DEEP#DOOR: Python Backdoor Abuses Cloudflare Tunnels to Bypass Network Detection and Exfiltrate Credentials

Securonix researchers have disclosed DEEP#DOOR, a Python-based backdoor framework that routes command-and-control traffic through legitimate Cloudflare Tunnel infrastructure to evade network security controls. The malware establishes persistence via multiple mechanisms, disables Windows security features at installation, and specifically targets browser-stored passwords, session tokens, and cloud provider credentials.

#malware #python-backdoor #cloudflare #c2 #credential-theft #evasion #windows

Securonix’s threat research team has disclosed a sophisticated Python-based backdoor framework dubbed DEEP#DOOR that routes all command-and-control (C2) traffic through Cloudflare Tunnel infrastructure — legitimate, trusted infrastructure that most enterprise network security controls permit by default. The campaign targets Windows environments, deploying the backdoor via malicious batch scripts that disable security controls before establishing multi-mechanism persistence.

The Cloudflare Tunnel Evasion Technique

Cloudflare Tunnel (formerly Argo Tunnel) allows operators to expose internal services to the internet via Cloudflare’s edge network without opening inbound firewall ports. The tunnelling client (cloudflared) establishes outbound HTTPS connections to Cloudflare’s infrastructure, which proxies traffic from a Cloudflare-assigned hostname back to the operator’s endpoint.

DEEP#DOOR’s operator runs a Cloudflare Tunnel listener that receives the backdoor’s outbound connections from compromised hosts. From the network perspective of the victim’s environment, all C2 traffic appears as standard HTTPS connections to Cloudflare’s authoritative infrastructure (IP ranges 104.16.0.0/12 and 104.21.0.0/17), which is routinely whitelisted or unblocked in enterprise environments to support Cloudflare-hosted web services and CDN traffic.

This technique is not a Cloudflare vulnerability — the platform is being abused as a legitimate relay. Similar abuse of trusted infrastructure (ngrok, Pagoda, and other tunnelling services) has been observed in various malware families, but Cloudflare’s near-universal enterprise whitelisting makes it particularly effective.

Installation and Persistence

DEEP#DOOR arrives as an obfuscated batch script delivered via phishing. Upon execution:

  1. The batch script invokes PowerShell to download a Python runtime and the backdoor components from a Cloudflare-hosted staging URL
  2. Windows Defender real-time monitoring is disabled via Set-MpPreference -DisableRealtimeMonitoring $true
  3. The Windows Firewall is disabled for the public and domain profiles
  4. SmartScreen and Windows Script Host are disabled via registry modifications
  5. Four persistence mechanisms are established concurrently: Startup folder shortcut, HKCU Run registry key, scheduled task (every 5 minutes), and WMI event subscription

The multi-persistence approach is intentional: disabling one mechanism (e.g., removing the startup shortcut) does not prevent reinfection, as the remaining three continue to trigger the backdoor on login and on schedule.

Credential and Data Exfiltration

DEEP#DOOR’s exfiltration module specifically targets:

  • Browser credential stores: Chrome, Edge, Brave, and Firefox stored passwords and session cookies, extracted using the win32crypt and SQLite libraries included in the Python bundle
  • Cloud provider credential files: AWS ~/.aws/credentials, Azure ~/.azure/, GCP ~/.config/gcloud/ application default credentials
  • Environment files: .env files found in common developer directories and web server roots
  • Windows Credential Manager: Any secrets stored in the Windows Credential Manager accessible to the current user context
  • Session token files: OAuth tokens, API keys, and session files in common tool configuration locations

Exfiltrated data is AES-128 encrypted before transmission through the Cloudflare Tunnel, providing an additional layer of obfuscation against data loss prevention tools that inspect outbound content.

Detection Guidance

Standard network-based C2 detection rules are ineffective against DEEP#DOOR’s Cloudflare Tunnel technique since the traffic is indistinguishable from legitimate Cloudflare service usage. Effective detection requires endpoint-based signals:

  • Monitor cloudflared.exe execution from unusual parent processes — specifically batch scripts, PowerShell, or user-space directories. Legitimate Cloudflare Tunnel deployments typically run as a system service and are not invoked by user-space scripts.
  • Alert on Set-MpPreference -DisableRealtimeMonitoring — this PowerShell invocation is a near-universal indicator of malicious activity in environments where defenders have not explicitly disabled Defender.
  • Detect scheduled task creation via schtasks combined with short intervals (≤ 5 minutes) pointing to scripts in %APPDATA% or %TEMP%.
  • WMI event subscription creation is a detectable, relatively rare administrative action — any non-administrative process creating a WMI event subscription should be investigated.
  • Monitor access to browser credential stores — reads from the Chrome/Edge Login Data SQLite database by non-browser processes are a reliable credential theft indicator.
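The five endpoint signals above can be expressed as simple rules over process, WMI and file-access telemetry. The block below is an added example written for this article, not Securonix detection content and not code from the DEEP#DOOR campaign. It assumes Sysmon-style field names (Image, ParentImage, CommandLine, User; Event ID 1 for process creation, 19/20/21 for WMI filter, consumer and binding objects) and adds a hypothetical "FileAccess" record type for file reads, which Sysmon does not log by default; all sample events are constructed, including the cloudflared path under AppData and the "svc" task and consumer names.

```python
"""Rule-based detection of the DEEP#DOOR endpoint indicators, run over
constructed sample events. Added example; assumptions are noted inline."""
import re
from pathlib import PureWindowsPath

# Directory markers, host processes and browser names the rules rely on (assumptions).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "%appdata%", "%localappdata%", "%temp%")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
CRED_STORE_RE = re.compile(r"(\\login data|\\cookies|\\logins\.json|\\cookies\.sqlite)$", re.I)
DEFENDER_RE = re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*?/sc\s+minute\b.*?/mo\s+(\d+)", re.I)
TASK_TARGET_RE = re.compile(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', re.I)

# Constructed telemetry: a mix of benign and suspicious records.
SAMPLE_EVENTS = [
    # benign: cloudflared installed as a service, started by the service control manager
    {"EventID": 1, "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "cloudflared.exe tunnel run", "User": "NT AUTHORITY\\SYSTEM"},
    # suspicious: cloudflared dropped under AppData and launched from cmd.exe
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svc\cloudflared.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cloudflared.exe tunnel run", "User": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "User": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "%APPDATA%\\svc\\run.bat" /f',
     "User": "CORP\\alice"},
    # benign: hourly IT task whose action lives under Program Files
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 60 /tn "Inventory" /tr "C:\\Program Files\\IT\\inv.exe"',
     "User": "CORP\\svc_it"},
    # Sysmon 20 = WmiEventConsumer created, here by a user-space python.exe
    {"EventID": 20, "Image": r"C:\Users\alice\AppData\Roaming\svc\python.exe",
     "User": "CORP\\alice", "Name": "svcConsumer", "Type": "Command Line"},
    # benign: the browser opening its own credential database
    {"EventID": "FileAccess", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": "FileAccess", "Image": r"C:\Users\alice\AppData\Roaming\svc\python.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_cloudflared_parent(ev):
    """cloudflared.exe spawned by a script host or running from a user-writable directory."""
    if ev["EventID"] != 1 or _name(ev["Image"]) != "cloudflared.exe":
        return None
    if _name(ev["ParentImage"]) in SCRIPT_HOSTS or _user_writable(ev["Image"]):
        return "cloudflared.exe launched by a script host or from a user-writable directory"
    return None


def rule_defender_disabled(ev):
    """Set-MpPreference -DisableRealtimeMonitoring $true anywhere in a command line."""
    if ev["EventID"] == 1 and DEFENDER_RE.search(ev.get("CommandLine", "")):
        return "Defender real-time monitoring disabled via Set-MpPreference"
    return None


def rule_short_interval_task(ev):
    """schtasks /create with a <= 5 minute interval whose action is in %APPDATA%/%TEMP%."""
    if ev["EventID"] != 1:
        return None
    cmd = ev.get("CommandLine", "")
    sched, target = SCHTASKS_RE.search(cmd), TASK_TARGET_RE.search(cmd)
    if not sched or not target:
        return None
    minutes = int(sched.group(1))
    action = target.group(1) or target.group(2)
    if minutes <= 5 and _user_writable(action):
        return f"scheduled task every {minutes} min running {action}"
    return None


def rule_wmi_subscription(ev):
    """Any WMI filter/consumer/binding creation is rare enough to surface for review."""
    if ev["EventID"] in (19, 20, 21):
        return f"WMI event subscription object created by {_name(ev['Image'])} as {ev.get('User', '?')}"
    return None


def rule_credential_store_access(ev):
    """Browser credential/cookie database opened by a process that is not the browser."""
    if ev["EventID"] != "FileAccess" or not CRED_STORE_RE.search(ev.get("TargetFilename", "")):
        return None
    if _name(ev["Image"]) not in BROWSERS:
        return f"non-browser process {_name(ev['Image'])} read {ev['TargetFilename']}"
    return None


RULES = [rule_cloudflared_parent, rule_defender_disabled, rule_short_interval_task,
         rule_wmi_subscription, rule_credential_store_access]


def run_rules(events):
    """Return (rule_name, reason) for every rule that fires on any event, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((rule.__name__, reason))
    return hits


if __name__ == "__main__":
    for name, reason in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {reason}")
```

Run against the constructed sample, the three benign records (service-managed cloudflared, the hourly task under Program Files, Chrome opening its own Login Data) stay silent and the five suspicious ones each raise exactly one alert. The rules deliberately key on parent process and on-disk location rather than on the cloudflared binary itself, since the same binary is legitimate when run as a service.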

Organisations that permit end users to download and run unsigned scripts, or that have not enforced application control policies, are most exposed to the initial access vector. Deploying PowerShell Constrained Language Mode and AppLocker or WDAC policies blocking execution from user-writable directories significantly reduces the installation success rate.
