DeepLoad Malware Leverages ClickFix, AI to Breach Enterprise Networks
Key Takeaways
- A sophisticated new malware, DeepLoad, is actively compromising enterprise networks, leveraging social engineering and advanced evasion techniques.
- DeepLoad uses a “ClickFix” social engineering tactic, tricking users into executing a PowerShell command that establishes persistent access and credential theft.
- The malware employs AI-generated obfuscation and injects into legitimate Windows processes like LockAppHost.exe to avoid detection.
- It rapidly spreads via USB drives and deploys a credential stealer, filemanager.exe, alongside a malicious browser extension to exfiltrate sensitive data.
- Standard remediation is insufficient due to hidden WMI event subscriptions that can re-infect systems days after initial cleanup efforts.
A newly identified malware strain, dubbed DeepLoad, is currently targeting corporate environments, transforming a seemingly innocuous user action into a persistent conduit for credential theft. This advanced threat is specifically designed to withstand system reboots and circumvent conventional cleanup procedures, according to recent research.
What distinguishes this campaign is the meticulous construction of each attack stage, engineered to bypass the security controls that many organizations already have in place. Further details of this sophisticated attack chain can be found in a comprehensive research paper.
The ClickFix Deception
DeepLoad initiates its attack through a social engineering tactic known as “ClickFix.” Attackers present employees with a fabricated browser error message, then instruct them to paste a specific PowerShell command into their Windows Run dialog as a “fix.” This seemingly benign action is the critical first step in the compromise.
The single PowerShell command executed by the user establishes a scheduled task, ensuring the loader re-executes with every system reboot. It then leverages mshta.exe, a legitimate Windows utility, to retrieve an obfuscated payload from attacker-controlled infrastructure. The speed of this operation is alarming; the staging domains were observed serving malicious content within just 22 minutes of activation, leaving minimal time for incident response teams to react.
ReliaQuest analysts and researchers uncovered this campaign during investigations into active enterprise compromises. Their findings underscore that the entire attack chain was designed for rapid execution, outpacing manual defensive measures from its inception.
Rapid Proliferation and Credential Theft
DeepLoad prioritizes credential theft, which commences even before the primary infection chain is fully established. The malware demonstrated aggressive lateral movement, spreading to connected USB drives within ten minutes of initial infection. This rapid self-propagation means that the initial compromised host is rarely the only affected system.
The immediate business risk is substantial. DeepLoad deploys a credential stealer named filemanager.exe, deliberately chosen to blend in with legitimate processes. This component operates on its own command-and-control channel, allowing it to exfiltrate data even if the main loader is somehow neutralized.
Further exacerbating the threat, a malicious browser extension captures passwords and session tokens in real time as users type them, persisting across browser sessions until it is manually removed. The malware also writes over 40 disguised installer files to connected USB drives. These include fake shortcuts for popular applications such as Chrome, Firefox, and AnyDesk, each designed to trigger a full system infection when executed on a new machine.
Evasion and Persistence Mechanisms
DeepLoad’s design incorporates multiple layers of evasion, making it challenging for traditional security tools to detect. Its PowerShell loader is heavily padded with thousands of irrelevant variable assignments, creating a verbose script that appears busy without performing any functional work. The actual malicious logic, a concise XOR decryption routine, is located at the script’s end and decrypts shellcode directly into memory, preventing any decoded payload from touching the disk.
ReliaQuest researchers concluded with high confidence that this obfuscation layer was generated by artificial intelligence. This suggests that new variants can be rapidly created and deployed, giving defenders very little time to update their detection capabilities.
Once active, the loader utilizes PowerShell’s Add-Type feature to compile a fresh C# injector on the fly. This generates a randomly named DLL, effectively bypassing signature-based detection mechanisms. The malware then selects a trusted Windows process for injection; in observed cases, it targeted LockAppHost.exe, the Windows lock screen process. Since LockAppHost.exe typically does not initiate outbound network connections, many security tools are not configured to monitor its activity. Through asynchronous procedure call (APC) injection, the loader places shellcode into the target process’s memory and triggers its execution upon resume, again ensuring no decoded payload is written to disk.
Standard cleanup procedures are insufficient to fully eradicate DeepLoad. A hidden WMI event subscription, established during the initial compromise, operates outside typical remediation workflows. This stealthy mechanism allows the host to reinfect itself without any further user interaction. In one documented instance, this subscription activated three days after the compromised host was believed to be clean, silently dropping filemanager.exe back into the user’s Downloads folder.
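The two loader traits described above, a script padded with assignments that are never read and a short in-memory decode stage, can be turned into a triage heuristic. The following is an added example, not code from the ReliaQuest research; the indicator term list and the thresholds are assumptions, and the sample script it scores is constructed here:

```powershell
# Added detection heuristic (assumed thresholds). Scores a PowerShell script block on two traits:
# assignments to variables that are never read again, and in-memory decode/compile terms.
function Get-PaddedLoaderScore {
    param([Parameter(Mandatory)][string]$ScriptText)
    $assigned = @([regex]::Matches($ScriptText, '\$([A-Za-z_]\w*)\s*=') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    $neverRead = 0
    foreach ($name in $assigned) {
        # A variable that occurs exactly once in the whole script was assigned but never used
        if ([regex]::Matches($ScriptText, "\`$$name\b").Count -le 1) { $neverRead++ }
    }
    # Terms taken from the loader description; 'DllImport' is an assumed P/Invoke marker for Add-Type injectors
    $terms = @('-bxor', 'Add-Type', 'mshta', 'DllImport')
    $hits  = @($terms | Where-Object { $ScriptText -match [regex]::Escape($_) })
    $ratio = if ($assigned.Count) { [math]::Round($neverRead / $assigned.Count, 2) } else { 0 }
    [pscustomobject]@{
        AssignedVariables = $assigned.Count
        NeverReadRatio    = $ratio
        Indicators        = $hits
        Suspicious        = ($assigned.Count -ge 100 -and $ratio -ge 0.9) -or ($hits.Count -ge 2)
    }
}

# Constructed sample: 200 dead assignments followed by a single XOR decode line, the shape the article describes
$sample = ((1..200 | ForEach-Object { "`$pad$_ = $_" }) + '$out = $buf | ForEach-Object { $_ -bxor $key }') -join "`n"
Get-PaddedLoaderScore -ScriptText $sample

# Apply the same score to logged script blocks once Script Block Logging (Event ID 4104) is enabled
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue | ForEach-Object {
        $score = Get-PaddedLoaderScore -ScriptText $_.Properties[2].Value   # ScriptBlockText is property index 2
        if ($score.Suspicious) {
            [pscustomobject]@{ Time = $_.TimeCreated; ScriptBlockId = $_.Properties[3].Value; Score = $score }
        }
    }
```

The ratio test alone will also flag some legitimately generated scripts, so treat a hit as a triage lead to be read in the decoded 4104 text rather than as a verdict.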
What You Should Do
- Enable PowerShell Script Block Logging: This crucial step captures decoded runtime commands, effectively cutting through DeepLoad’s obfuscation.
- Audit and Clear WMI Event Subscriptions: Thoroughly audit and explicitly clear all WMI event subscriptions on affected hosts before returning them to production. Any surviving subscription can re-execute the attack days later.
- Rotate Credentials: Immediately rotate all credentials (saved passwords, session tokens, active accounts) that were accessible from a confirmed infected host.
- Audit USB Drives: All USB drives connected to compromised endpoints must be audited and, if necessary, wiped before reuse.
- Remove Unapproved Browser Extensions: Remove any browser extensions not part of approved IT deployment paths from affected systems.
- Shift to Behavioral Monitoring: Transition endpoint monitoring strategies from file-based scanning to behavioral, runtime detection using EDR telemetry and memory scanning capabilities.
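The first two steps above, enabling Script Block Logging and auditing WMI event subscriptions, can be scripted. This is an added helper, not code from ReliaQuest or HackersRadar; it assumes the standard root/subscription namespace and must run in an elevated PowerShell session:

```powershell
# Added remediation helper, not code from the original report. Run elevated.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Decoded script blocks are then written as Event ID 4104 to Microsoft-Windows-PowerShell/Operational
}

$Namespace = 'root/subscription'   # where permanent WMI event subscriptions live

function Get-WmiPersistence {
    # One row per filter-to-consumer binding: the WQL trigger and the command or script it runs
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
        # Binding.Filter / Binding.Consumer are CIM references carrying the Name key of each object
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [pscustomobject]@{
            Filter       = $b.Filter.Name
            Consumer     = $b.Consumer.Name
            ConsumerType = $c.CimClass.CimClassName   # e.g. CommandLineEventConsumer, ActiveScriptEventConsumer
            Trigger      = $f.Query                   # WQL event query (timer, logon, process start ...)
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

function Remove-WmiPersistence {
    # Deletes the binding(s), consumer(s) and filter for one filter name; -WhatIf previews the deletion
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$FilterName)
    if (-not $PSCmdlet.ShouldProcess($FilterName, 'Remove WMI event subscription')) { return }
    $bindings = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName }
    foreach ($b in $bindings) {
        Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
            Where-Object { $_.Name -eq $b.Consumer.Name } | Remove-CimInstance
        $b | Remove-CimInstance
    }
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        Where-Object { $_.Name -eq $FilterName } | Remove-CimInstance
}

Enable-ScriptBlockLogging
# Review every subscription before removing; some Windows builds ship legitimate ones (e.g. SCM event filters)
Get-WmiPersistence | Format-List
# Preview, then remove:  Remove-WmiPersistence -FilterName '<filter name from the listing>' -WhatIf
```

Re-run Get-WmiPersistence after the host is rebuilt or cleaned and again before it returns to production, since the report notes a surviving subscription fired three days after the host was believed clean.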
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.