DEEP#DOOR Python Backdoor Exploits Ngrok

The attackers didn’t write their own C2 infrastructure. They just used ngrok.

Key Takeaways

• DEEP#DOOR is a Python-based backdoor first identified on April 30, 2026, that relies on publicly available tunneling services instead of custom command-and-control servers.
• The malware executes via a batch script (install_obf.bat) that disables Windows Defender and extracts a packed Python payload.
• It targets browser credentials, session cookies, and cloud SDK tokens from AWS, GCP, and Azure.
• Instead of building covert infrastructure, the attackers abuse ngrok, a legitimate tool for developers, to relay stolen data.
• The use of Python and off-the-shelf tools lowers the barrier to entry—meaning we could see copycats within weeks.

No C2? Just Use ngrok

Most backdoors spend serious engineering effort hiding command-and-control (C2) communications. Not DEEP#DOOR. It sidesteps the whole problem by embedding a preconfigured ngrok tunneling client inside its payload.

Ngrok lets developers expose local servers to the internet via a public URL. It’s trusted, widely used, and—critically—encrypted by default. Attackers know that blocking ngrok outright breaks developer workflows. So they exploit that trust.

Once DEEP#DOOR runs, it launches a local server on the victim machine, binds it to the malware’s backend, then starts an ngrok process that punches out to the internet. The attacker simply waits at the other end of the tunnel.

This isn’t novel in theory—malware using ngrok has been documented before. But DEEP#DOOR integrates it as a core architectural component, not a fallback. That’s the shift. It’s not hiding. It’s blending in.

The Infection Chain Starts With a Script

The initial vector is a file named install_obf.bat. It looks like a developer setup script—exactly the kind of thing you’d run after cloning a repo. But the first thing it does is neuter Windows security.

• Disables Windows Defender real-time monitoring with Set-MpPreference -DisableRealtimeMonitoring $true
• Turns off AMSI (Anti-Malware Scan Interface) by patching memory at runtime
• Deletes PowerShell command history
• Downloads a second-stage payload encoded inside a PNG file disguised as a README image

Nothing here is zero-day. But the sequence is effective. And it’s automated. One double-click, and the system is wide open.

Why Python? Because It Works

Python is everywhere in dev environments. It’s pre-installed on most Linux systems, easy to bundle on Windows, and rarely monitored as closely as, say, PowerShell or.NET binaries.

DEEP#DOOR uses PyInstaller to package its code into a standalone executable. That means no need to drop a Python interpreter. The malware carries everything it needs.

But here’s the kicker: the code itself isn’t obfuscated heavily. It’s not packed with VMProtect or similar tools. Instead, it relies on confusion—misleading variable names, junk comments, and string splitting. Basic stuff. Yet it’s enough to slip past many signature-based scanners.

What It Steals—and How

DEEP#DOOR isn’t built for espionage. It’s built for access. Specifically, credentials that let attackers move laterally into cloud environments.

It starts with browsers. The backdoor scans for Chrome, Edge, and Firefox profiles. It extracts login data (encrypted passwords), cookies, and local storage. Then it decrypts them using the Windows Data Protection API (DPAPI), which it accesses via a small C++ stub compiled into the payload.

From there, it hunts for cloud CLI credentials:

• AWS: Looks for ~/.aws/credentials and ~/.aws/config
• GCP: Targets ~/.config/gcloud/credentials.db and access_tokens.db
• Azure: Scrapes ~/.azure/accessTokens.json and azureProfile.json

It also checks for active SSH keys, Docker configs, and environment variables containing secrets. All of it gets zipped, encrypted with a hardcoded AES key, and pushed through the ngrok tunnel.

Persistence Without the Drama

Some malware goes full Hollywood—kernel drivers, registry hacks, WMI events. DEEP#DOOR keeps it simple: it adds a single entry to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

It names the entry “PyUpdater” and points to a copy of itself in AppData\Local\Temp. Not clever. Not hidden. But effective. Reboot the machine, and the backdoor restarts. No fanfare.

And because it’s a Python executable, it doesn’t trigger many behavioral alerts. It doesn’t spawn suspicious children. It doesn’t inject into other processes. It just runs, connects, listens, and waits.

