default control port (TCP 7835), which is exactly why egress policy matters
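Because connection logs carry IPs rather than names, catching relay traffic means joining DNS answers for the relay domain back onto the flows. The following is an added example, not code from the original page or from Securonix: it performs that join over constructed Zeek-style DNS and connection records and flags hosts that are not approved to use a given relay. The IPs are from documentation ranges, not the relay's real addresses; the allowlist, hostnames and the inclusion of ngrok.io as a second relay are assumptions for illustration, and the 7835 control-port check assumes the operator kept bore's default.

```python
"""Join DNS answers to connection records to surface hosts that talk to public
tunneling relays, and single out the bore control-port pattern."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Relay domains to watch: bore.pub is named in the writeup; ngrok.io is a second
# well-known relay added for illustration. Subdomains match as well.
TUNNEL_DOMAINS = ("bore.pub", "ngrok.io")
BORE_CONTROL_PORT = 7835  # bore's default control port; an operator can change it
# Hosts permitted to use a given relay (constructed allowlist for this example).
APPROVED = {("dev-build-07", "ngrok.io")}


@dataclass(frozen=True)
class DnsAnswer:
    ts: datetime
    host: str
    query: str
    answer: str   # an IP for A/AAAA records, a name for CNAMEs


@dataclass(frozen=True)
class Conn:
    ts: datetime
    host: str
    dst_ip: str
    dst_port: int
    duration_s: float
    orig_bytes: int


def relay_domain(name: str) -> str | None:
    """Return the watched relay domain that `name` is or belongs to, else None."""
    name = name.lower().rstrip(".")
    for d in TUNNEL_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def ip_to_relay(dns: list[DnsAnswer]) -> dict[str, str]:
    """Map resolved IPs back to the relay domain that was queried."""
    mapping = {}
    for rec in dns:
        d = relay_domain(rec.query)
        if d is None:
            continue
        try:
            ip_address(rec.answer)  # skip CNAME answers, keep address records
        except ValueError:
            continue
        mapping[rec.answer] = d
    return mapping


def detect(dns: list[DnsAnswer], conns: list[Conn]) -> list[dict]:
    resolved = ip_to_relay(dns)
    stats = defaultdict(lambda: {"connections": 0, "bytes_out": 0,
                                 "longest_s": 0.0, "control_port": False})
    for c in conns:
        relay = resolved.get(c.dst_ip)
        if relay is None:
            continue
        s = stats[(c.host, relay)]
        s["connections"] += 1
        s["bytes_out"] += c.orig_bytes
        s["longest_s"] = max(s["longest_s"], c.duration_s)
        # A bore client keeps one long-lived control connection and opens a
        # fresh connection to the same port for every proxied stream.
        if relay == "bore.pub" and c.dst_port == BORE_CONTROL_PORT:
            s["control_port"] = True
    alerts = []
    for (host, relay), s in sorted(stats.items()):
        if (host, relay) in APPROVED:
            continue
        alerts.append({"host": host, "relay": relay, **s})
    return alerts


T0 = datetime(2026, 5, 1, 9, 5, 0)
SAMPLE_DNS = [  # constructed; documentation-range IPs, not the relay's real addresses
    DnsAnswer(T0, "ws01", "bore.pub", "203.0.113.10"),
    DnsAnswer(T0 + timedelta(minutes=1), "dev-build-07", "tunnel.ngrok.io", "203.0.113.55"),
    DnsAnswer(T0 + timedelta(minutes=2), "ws02", "www.example.com", "198.51.100.20"),
]
SAMPLE_CONNS = [  # constructed: one long control session plus two short proxied streams
    Conn(T0 + timedelta(seconds=1), "ws01", "203.0.113.10", 7835, 5400.0, 120_000),
    Conn(T0 + timedelta(minutes=20), "ws01", "203.0.113.10", 7835, 3.2, 800),
    Conn(T0 + timedelta(minutes=41), "ws01", "203.0.113.10", 7835, 2.9, 640),
    Conn(T0 + timedelta(minutes=1), "dev-build-07", "203.0.113.55", 443, 900.0, 40_000),
    Conn(T0 + timedelta(minutes=2), "ws02", "198.51.100.20", 443, 1.1, 2_000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_DNS, SAMPLE_CONNS):
        print(alert)
```

Only ws01 is reported: the approved build host's ngrok session is suppressed and ws02 never resolved a relay. The per-host allowlist is the point of the exercise; a domain-wide allow for "developer tooling" is what lets this C2 channel through.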

Lyrie Assessment

Why Lyrie's Audience Should Care

1. Credential Theft at Scale

This malware specifically targets cloud provider credentials (AWS, GCP, Azure) stored on Windows machines. In a world of autonomous defense and agentic AI, stolen cloud credentials are gold—they enable lateral movement, supply chain compromise, and infrastructure takeover. Lyrie defenders need to assume credentials will be harvested and design identity controls that survive credential compromise.

2. The Tunneling Service Blind Spot

Public tunneling services (bore, ngrok and the like) have legitimate users and are often allowlisted or ignored by security tooling. DEEP#DOOR's use of bore.pub shows how attackers exploit infrastructure that defenders assume is safe. This is an allowlisting problem: a service that is legitimate for one developer is a C2 channel for everyone else, so the allow decision has to be made per host and per use, not per domain.

3. Embedded Payload = Reduced Forensic Window

The embedded-payload design shrinks the window in which forensic evidence accumulates. By the time DEEP#DOOR is detected, the damage (credential harvesting, SSH key extraction) is likely already done, because the stealer runs as soon as the implant starts. That pre-detection dwell time is the Lyrie problem: autonomous detection and response have to operate in that space, not after a signature arrives.

4. Autonomous Remediation Challenges

The watchdog means automated remediation that only deletes Startup scripts or clears Registry keys will not work; the watchdog recreates whatever is removed. Remediation has to be ordered: identify and terminate the implant and watchdog processes (and disable any scheduled task or WMI subscription that would relaunch them), then remove the persistence artifacts, then re-check after a few minutes that nothing has come back. Where that order cannot be guaranteed, isolate the host from the network first so that, at minimum, the C2 channel and exfiltration stop.

5. No CVE, No Patch Window

This is malware, not a vulnerability in commercial software. There's no patch cycle to lean on. Defenders must detect behavioral patterns—excessive credential access, suspicious tunneling service communications, AMSI patching attempts—at runtime.

Threat Alignment

  • Attack surface: Windows systems with internet access (ubiquitous)
  • Initial access: Phishing (human factor still dominates)
  • Dwell time: Unknown (estimated 16-48 hours typical for this class)
  • Exfiltration: Cloud credentials enable supply-chain or lateral pivot
  • Autonomous implications: Once cloud credentials are stolen, attackers can deploy automated lateral movement or infrastructure manipulation

Recommended Actions

1. Credential use monitoring: Watch cloud audit logs (for example AWS CloudTrail, GCP Cloud Audit Logs, Azure sign-in and activity logs) for long-lived keys or refresh tokens being used from new source IPs, geographies or user agents, and for enumeration calls (listing buckets, roles, projects) shortly after a workstation is phished. Prefer short-lived credentials so that anything stolen from disk expires on its own.

2. Tunneling service egress controls: Monitor for outbound traffic to public tunneling services (bore.pub, ngrok, etc.). Whitelist legitimate uses or block entirely if not required.

3. AMSI/ETW detection: Implement kernel-level protections or memory-scanning EDR that can detect AMSI patching attempts, ETW disabling, or NTDLL unhooking.

4. Privileged credential isolation: Do not keep long-lived cloud provider keys on workstations at all. Files such as ~/.aws/credentials, the gcloud application default credentials and the Azure CLI token cache are exactly what this class of stealer reads, so use SSO and short-lived session credentials, keep any unavoidable long-lived secrets in a vault that is unlocked per use rather than in browser password managers or Windows Credential Manager, and inventory workstations for stray key files so they can be rotated.

5. Behavioral detection: Monitor for batch script execution with embedded Python, Startup folder modifications, and Registry Run key creation in the same time window.

6. Incident response preparedness: Assume credentials are compromised during phishing campaigns. Have credential rotation and cloud API key revocation procedures ready within 1-hour windows.
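Rotation (action 6) and credential isolation (action 4) both start with knowing which long-lived cloud secrets are sitting in user home directories. The following is an added example, not code from the original page or from Securonix: an inventory that reads the AWS credentials file, the gcloud application default credentials, any downloaded GCP service-account key file and the Azure CLI token cache, and marks which entries are long-lived. It runs against a constructed fake home directory built by `build_sample_home()`; the Windows %APPDATA% gcloud location and the JSON name of the Azure cache (newer Windows CLI builds use an encrypted .bin) are assumptions, and all secret values are placeholders.

```python
"""Inventory long-lived cloud credentials in a home directory: the files a
stealer like DEEP#DOOR reads, and therefore the ones to rotate first."""
from __future__ import annotations

import configparser
import json
import tempfile
from pathlib import Path

ADC_NAME = "application_default_credentials.json"


def _load_json(path: Path) -> dict | None:
    """Parse a JSON object from `path`; None if missing, unreadable or not an object."""
    try:
        with path.open(encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def _finding(provider: str, path: Path, item: str, long_lived: bool) -> dict:
    return {"provider": provider, "path": str(path), "item": item, "long_lived": long_lived}


def inventory(home: Path) -> list[dict]:
    findings = []
    # AWS: every profile in ~/.aws/credentials. AKIA-prefixed key IDs are long-term
    # IAM user keys; ASIA-prefixed ones are temporary STS keys that expire on their own.
    creds = home / ".aws" / "credentials"
    if creds.is_file():
        cp = configparser.ConfigParser()
        cp.read(creds)
        for profile in cp.sections():
            key_id = cp[profile].get("aws_access_key_id", "")
            if key_id:
                findings.append(_finding("aws", creds, f"profile [{profile}]", key_id.startswith("AKIA")))
    # GCP user credentials: the gcloud ADC file carries a refresh token that does not
    # expire by itself. Unix and (assumed) Windows %APPDATA% locations are both checked.
    for adc in (home / ".config" / "gcloud" / ADC_NAME,
                home / "AppData" / "Roaming" / "gcloud" / ADC_NAME):
        data = _load_json(adc)
        if data and data.get("type") == "authorized_user":
            findings.append(_finding("gcp", adc, "application default credentials", "refresh_token" in data))
    # GCP service-account key files can be downloaded anywhere under the profile
    # and are long-lived by design.
    for path in home.rglob("*.json"):
        data = _load_json(path)
        if data and data.get("type") == "service_account" and "private_key" in data:
            findings.append(_finding("gcp", path, f"service account key for {data.get('client_email', '?')}", True))
    # Azure CLI: the MSAL token cache holds refresh tokens. The JSON file name is the
    # Unix default; newer Windows CLI builds use a DPAPI-encrypted .bin (assumption).
    cache = home / ".azure" / "msal_token_cache.json"
    data = _load_json(cache)
    if data is not None:
        findings.append(_finding("azure", cache, "Azure CLI token cache", bool(data.get("RefreshToken"))))
    return findings


def build_sample_home() -> Path:
    """Constructed fixture: a fake home directory with the credential files this
    inventory looks for. Every value is a placeholder, not a real secret."""
    home = Path(tempfile.mkdtemp(prefix="fakehome-"))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n\n"
        "[sso-temp]\naws_access_key_id = ASIAEXAMPLETEMPKEY00\n"
        "aws_secret_access_key = placeholder\naws_session_token = placeholder\n")
    gcloud = home / ".config" / "gcloud"
    gcloud.mkdir(parents=True)
    (gcloud / ADC_NAME).write_text(json.dumps({
        "type": "authorized_user", "client_id": "placeholder",
        "client_secret": "placeholder", "refresh_token": "placeholder"}))
    downloads = home / "Downloads"
    downloads.mkdir()
    (downloads / "ci-deployer-key.json").write_text(json.dumps({
        "type": "service_account", "client_email": "ci@example.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}))
    (home / ".azure").mkdir()
    (home / ".azure" / "msal_token_cache.json").write_text(json.dumps({
        "AccessToken": {}, "RefreshToken": {"entry": {"secret": "placeholder"}}, "Account": {}}))
    return home


if __name__ == "__main__":
    for f in inventory(build_sample_home()):
        flag = "ROTATE" if f["long_lived"] else "temporary"
        print(f"{flag:9} {f['provider']:5} {f['item']}  ({f['path']})")
```

Against the fixture the inventory reports five credential locations, four of them long-lived; only the ASIA-prefixed SSO profile is temporary. Pointed at `Path.home()` on a real workstation, the long-lived rows are the rotation list to have ready before the phishing wave rather than after it.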

Sources

1. Securonix: DEEP#DOOR Python Backdoor and Credential Stealer Analysis

2. The Hacker News: New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

3. Aviatrix Threat Research: DEEP#DOOR Python Backdoor Evades Detection Using Tunneling Services


Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.