Introduction
Security researchers at Securonix have uncovered a sophisticated campaign involving a new Remote Access Trojan (RAT) dubbed "Deep#Door." This threat is particularly concerning due to its reliance on a simple yet highly effective delivery mechanism: hiding a fully functional Python-based RAT inside a batch file.
Deep#Door is not a standard commodity malware; it employs active defense evasion techniques, specifically targeting and killing Windows security processes to operate undetected. Once established, the malware ensures persistence through multiple mechanisms and exfiltrates data via public TCP tunnels. Defenders must act immediately to identify this obfuscated execution chain and restore the integrity of security controls.
Technical Analysis
Affected Platform: Microsoft Windows (10, 11, and Server variants).
Threat Vector: The campaign relies on social engineering to get a malicious Batch file (.bat or .cmd) onto the host; the batch file is the initial access artifact, not a later-stage dropper.
Attack Chain Breakdown:
- Execution & Obfuscation: The initial payload is a Windows Batch file. Rather than dropping a separate executable, the batch file carries an embedded, often obfuscated, Python script and hands it to the Python interpreter, either inline on the command line or after writing it to a temporary location. Because no new .exe is written to disk, static signatures tuned to executables do not fire; the chain still leaves process-creation telemetry (cmd.exe spawning python.exe), which is what the detections below key on.
- Defense Evasion: Upon execution, Deep#Door immediately attempts to neutralize endpoint protection. The malware identifies active security processes, such as Windows Defender (MsMpEng.exe) or other EDR agents, and terminates them with native utilities such as taskkill.exe, or stops their services via sc.exe. This "blinding" of the host is a critical indicator of compromise (IoC). On a host with Defender Tamper Protection enabled these attempts fail, but the attempt itself is still logged and should be alerted on.
- Persistence: To survive reboots, the RAT establishes persistence. While the specific registry keys or scheduled task names vary by campaign, the methodology typically involves creating Run keys or scheduled tasks that invoke the malicious batch file or the Python interpreter directly.
- Command & Control (C2) & Exfiltration: Deep#Door routes traffic through public TCP tunneling services (similar to Ngrok or Cloudflare Tunnels). This hides the true C2 server behind the tunnel provider's legitimate-looking domains and bypasses egress rules that only block unknown IP addresses.
Exploitation Status: Confirmed active exploitation in the wild. No CVE is associated as this is a malware campaign abusing legitimate functionality (Python/Batch) rather than a software vulnerability.
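The execution and defense-evasion traits described above, turned into a file-triage routine. This is an added example for this page, not code from the Securonix report or from the RAT itself: it scores a .bat/.cmd file on whether it invokes the Python interpreter on an inline (-c) or .py payload, stages a .py file under a temp or profile directory, carries a long base64 blob that decodes to Python source, or kills/stops Defender and EDR components. The weights, the threshold of 3, and the three sample batch files are constructed for illustration.

```python
"""Triage .bat/.cmd files for an embedded Python payload.

Added example for this page (not Securonix's analysis tooling or the RAT's
own code). It scores a batch file on the traits described above: invoking
the Python interpreter on an inline script (-c) or a .py file, staging a
script under a temp/profile directory, long base64 blobs that decode to
Python source, and commands that kill or stop Defender/EDR components.
Weights, threshold and the three sample files are constructed for
illustration.
"""
import base64
import re
from dataclasses import dataclass, field

# Interpreter invoked with an inline script or a .py file on the same line.
INTERPRETER_CALL = re.compile(
    r"(?i)\b(python3?|pythonw|py)(\.exe)?\b[^\r\n]*?(\s-c\s|\.py\b)")
# A .py file referenced under %TEMP%, %APPDATA% etc. (staging before execution).
STAGED_PY = re.compile(r"(?i)%(temp|tmp|appdata|localappdata)%[^\r\n]*\.py\b")
# Tokens that look like Python source rather than batch syntax.
PY_TOKENS = re.compile(
    r"(?i)\b(import|exec|eval|__import__|b64decode|subprocess|socket|ctypes)\b")
# Long unbroken base64 run; the 120-character floor is an assumption.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# taskkill / sc / net aimed at Defender or Defender for Endpoint components.
SECURITY_TAMPER = re.compile(
    r"(?i)\b(taskkill|sc(\.exe)?\s+(stop|delete|config)|net(\.exe)?\s+stop)\b"
    r"[^\r\n]*(MsMpEng|WinDefend|WdNisSvc|MsSense|Sense|SecurityHealth)")


@dataclass
class Verdict:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # assumed threshold


def triage_batch(path: str, content: str) -> Verdict:
    """Score one batch file's text; higher means more RAT-like."""
    v = Verdict(path)

    if INTERPRETER_CALL.search(content):
        v.score += 2
        v.reasons.append("invokes the Python interpreter on an inline or .py payload")
    if STAGED_PY.search(content):
        v.score += 2
        v.reasons.append("references a .py file under a temp/profile directory")

    tokens = {t.lower() for t in PY_TOKENS.findall(content)}
    if len(tokens) >= 2:
        v.score += 1
        v.reasons.append("Python source tokens in a batch file: " + ", ".join(sorted(tokens)))

    for blob in BASE64_BLOB.findall(content):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("latin-1")
        except ValueError:
            continue
        v.score += 1
        v.reasons.append(f"long base64 blob ({len(blob)} chars)")
        if PY_TOKENS.search(decoded):
            v.score += 2
            v.reasons.append("base64 blob decodes to Python source")
        break  # one decodable blob is enough evidence

    if SECURITY_TAMPER.search(content):
        v.score += 3
        v.reasons.append("kills or stops Defender/EDR components")
    return v


# --- constructed sample inputs (not real malware) ---
_PAYLOAD_SRC = (
    "import socket, subprocess, base64\n"
    "# constructed stub: stands in for the RAT body, does nothing harmful\n"
    "def main():\n"
    "    print('payload stub')\n"
    "main()\n"
)
_B64 = base64.b64encode(_PAYLOAD_SRC.encode()).decode()

SAMPLES = {
    # ordinary admin script: no Python, no tampering
    "backup.bat": "@echo off\r\nrem nightly backup\r\nrobocopy C:\\data D:\\backup /MIR\r\nexit /b 0\r\n",
    # staged form: base64 -> %TEMP%\u.py, Defender killed, hidden interpreter launch
    "dropper.bat": (
        "@echo off\r\n"
        f"set \"B={_B64}\"\r\n"
        "echo %B% > \"%TEMP%\\x.b64\"\r\n"
        "certutil -decode \"%TEMP%\\x.b64\" \"%TEMP%\\u.py\" >nul\r\n"
        "taskkill /F /IM MsMpEng.exe\r\n"
        "start /B pythonw.exe \"%TEMP%\\u.py\"\r\n"
    ),
    # inline form: the whole payload travels on the interpreter's command line
    "inline.cmd": (
        "@echo off\r\n"
        "python -c \"import base64,sys;exec(base64.b64decode(sys.argv[1]))\" aW1wb3J0IG9z\r\n"
    ),
}


def triage_all(samples=SAMPLES) -> dict:
    """Triage every sample; returns {filename: Verdict}."""
    return {name: triage_batch(name, body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        print(f"{name}: score={v.score} suspicious={v.suspicious}")
        for r in v.reasons:
            print("   -", r)
```

Point the routine at the output of the batch-file sweep in the remediation script (every .bat/.cmd modified in the last week) rather than at a single file; the staged form scores high on several independent traits, while the inline form only clears the threshold because the interpreter call and the Python tokens are counted separately, which is why neither signal alone is treated as conclusive.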
Detection & Response
The following detection rules focus on the unique TTPs of Deep#Door: the suspicious relationship between Batch files and Python, and the active termination of security processes.
SIGMA Rules
---
title: Deep#Door RAT - Python Execution via Batch File
id: 9c8f4a12-3b5d-4e8f-9a1b-2c3d4e5f6789
status: experimental
description: Detects a Python interpreter launched by cmd.exe or PowerShell with an inline script (-c), an import statement or a .py file on the command line, the chain Deep#Door uses to run a payload hidden in a batch file. Developer activity will trigger this; correlate with the parent command line (look for a .bat/.cmd path) and the interpreter location before escalating.
references:
    - https://securityaffairs.com/191567/malware/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html
author: Security Arsenal
date: 2025/04/09
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1059.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\python3.exe'
        CommandLine|contains:
            - '.py'
            - '-c '
            - 'import '
    # The process_creation schema has no grandparent field, so an IDE that spawned the
    # shell cannot be filtered on ParentImage (it is always the shell in this rule).
    # Filter on the interpreter path instead: IDE-bundled Pythons live under these dirs.
    filter_ide_python:
        Image|contains:
            - '\Visual Studio'
            - '\JetBrains'
            - '\PyCharm'
            - '\VSCode'
    condition: selection and not filter_ide_python
falsepositives:
    - Developers running Python scripts from a terminal; tune per host or add the organisation's interpreter paths to the filter
level: high
---
title: Deep#Door RAT - Windows Defense Process Termination
id: b1e2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects attempts to kill Windows Defender / Defender for Endpoint processes or to stop their services with native tooling, the defense-evasion step Deep#Door performs once it is running. With Tamper Protection enabled the attempt fails but is still logged.
references:
    - https://securityaffairs.com/191567/malware/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html
author: Security Arsenal
date: 2025/04/09
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    # taskmgr.exe takes no target on its command line, so it can never satisfy
    # selection_cli and is not listed; sc.exe and net.exe cover service stops.
    selection_img:
        Image|endswith:
            - '\taskkill.exe'
            - '\tskill.exe'
            - '\sc.exe'
            - '\net.exe'
            - '\net1.exe'
    selection_cli:
        CommandLine|contains:
            - 'MsMpEng.exe'
            - 'MsSense.exe'
            - 'SenseCncProxy.exe'
            - 'SecurityHealthService.exe'
            - 'WinDefend'
            - 'WdNisSvc'
            - ' Sense'
    condition: all of selection_*
falsepositives:
    - Administrators manually stopping or restarting security services (rare; should be change-controlled)
level: critical
KQL (Microsoft Sentinel / Defender)
This query hunts for the parent-child process relationship indicative of the batch-to-python execution chain, as well as the termination of security services.
// Hunt for Deep#Door execution chain and defense evasion
let SuspiciousPython =
    DeviceProcessEvents
    | where FileName in~ ("python.exe", "pythonw.exe", "python3.exe")
    | where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
    // same markers as the Sigma rule: a .py file, an inline script (-c) or an import statement
    | where ProcessCommandLine matches regex @'(?i)(\.py\b|\s-c\s|\bimport\b)'
    // the parent command line is where the .bat/.cmd path shows up
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256;
let DefenseTampering =
    DeviceProcessEvents
    | where FileName in~ ("taskkill.exe", "tskill.exe", "sc.exe", "net.exe", "net1.exe")
    // sc/net syntax is "sc stop WinDefend", "sc config WinDefend start= disabled",
    // "net stop WinDefend" (no slash switches), so key on the service/process names
    | where ProcessCommandLine has_any ("MsMpEng", "MsSense", "SenseCncProxy", "Sense",
                                        "WinDefend", "WdNisSvc", "SecurityHealthService")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine;
union SuspiciousPython, DefenseTampering
| order by Timestamp desc
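The selection-and-filter logic of the two Sigma rules above (and of the KQL hunt) applied to sample process-creation events, so the detections can be sanity-checked before deployment. This is an added example, not part of the original page or of any vendor product: field names follow the Sigma process_creation schema, the interpreter, killer-utility and service-name lists are slightly broader than the rules as printed (pythonw.exe, sc.exe, net.exe are assumptions), and the six events, including every path and command line in them, are constructed.

```python
"""Evaluate the two Sigma rules above against process-creation events.

Added example, not part of the original page or of any vendor product:
a small evaluator that applies the same selection-and-filter logic as the
Sigma rules (and the KQL hunt) to constructed, Sysmon-style
process_creation events. Field names follow the Sigma process_creation
schema; the interpreter, killer-utility and service-name lists are a
little broader than the rules (pythonw.exe, sc.exe, net.exe) and are
assumptions, as are the six sample events.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    Image: str
    CommandLine: str
    ParentImage: str
    ParentCommandLine: str = ""


# Rule 1 lists (Sigma endswith/contains are case-insensitive; mirrored below)
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
PYTHON = ("\\python.exe", "\\pythonw.exe", "\\python3.exe")
PY_ARGS = (".py", "-c ", "import ")
IDE_PATHS = ("\\Visual Studio", "\\JetBrains", "\\PyCharm", "\\VSCode")

# Rule 2 lists
KILLERS = ("\\taskkill.exe", "\\tskill.exe", "\\sc.exe", "\\net.exe", "\\net1.exe")
SECURITY_TARGETS = ("MsMpEng.exe", "MsSense.exe", "SenseCncProxy.exe",
                    "SecurityHealthService.exe", "WinDefend", "WdNisSvc")


def _ends_with_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_python_via_batch(ev: ProcEvent) -> bool:
    """'selection and not filter_ide_python' from the first rule."""
    selection = (_ends_with_any(ev.ParentImage, SHELLS)
                 and _ends_with_any(ev.Image, PYTHON)
                 and _contains_any(ev.CommandLine, PY_ARGS))
    filter_ide_python = _contains_any(ev.Image, IDE_PATHS)
    return selection and not filter_ide_python


def rule_security_process_termination(ev: ProcEvent) -> bool:
    """'all of selection_*' from the second rule."""
    return (_ends_with_any(ev.Image, KILLERS)
            and _contains_any(ev.CommandLine, SECURITY_TARGETS))


RULES = {
    "Deep#Door RAT - Python Execution via Batch File": rule_python_via_batch,
    "Deep#Door RAT - Windows Defense Process Termination": rule_security_process_termination,
}


def evaluate(events) -> list:
    """Return (rule title, event) for every rule that fires on every event."""
    return [(title, ev) for ev in events for title, fn in RULES.items() if fn(ev)]


# --- constructed sample events (paths and command lines are made up) ---
SAMPLE_EVENTS = [
    # 1. batch -> cmd.exe -> pythonw.exe with an inline payload: rule 1 fires
    ProcEvent(
        Image=r"C:\Users\victim\AppData\Local\Programs\Python\Python312\pythonw.exe",
        CommandLine=r'pythonw.exe -c "import base64,sys;exec(base64.b64decode(sys.argv[1]))" aW1wb3J0IG9z',
        ParentImage=r"C:\Windows\System32\cmd.exe",
        ParentCommandLine=r'cmd.exe /c "C:\Users\victim\Downloads\invoice.bat"'),
    # 2. the payload kills Defender's engine: rule 2 fires
    ProcEvent(Image=r"C:\Windows\System32\taskkill.exe",
              CommandLine="taskkill /F /IM MsMpEng.exe",
              ParentImage=r"C:\Users\victim\AppData\Local\Programs\Python\Python312\pythonw.exe"),
    # 3. ... and stops the service: rule 2 fires
    ProcEvent(Image=r"C:\Windows\System32\sc.exe",
              CommandLine="sc stop WinDefend",
              ParentImage=r"C:\Windows\System32\cmd.exe"),
    # 4. developer running a build script from an IDE-bundled interpreter: filtered
    ProcEvent(Image=r"C:\Tools\JetBrains\PyCharm\python.exe",
              CommandLine="python.exe build.py",
              ParentImage=r"C:\Windows\System32\cmd.exe"),
    # 5. pip from a terminal: no inline script, import or .py on the command line
    ProcEvent(Image=r"C:\Python312\python.exe",
              CommandLine="python.exe -m pip list",
              ParentImage=r"C:\Windows\System32\cmd.exe"),
    # 6. taskkill against something harmless
    ProcEvent(Image=r"C:\Windows\System32\taskkill.exe",
              CommandLine="taskkill /F /IM notepad.exe",
              ParentImage=r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for title, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] {ev.ParentImage} -> {ev.Image}")
        print(f"    parent: {ev.ParentCommandLine or '(n/a)'}")
        print(f"    cmd:    {ev.CommandLine}")
```

Three of the six events fire, and event 4 shows why the IDE filter has to sit on the interpreter path: its parent is cmd.exe just like the malicious chain, so a filter on ParentImage would never have matched it. Swap the constructed events for exported Sysmon or MDE records to regression-test the rules against your own telemetry.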
Velociraptor VQL
This VQL query hunts for running Python interpreters whose parent is a shell (the live form of the batch-to-Python chain) and, optionally, for batch files planted in the per-user Startup folders. The shell's own command line is carried into the output because that is where the path of the originating .bat/.cmd appears.
-- Hunt for Deep#Door RAT indicators: a Python interpreter whose parent is a shell
LET Shells = SELECT Pid AS ShellPid, Name AS ShellName, CommandLine AS ShellCommandLine
             FROM pslist()
             WHERE Name =~ "^(cmd|powershell|pwsh)[.]exe$"

SELECT * FROM foreach(
    row=Shells,
    query={
        SELECT Pid, Ppid, Name, CommandLine, Exe, Username, StartTime,
               ShellName, ShellCommandLine
        FROM pslist()
        WHERE Ppid = ShellPid AND Name =~ "^python"
    })

-- Optional: batch files planted in per-user Startup folders
-- SELECT FullPath, Mtime, Size
-- FROM glob(globs=["C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*.bat",
--                  "C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*.cmd"])
Remediation Script (PowerShell)
This script aids in the identification and containment of the threat by checking for the persistence mechanisms and restoring critical services.
#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Deep#Door RAT Remediation and Hardening Script
.DESCRIPTION
    Checks Run/RunOnce keys and scheduled tasks for Python or batch-file persistence,
    restores the Windows Defender services (status and start-up type), and lists
    recently modified batch files under user profiles. The script reports and
    re-enables; it does not delete anything, so findings can be reviewed first.
#>
Write-Host "[*] Starting Deep#Door RAT Remediation Checklist..." -ForegroundColor Cyan

# Anything that launches Python or a batch file from an autostart location is worth a look
$persistPattern = 'python|\.bat\b|\.cmd\b'

# 1. Check Registry Run keys (common persistence)
Write-Host "[+] Checking Registry Run keys for Python or batch execution..." -ForegroundColor Yellow
$runKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Walk the value names; skip the PS* provider properties Get-ItemProperty adds
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
    foreach ($v in $values) {
        if ("$($v.Value)" -match $persistPattern) {
            Write-Host "[!] Suspicious persistence in $key" -ForegroundColor Red
            Write-Host "    $($v.Name) = $($v.Value)"
        }
    }
}

# 2. Check scheduled tasks (the other persistence mechanism named in the analysis)
Write-Host "[+] Checking scheduled task actions..." -ForegroundColor Yellow
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match $persistPattern) {
            Write-Host "[!] Suspicious task $($task.TaskPath)$($task.TaskName): $($action.Execute) $($action.Arguments)" -ForegroundColor Red
        }
    }
}

# 3. Ensure Windows Defender services are running and keep their default start-up type
Write-Host "[+] Verifying Windows Defender services..." -ForegroundColor Yellow
# Default start-up types; Sense only exists on Defender for Endpoint-onboarded hosts
$defenderServices = @{
    "WinDefend"             = "Automatic"
    "WdNisSvc"              = "Manual"
    "Sense"                 = "Automatic"
    "SecurityHealthService" = "Manual"
}
foreach ($svc in $defenderServices.Keys) {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $service) { continue }
    if ($service.StartType -eq "Disabled") {
        Write-Host "[!] Service $svc is disabled. Resetting start-up type to $($defenderServices[$svc])..." -ForegroundColor Red
        try {
            Set-Service -Name $svc -StartupType $defenderServices[$svc] -ErrorAction Stop
        } catch {
            # WinDefend is a protected service: expect Access Denied here; restore it via Tamper Protection / Intune / GPO
            Write-Host "[-] Failed to change start-up type of $svc. Manual intervention required." -ForegroundColor Red
        }
    }
    if ($service.Status -eq "Running") {
        Write-Host "[+] Service $svc is running." -ForegroundColor Green
    } elseif ($defenderServices[$svc] -eq "Automatic") {
        Write-Host "[!] Service $svc is stopped. Attempting to start..." -ForegroundColor Red
        try {
            Start-Service -Name $svc -ErrorAction Stop
            Write-Host "[+] Successfully started $svc" -ForegroundColor Green
        } catch {
            Write-Host "[-] Failed to start $svc. Manual intervention required." -ForegroundColor Red
        }
    } else {
        Write-Host "[*] Service $svc is $($service.Status) (trigger-started; normal when idle)." -ForegroundColor Yellow
    }
}

# 4. Hunt for recently modified .bat/.cmd files in user profiles
Write-Host "[+] Scanning for recently modified batch files in user directories..." -ForegroundColor Yellow
$cutOffDate = (Get-Date).AddDays(-7)
Get-ChildItem -Path C:\Users -Include *.bat, *.cmd -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutOffDate } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

Write-Host "[*] Remediation script completed." -ForegroundColor Cyan
Remediation
- Isolate Affected Hosts: Immediately disconnect any endpoints identified as infected from the network to prevent lateral movement and data exfiltration.
- Terminate Malicious Processes: Kill instances of python.exe (or pythonw.exe) that are parented by cmd.exe or powershell.exe when the command line is obfuscated or otherwise suspicious. Record the parent command line first; it usually contains the path of the batch file that started the chain.
- Remove Persistence Artifacts:
  - Inspect and clean the following Registry paths for entries invoking Python or batch files:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    (and the matching RunOnce keys)
  - Check Task Scheduler for tasks that trigger cmd.exe or python.exe with suspicious arguments.
- Restore Security Controls:
  - Ensure Windows Defender or your EDR agent is re-enabled.
  - Use sc.exe config <service> start= auto (note the space after "start=") or the Services MMC to reset any service start-up types the malware changed. WinDefend is a protected service; if the change is refused, restore it through Tamper Protection, Intune or Group Policy rather than by editing the service directly.
- Network Blocking: While the specific C2 domains vary, block access to public TCP tunneling providers at the egress firewall or proxy if they are not business-critical, or inspect TLS traffic for anomalies associated with these services.