Why This Changes the Threat Model

Most organizations assume that legitimate tools like ngrok are safe. Developers use them daily. Security teams white-list them. Firewalls allow outbound connections. That trust is now a liability.

DEEP#DOOR proves that attackers don’t need sophisticated infrastructure to pull off credential theft at scale. They just need access to the same tools as developers.

This blurs the line between dev tools and attack vectors. It’s no longer enough to monitor for unknown domains or IP addresses. You now have to inspect traffic to known-good services—even if they’re encrypted.

And because ngrok sessions are ephemeral, traditional IP blacklisting fails. The tunnel might only live for 12 hours. By the time you detect it, it’s gone.

What’s more concerning? The malware doesn’t require admin rights. It runs under user context. Which means it can bypass many endpoint protections that assume non-admin users are low-risk.

How Other Malware Families Are Following Suit

DEEP#DOOR isn’t alone. Researchers at Palo Alto Networks observed a similar trend in Q2 2025 with a trojan dubbed “TunnelSnake,” which used Cloudflare Tunnel to communicate with attackers. That malware targeted fintech developers in Eastern Europe, exfiltrating API keys used in payment gateways. It relied on the same logic: abuse trusted infrastructure to avoid detection.

Microsoft’s Threat Intelligence Center flagged a cluster of activity in March 2026 tied to a group using LocalTunnel for C2 in attacks against GitHub Actions runners. The attackers injected malicious workflows that installed tunneling clients, then relayed logs and secrets back through dynamically generated URLs.

Even older malware families are adapting. Emotet, after its 2025 resurgence, began testing ngrok-based fallback C2 channels in test environments. While not yet deployed at scale, the configuration files show hardcoded ngrok auth tokens and tunnel parameters, suggesting a shift toward dependency on commercial tunneling platforms.

The pattern is clear: if a tool is allowed by corporate firewalls, widely adopted, and encrypted by default, it’s being weaponized. Tunneling services are no longer just enablers—they’re becoming part of the attack surface.

The Bigger Picture: Developer Tools as Attack Vectors

This isn’t just about one backdoor or one tunneling service. It’s about a systemic mismatch between how security teams classify risk and how modern development actually works.

DevOps pipelines increasingly rely on tools that open reverse tunnels, expose local ports, or run untrusted containers. GitHub Codespaces, Gitpod, and JetBrains Fleet all create environments where local network boundaries dissolve. These platforms often allow outbound HTTPS by default—and with good reason. But that same access is exactly what malware like DEEP#DOOR exploits.

Companies like HashiCorp and DataDog have reported internal incidents where developers accidentally committed ngrok authtokens to public repos. In at least two cases, those tokens were used within hours to create active tunnels into corporate subnets, even without direct malware involvement. The risk isn’t hypothetical—it’s operational.

The bigger problem? Visibility. Most EDR agents don’t deeply inspect traffic to domains like ngrok.io or trycloudflare.com. They see TLS, recognize a known service, and move on. But encrypted traffic isn’t safe traffic. And when a Python process spawns a tunneling binary with no user interaction, that’s a red flag—not a false positive.

This shift demands a reevaluation of trust assumptions. Just because a tool is used by developers doesn’t mean it should be exempt from scrutiny. Secure development isn’t just about code quality. It’s about understanding how the tools themselves can become conduits for compromise.

What This Means For You

If you’re a developer, stop treating local tools as neutral. Ngrok, LocalTunnel, Cloudflare Tunnel—these aren’t just conveniences. They’re potential exfiltration routes. Never run untrusted scripts, even if they claim to “set up dependencies.” Check what they do before you execute.

If you’re in security, update your detection rules. Look for processes spawning ngrok or similar tools without user interaction. Monitor for Python executables making outbound HTTPS connections to tunneling domains. And start logging DNS requests for *.ngrok.io, *.loca.lt, and *.trycloudflare.com. That traffic shouldn’t be routine.

There’s a deeper irony here: developers built ngrok to solve a real problem—quick, secure tunneling. Now attackers use it to bypass the very security measures meant to protect those developers. That’s not just clever. It’s poetic in the worst way.

Sources: The Hacker News, original report