
News

DEEP#DOOR Backdoor Steals Browser & Cloud Credentials

A new Python-based backdoor called DEEP#DOOR uses tunneling to silently steal browser passwords and cloud credentials. Here's what your business must do now.


What Happened

Cybersecurity researchers have uncovered a Python-based malware framework dubbed DEEP#DOOR: a stealthy backdoor built to establish a persistent foothold on Windows systems while harvesting credentials from browsers and cloud platforms. The findings were reported by The Hacker News on April 30, 2026.

The attack chain begins with a batch script named install_obf.bat, a file that, judging by its name, is meant to pass as a legitimate software installer or deployment tool. Once executed, it disables Windows security controls before extracting and launching its Python-based payload. What makes DEEP#DOOR particularly dangerous is its use of a tunneling service for command-and-control (C2). Tunneling services of this kind work by having the infected host open an outbound connection to the provider, which then relays the operator's traffic back in, so the C2 channel looks like ordinary encrypted web traffic to a reputable destination. Egress rules and basic network monitoring that only look for unusual destination ports or unknown protocols will typically let it through.

The malware is engineered to harvest a broad range of sensitive data — saved browser credentials (usernames, passwords, session cookies), cloud service tokens, and potentially authentication artifacts used by platforms like AWS, Azure, Google Cloud, and SaaS applications that employees access daily.

Why This Matters for Your Organization

For healthcare practices, tax firms, and small businesses, this threat profile is especially alarming for three reasons.

1. The entry point is deceptively mundane. A batch file named to look like a software installation routine is exactly the kind of file that gets forwarded in an internal email, dropped into a shared drive by a vendor, or bundled with a pirated utility. Employees — including IT staff — can be fooled into running it. If your organization allows unrestricted script execution on endpoints, DEEP#DOOR has a clear path in.

2. Disabling Windows security controls is the first move. In a properly configured endpoint detection environment, a script turning off Defender or firewall settings should trigger an immediate alert. That this step succeeds on compromised hosts tells you those hosts lacked adequate endpoint protection (tamper protection off, no EDR), or the user was running with local administrator rights, a common problem in small and mid-size environments where admin access is handed out for convenience. Most Defender and firewall settings cannot be changed from a standard user account without a UAC elevation prompt.

3. Tunneling hides the exfiltration. Traditional perimeter defenses, firewalls and basic DNS filtering, often miss tunneled traffic because it rides on allowed protocols such as HTTPS to a reputable provider. Once credentials and tokens have left through the tunnel, attackers can log into your cloud environment, email platform, or patient/client portals with valid credentials on the first try, so nothing that watches for failed logins or password guessing will fire. In regulated industries, that unauthorized access is treated as a reportable breach under HIPAA, the data-security obligations for tax preparers summarized in IRS Publication 4557, and state-level privacy laws.
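The behavioral detection that points 2 and 3 call for can be expressed as a handful of rules over process-creation telemetry. The following is an added example written for this article; it is not code from the researchers' report or from the malware itself. The event records, file paths, the "tunnel.exe" name and the rule thresholds are all assumed for illustration (the article does not name the tunneling service). It takes Sysmon-style process-creation events (pid, parent pid, image path, command line), tags each one with indicators, and raises severity when an indicator appears anywhere in a process tree that started from a batch file in a user-writable folder.

```python
"""Added example: behavioral rules over process-creation events.

Not code from the DEEP#DOOR report. Event records, paths and tool names
below are constructed for illustration.
"""
import re

# Constructed sample telemetry (Sysmon Event ID 1 style: pid, parent pid,
# image path, command line). The tree shape follows the article: a batch
# file in Downloads spawns a Defender-disabling PowerShell command, a
# dropped Python runtime, and a tunneling client. "tunnel.exe" is an
# assumed name; the article does not name the tunneling service.
SAMPLE_EVENTS = [
    {"pid": 4012, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 5100, "ppid": 4012, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\jdoe\Downloads\install_obf.bat"'},
    {"pid": 5120, "ppid": 5100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -c Set-MpPreference "
            "-DisableRealtimeMonitoring $true"},
    {"pid": 5140, "ppid": 5100,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\py\python.exe",
     "cmd": r"python.exe C:\Users\jdoe\AppData\Local\Temp\py\loader.py"},
    {"pid": 5160, "ppid": 5140,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\tunnel.exe",
     "cmd": "tunnel.exe tcp 4444"},
    {"pid": 6000, "ppid": 4012, "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmd": "git.exe pull"},
]

# Command-line patterns that turn off Defender or the Windows firewall.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|DisableRealtimeMonitoring|DisableAntiSpyware"
    r"|\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b"
    r"|advfirewall\s+set\s+\w+\s+state\s+off",
    re.IGNORECASE,
)
# User-writable locations from which installers and scripts rarely run legitimately.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop|Documents)\\|\\Temp\\",
    re.IGNORECASE,
)
BATCH_FILE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
# Assumed list of tunneling clients; extend it with whatever your
# environment never runs legitimately.
TUNNEL_TOOLS = {"ngrok.exe", "cloudflared.exe", "frpc.exe", "bore.exe", "tunnel.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tag_event(ev):
    """Return the indicator tags that apply to a single event."""
    tags = []
    image = basename(ev["image"])
    cmd = ev["cmd"]
    if image == "cmd.exe" and BATCH_FILE.search(cmd) and USER_WRITABLE.search(cmd):
        tags.append("batch_from_user_dir")
    if DEFENDER_TAMPER.search(cmd):
        tags.append("defender_tamper")
    if image in ("python.exe", "pythonw.exe") and USER_WRITABLE.search(ev["image"]):
        tags.append("python_from_user_dir")
    if image in TUNNEL_TOOLS:
        tags.append("tunnel_tool")
    return tags


def ancestry(by_pid, pid):
    """Return [pid, parent, grandparent, ...] as far as the telemetry goes."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    """Tag every event, then escalate tags seen inside a batch-launched tree."""
    by_pid = {ev["pid"]: ev for ev in events}
    tags = {ev["pid"]: tag_event(ev) for ev in events}
    alerts = []
    for ev in events:
        own = tags[ev["pid"]]
        if not own:
            continue
        tree_tags = set()
        for pid in ancestry(by_pid, ev["pid"]):
            tree_tags.update(tags[pid])
        # A second indicator anywhere in a tree rooted in a batch file is
        # the chain the article describes, not a one-off oddity.
        high = "batch_from_user_dir" in tree_tags and len(tree_tags) >= 2
        alerts.append({
            "pid": ev["pid"],
            "image": basename(ev["image"]),
            "tags": own,
            "tree_tags": sorted(tree_tags),
            "severity": "high" if high else "medium",
        })
    return alerts


def severities(events):
    """Map pid -> severity for the events that raised an alert."""
    return {a["pid"]: a["severity"] for a in analyze(events)}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample tree, the cmd.exe that launched the batch file alone rates only "medium"; the PowerShell tamper command, the Python runtime in Temp, and the tunnel client all become "high" because their ancestry leads back to that batch file. A real EDR evaluates the same kind of parent-child context, which is why it catches obfuscated payloads that a signature scan of install_obf.bat never would.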

The Credential Theft Problem Is Compounding

Browser-stored credentials are among the most underestimated risks in small business environments. Employees routinely save passwords for banking portals, payroll systems, EHR platforms, and cloud storage in Chrome, Edge, or Firefox — and many have never been told this creates a local credential store that malware can scrape in seconds. DEEP#DOOR appears purpose-built to do exactly that at scale.

Cloud token theft adds a second layer of exposure. A stolen OAuth token or cloud API key doesn't require a password: it grants direct API access, and a long-lived API key or refresh token commonly keeps working after the user changes their password unless the administrator also revokes that user's sessions and tokens. Attackers holding cloud tokens can exfiltrate files, spin up infrastructure for further attacks, or pivot laterally through integrated SaaS platforms before anyone notices.

Key Takeaway

DEEP#DOOR demonstrates that Python-based malware delivered via batch scripts is now capable of disabling your defenses, hiding its traffic, and walking out with every browser-saved password and cloud token on a machine — all before a standard antivirus scan catches it. If your endpoints run with local admin rights and your staff can freely execute .bat files, your credential environment is at serious risk right now.

Practical Steps to Take Now

You don't need enterprise-scale infrastructure to defend against DEEP#DOOR-style attacks. These are the highest-impact actions for practices and small businesses:

  • Remove local administrator rights from standard user accounts. This single control would stop the malware from disabling Windows security features on most endpoints, because a standard user cannot change system-level security settings without a UAC elevation prompt. It does not stop the credential harvesting itself: browser password stores and cloud CLI tokens live in the user's own profile and are readable at the user's privilege level, so this control needs to be paired with the ones below.
  • Block or restrict execution of batch (.bat, .cmd) and other script files via Group Policy or endpoint controls. If your users have no legitimate reason to run batch scripts, block them. Application control (AppLocker script rules, Windows Defender Application Control, or a third-party EDR's script control) can enforce this without disrupting normal workflows, and the same policy can deny unsigned executables launched from user-writable folders such as Downloads and Temp, which is where a dropped runtime would land.
  • Stop storing passwords in browsers. Migrate staff to a business-grade password manager. Browser credential stores are not secret from malware: Chrome and Edge keep saved logins in a local SQLite database encrypted with keys that any process running as the logged-in user can unlock (Windows DPAPI, plus Chrome's newer app-bound encryption that infostealers have already learned to work around), and Firefox's store is likewise decryptable unless a primary password is set. A dedicated password manager that keeps its vault locked behind a master password and MFA adds a meaningful barrier.
  • Audit cloud API keys and OAuth tokens regularly. Revoke unused tokens, rotate long-lived keys, enforce short expiration windows, and review which third-party applications have been granted access to your Google Workspace, Microsoft 365, or AWS environment. On a suspected compromise, revoke the affected user's sessions and keys alongside the password reset, not after it. Stolen tokens are only useful if they're still valid.
  • Deploy an EDR solution with behavioral detection. Signature-based antivirus will not reliably catch obfuscated Python payloads. Behavioral detection — flagging a script that disables Windows Defender, spawns unusual child processes, or establishes tunnel connections — is the right layer for this threat class.
  • Train staff on script-based lures. Files named install_something.bat are social engineering vehicles. A five-minute awareness reminder that no internal process requires running a batch file from email or a shared drive can break the attack chain at its origin.
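For the token audit step, here is an added example, written for this article rather than taken from the report, that works through an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded). The report embedded below is constructed and keeps only the columns the checks need; the real report has more. It flags active access keys older than a rotation window, active keys that have never been used or have sat idle, and console users without MFA. The "as of" date and the thresholds (90 days for rotation, 30 days idle) are assumptions to tune for your environment.

```python
"""Added example: audit an AWS IAM credential report for stale or idle
access keys and console users without MFA. Not code from the DEEP#DOOR
report; the report text and thresholds are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed credential report. The real output of
# `aws iam get-credential-report` (after base64 decoding) has more
# columns; only those used by the checks are kept here. "N/A" is what
# AWS emits for an empty key slot or a key that has never been used.
REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2026-03-01T09:00:00+00:00,2026-04-28T14:02:11+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,true,true,2025-06-01T09:00:00+00:00,2026-04-30T08:15:00+00:00,false,N/A,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,false,false,true,2026-04-01T09:00:00+00:00,N/A,true,2025-01-01T09:00:00+00:00,2025-02-01T12:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,true,false,false,N/A,N/A,false,N/A,N/A
"""

# Assumed "as of" time so the example is reproducible; use
# datetime.now(timezone.utc) in practice.
AS_OF = datetime(2026, 5, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Credential-report timestamps are ISO 8601; placeholders become None."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_text, now=AS_OF, max_key_age_days=90, max_idle_days=30):
    """Return (user, credential, reason) findings.

    reasons: no_mfa          console password enabled, MFA not active
             stale_rotation  active key older than max_key_age_days
             unused          active key never used or idle > max_idle_days
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "password", "no_mfa"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            key = f"access_key_{slot}"
            rotated = parse_ts(row[f"{key}_last_rotated"])
            last_used = parse_ts(row[f"{key}_last_used_date"])
            if rotated is None or (now - rotated).days > max_key_age_days:
                findings.append((user, key, "stale_rotation"))
            if last_used is None or (now - last_used).days > max_idle_days:
                findings.append((user, key, "unused"))
    return findings


def revocation_plan(findings):
    """Group findings per user so each user becomes one ticket to action."""
    plan = {}
    for user, cred, reason in findings:
        plan.setdefault(user, []).append(f"{cred}:{reason}")
    return plan


if __name__ == "__main__":
    for user, actions in revocation_plan(audit_credential_report(REPORT)).items():
        print(user, "->", ", ".join(actions))
```

On the constructed report, alice is clean, bob's key is overdue for rotation, the svc-backup service account has one key that has never been used and a second that is both stale and idle (the textbook candidate for deletion), and carol can sign into the console without MFA. Google Workspace and Microsoft 365 expose equivalent data through their admin APIs (OAuth app grants and token last-use), and the same "active, old, unused" logic applies.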

DEEP#DOOR is a reminder that modern credential theft doesn't need to be flashy. A well-crafted script, a tunneling relay, and a browser credential store are all an attacker needs to own your cloud environment. The defenses are well understood — the gap is usually in implementation.
