Cyber: Deep#door Python Backdoor Evades Detection On Windows (2026)

A stealthy Python-based backdoor framework capable of long-term surveillance and credential theft has been identified targeting Windows systems. According to research from Securonix, the malware, dubbed Deep#Door, uses an obfuscated batch script to deploy a persistent implant while bypassing traditional detection methods.

Unlike many loaders that retrieve payloads from external servers, Deep#Door embeds its malicious Python code directly within the dropper script. This self-contained approach reduces network indicators and allows the malware to reconstruct its payload both in memory and on disk during execution.

At the core of the attack chain is a heavily obfuscated batch file that disables Windows security features before extracting the embedded Python payload. The script establishes persistence through multiple mechanisms, including startup folder entries, registry run keys and scheduled tasks.

Securonix researchers noted that this method reflects a broader shift toward script-driven intrusion techniques. By relying on native tools like PowerShell, attackers can blend malicious activity with legitimate system behavior and avoid static detection.

The loader also uses a self-referential parsing technique, reading its own contents to extract the embedded payload. This eliminates the need for additional downloads and mimics fileless execution patterns that are harder to detect through network monitoring.

Other findings from the report include:

- Multiple persistence methods, including Windows Management Instrumentation (WMI) subscriptions
- Security controls such as Windows Defender and logging disabled

Once deployed, the backdoor communicates with attacker infrastructure via a public TCP tunneling service. This removes the need for dedicated command-and-control (C2) servers and allows malicious traffic to blend with legitimate connections.
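As an added defender-side example (not code from the Securonix report or from the malware), the read-only PowerShell sweep below enumerates the persistence locations the article names (registry Run keys, startup folders, scheduled tasks, WMI event subscriptions) and the Defender real-time setting, and flags entries that launch Python, batch files or encoded PowerShell. The `$Pattern` regex and the `Test-Entry` helper are assumptions for illustration; tune the pattern to the environment.

```powershell
# Added triage example, not part of the article. Run in an elevated shell for HKLM and WMI coverage.
# Assumed indicator pattern: interpreters and file types a batch-dropped Python implant relies on.
$Pattern = 'python|\.pyw?\b|\.bat\b|\.cmd\b|\s-(e|enc|encodedcommand)\s'

function Test-Entry {
    # Hypothetical helper: emit a record only when the value matches the pattern.
    param([string]$Source, [string]$Name, [string]$Value)
    if ($Value -and $Value -match $Pattern) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value }
    }
}

$results = @(
    # 1. Registry Run / RunOnce keys for the current user and the machine
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($key in 'Run', 'RunOnce') {
            $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$key"
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($props) {
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -notlike 'PS*') { Test-Entry "Registry $path" $p.Name ([string]$p.Value) }
                }
            }
        }
    }
    # 2. Per-user and all-users startup folders (file names only; .lnk targets need separate resolution)
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { Test-Entry 'Startup folder' $_.Name $_.FullName }
    }
    # 3. Scheduled task actions (executable plus arguments)
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            Test-Entry "Scheduled task $($task.TaskPath)$($task.TaskName)" 'Action' "$($a.Execute) $($a.Arguments)"
        }
    }
    # 4. Permanent WMI event consumers in root\subscription
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Test-Entry 'WMI CommandLineEventConsumer' $_.Name $_.CommandLineTemplate }
    Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Test-Entry 'WMI ActiveScriptEventConsumer' $_.Name $_.ScriptText }
    # 5. Defender real-time protection switched off, which the article reports the dropper does
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp -and $mp.DisableRealtimeMonitoring) {
        [pscustomobject]@{ Source = 'Defender'; Name = 'DisableRealtimeMonitoring'; Value = 'True' }
    }
)

$results | Format-Table -AutoSize -Wrap
```

A match is a lead for review, not a verdict: legitimate software also registers Python and batch entries, so pair any hit with the file's origin and signing status before acting.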

Source: InfoSecurity Magazine