
Stealthy Python RAT “Deep#Door” Embeds in Batch File to Target Windows Systems

Securonix uncovered Deep#Door, a Python‑based RAT that hides inside a batch dropper, disables Windows defenses, and exfiltrates data through a public TCP tunnel. Its multi‑layer persistence and anti‑analysis tricks raise the risk for any organization relying on Windows endpoints, especially third‑party service providers.

LiveThreat™ Intelligence · May 02, 2026 · securityaffairs.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 1 sector(s) · Actions: 3 recommended · Source: securityaffairs.com

What Happened — Researchers at Securonix identified a new Windows‑focused Remote Access Trojan (RAT) named Deep#Door. The malware hides a Python back‑door inside a self‑parsing batch dropper, disables built‑in defenses, establishes persistence through multiple vectors, and exfiltrates data via a public TCP tunneling service (bore.pub).

Why It Matters for TPRM

  • The delivery method (a benign‑looking batch file) can bypass traditional download‑blocking controls, increasing the risk of compromise in third‑party environments.
  • Deep#Door’s multi‑layer persistence makes remediation costly and may affect the continuity of services provided by vendors.
  • Data exfiltration through a public tunnel evades network‑level detection, exposing sensitive information shared with partners.

Who Is Affected — All industries that rely on Windows endpoints, especially those using third‑party managed services, MSPs, and SaaS providers.

Recommended Actions

  • Review vendor endpoint hardening policies and ensure they block execution of unsigned batch scripts.
  • Verify that anti‑malware solutions are configured to detect in‑memory Python payloads and tampering of Windows Defender/PowerShell logging.
  • Conduct threat‑hunt queries for the known file paths (%LOCALAPPDATA%\SystemServices\svc.py) and persistence artifacts (Startup folder, Run keys, scheduled tasks, WMI subscriptions).
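The hunt described in the last bullet, written out as a host-level check. This is an added example, not a script from Securonix or from the original reporting; it looks only for the artifacts the brief names (the svc.py path, Startup folder items, Run keys, scheduled tasks, WMI subscriptions, Defender tampering). The regex patterns and the file extensions it treats as suspicious are assumptions, and every hit is a lead for analyst review rather than a confirmed infection.

```powershell
# Added hunt script (not from Securonix or the brief). Run in an elevated PowerShell session.
$findings = @()

# 1. Known file path from the brief
$svc = Join-Path $env:LOCALAPPDATA 'SystemServices\svc.py'
if (Test-Path $svc) { $findings += "File present: $svc" }

# 2. Per-user and all-users Startup folders; extension list is an assumption
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bat', '.cmd', '.vbs', '.lnk', '.py', '.pyw' } |
        ForEach-Object { $findings += "Startup item: $($_.FullName)" }
}

# 3. Run keys whose value launches python, a .bat/.py file, or the SystemServices path
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'python|\.py\b|\.bat\b|SystemServices' } |
        ForEach-Object { $findings += "Run key: $key\$($_.Name) = $($_.Value)" }
}

# 4. Scheduled tasks with an action that runs python or the svc.py path
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'python|svc\.py|SystemServices') {
            $findings += "Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)"
        }
    }
}

# 5. WMI permanent event subscriptions: the consumer holds the command that gets executed
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLineTemplate -match 'python|\.py\b|\.bat\b' } |
    ForEach-Object { $findings += "WMI consumer: $($_.Name) -> $($_.CommandLineTemplate)" }

# 6. Defender tampering: real-time monitoring switched off is consistent with the brief's evasion notes
if ((Get-MpPreference -ErrorAction SilentlyContinue).DisableRealtimeMonitoring) {
    $findings += 'Defender real-time monitoring is disabled'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Deep#Door artifacts found on this host' }
```

Run it across the estate with your endpoint management tooling and feed the warnings into a ticket for analyst triage; scope the regexes to your own environment if they produce noise from legitimate Python automation.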

Technical Notes

  • Attack vector: Batch file (install_obf.bat) that self‑extracts a Python payload; likely delivered via phishing or compromised internal scripts.
  • Persistence: Startup folder, registry Run keys, scheduled tasks, WMI event subscriptions, plus a watchdog thread that restores deleted artifacts.
  • Defense evasion: Disables Windows Defender, PowerShell logging, firewall logging; patches AMSI/ETW, unhooks ntdll, timestamp stomping, sandbox detection.
  • C2: Public TCP tunneling service bore.pub, eliminating the need for dedicated command‑and‑control infrastructure.
  • Data exfiltration: Uses the tunnel to stream stolen files and command output.

Source: SecurityAffairs – New Deep#Door RAT uses stealth and persistence to target Windows

📰 Original Source
https://securityaffairs.com/191567/malware/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
