
New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Security researchers have identified a new Python-based backdoor that employs a tunneling service to exfiltrate browser credentials and cloud storage data from infected systems. The malware, detected in recent weeks, targets sensitive information stored in popular browsers and services like Google Drive and Dropbox.

Key Details

The backdoor operates by establishing a connection through a commercial tunneling service, which masks its command-and-control communications. Once active, it enumerates and extracts login credentials from browsers including Chrome, Firefox, and Edge. It also scans for tokens associated with cloud providers.

According to analysts at the cybersecurity firm SEO Scammers Alert, the malware uses Python scripts to automate credential theft. Data is compressed and sent through the tunnel to avoid detection by traditional network monitoring tools.

  • Targets: Browser cookies, saved passwords, autofill data
  • Cloud services: OAuth tokens for Google, Microsoft, Dropbox
  • Stealth method: Tunneling service for C2 traffic

Technical Breakdown

The backdoor initializes by checking system privileges and injecting itself into legitimate processes. It then deploys keyloggers to capture ongoing user activity. Researchers note the use of obfuscated Python code, which complicates static analysis.

Infection vectors remain under investigation, but initial findings point to phishing emails and malicious downloads. The tunneling service, commonly used for legitimate remote access, provides the malware with persistent connectivity even behind firewalls.

Why It Matters

This development highlights ongoing risks in credential theft campaigns. Stolen browser data enables account takeovers, while cloud tokens grant unauthorized access to files and services. Organizations face elevated breach risks as attackers chain these credentials for lateral movement.

Experts emphasize that tunneling services, while useful for streamlining operations in legitimate scenarios, now serve as dual-use tools for malware authors. Detection requires behavioral analysis beyond signature-based antivirus.

Expert Statements

“The integration of tunneling services marks an adaptation to modern network defenses,” a spokesperson for the discovering firm stated. “Defenders must monitor for anomalous outbound traffic patterns.”

Independent analysts report similar tactics in other recent campaigns, urging multi-factor authentication and credential manager adoption.

Recommendations and Next Steps

Users should update browsers, enable MFA, and use password managers. Enterprises are advised to segment networks and deploy endpoint detection tools focused on script execution.

Researchers continue monitoring for variants. Indicators of compromise have been published for threat hunters. No specific attribution to threat actors has been confirmed as of May 3, 2026.

Frequently Asked Questions

How can I detect and remove a Python backdoor that uses a tunneling service?

Scan your system with antivirus tools like Malwarebytes or Windows Defender, focusing on unusual network connections to tunneling services. Check running processes for suspicious Python scripts via Task Manager and analyze network traffic with Wireshark for C2 communications. Quarantine and delete any infected files, then change all passwords and enable multi-factor authentication on browser and cloud accounts.
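As an added illustration of the behavioral detection the article calls for (monitoring anomalous outbound traffic and C2 communications), and not code from the article or the researchers, the script below hunts a proxy log for two patterns: a scripting interpreter connecting to a tunneling-service domain, and bulk upload volume from such a process. The log format, the domain suffixes, the byte threshold and the log lines are all assumptions or constructed samples, since the article names none of them.

```python
import re
from collections import defaultdict

# Watchlist of tunneling-service domain suffixes. PLACEHOLDERS: the article does not
# name the service, so substitute the suffixes of the services seen at your site.
TUNNEL_DOMAIN_SUFFIXES = (".tunnel-placeholder.example", ".relay-placeholder.example")
# Outbound byte threshold per (host, process) over the log window (assumed value).
BYTES_OUT_THRESHOLD = 5_000_000
# Interpreter process names under which a Python backdoor would run (assumption).
SCRIPT_PROCESSES = {"python", "python3", "python.exe", "pythonw.exe"}

# Assumed proxy log format: "<ts> host=<host> proc=<process> dst=<domain> bytes_out=<n>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes_out>\d+)$")

def parse_line(line):
    """Return a dict for one proxy log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["proc"] = rec["proc"].lower()
    return rec

def hunt(lines):
    """Return (reason, host, proc, detail) alerts for tunneling-service C2 patterns."""
    alerts = []
    volume = defaultdict(int)  # total bytes_out per (host, proc)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed lines instead of aborting the hunt
            continue
        dst = rec["dst"].lower()
        volume[(rec["host"], rec["proc"])] += rec["bytes_out"]
        # Rule 1: a scripting interpreter talking to a tunneling-service domain.
        if rec["proc"] in SCRIPT_PROCESSES and dst.endswith(TUNNEL_DOMAIN_SUFFIXES):
            alerts.append(("script-to-tunnel", rec["host"], rec["proc"], dst))
    # Rule 2: large aggregate upload volume from a scripting interpreter (bulk exfil).
    for (host, proc), total in volume.items():
        if proc in SCRIPT_PROCESSES and total >= BYTES_OUT_THRESHOLD:
            alerts.append(("bulk-upload", host, proc, str(total)))
    return alerts

# Constructed sample log lines (not real telemetry); one line is deliberately malformed.
SAMPLE_LOG = [
    "2026-05-01T10:00:01Z host=ws-17 proc=chrome.exe dst=mail.example.org bytes_out=1200",
    "2026-05-01T10:00:05Z host=ws-17 proc=pythonw.exe dst=abc123.tunnel-placeholder.example bytes_out=3400000",
    "2026-05-01T10:00:09Z host=ws-17 proc=pythonw.exe dst=abc123.tunnel-placeholder.example bytes_out=2900000",
    "2026-05-01T10:01:00Z host=ws-22 proc=python3 dst=pypi.org bytes_out=800",
    "malformed line",
]
```

Running `hunt(SAMPLE_LOG)` yields two script-to-tunnel alerts for ws-17 and one bulk-upload alert (6,300,000 bytes), while the benign chrome and pypi lines and the malformed line produce nothing.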

What is the new Python backdoor that uses a tunneling service?

The new Python backdoor is a sophisticated malware that leverages tunneling services to stealthily exfiltrate browser and cloud credentials. It establishes persistent connections through proxies or VPN-like tunnels to evade firewalls and detection. Once installed, it targets credentials from Chrome, Firefox, and services like AWS or Google Cloud.

Why is my browser losing credentials to a Python backdoor that uses tunneling?

Beginners often miss signs like slowed performance or unexpected logouts because the Python backdoor uses tunneling services to hide its traffic as normal browsing. It injects code into browser processes to harvest saved passwords and cookies without visible alerts. Regularly updating Python and browsers prevents exploitation of unpatched vulnerabilities.

What are the best tools to prevent Python backdoor tunneling attacks?

Use endpoint detection tools like CrowdStrike or Microsoft Defender for real-time monitoring of Python processes and tunneling traffic. Implement network segmentation and zero-trust access to block unauthorized credential theft from browsers and cloud services. Enable browser sandboxing and credential managers like 1Password for added protection without high costs.

How does the Python backdoor's tunneling compare to traditional credential stealers?

Unlike traditional credential stealers that rely on direct C2 servers and get blocked by firewalls, the Python backdoor's use of a tunneling service disguises its traffic through proxies for better evasion. It offers advanced persistence via Python's cross-platform nature versus binary malware's OS limitations. For advanced users, its modular design allows easier customization than older stealers like RedLine.

Mujtaba Shams

NetworkUstad Contributor
