DeepLoad Malware Breaches Enterprise Networks via ClickFix & AI

By Sarah Simpson
March 31, 2026

A newly identified malware, named DeepLoad, is actively targeting enterprise environments, transforming a single user action into persistent, credential-stealing access. This advanced threat is engineered to survive system reboots and bypass typical cleanup efforts, as detailed in recent research.

What sets this campaign apart is how every stage of the attack was deliberately built to defeat the security controls that most organizations already depend on.

DeepLoad arrives through ClickFix, where attackers display a fake browser error page and instruct employees to paste a PowerShell command into their Windows Run dialog to “fix” it.

That one command creates a scheduled task that re-executes the loader on every reboot and uses mshta.exe, a legitimate Windows utility, to fetch an obfuscated payload from attacker-controlled infrastructure.

The staging domains were already serving malicious content within 22 minutes of going live, giving response teams very little time to act.

ReliaQuest analysts and researchers identified this campaign while investigating active enterprise compromises. Their findings showed the full attack chain was built to outpace manual response from the very start.

Credential theft begins before the main chain finishes, and the malware spread to USB drives within ten minutes of infection, making the first host unlikely to be the only impacted system.

The immediate business risk is real. DeepLoad drops a credential stealer called filemanager.exe — named to blend into any process list — that runs on its own command-and-control channel and steals data even if the primary loader is blocked.

A malicious browser extension captures passwords and session tokens as users type them, persisting across sessions until removed. The malware also wrote over 40 disguised installer files to connected USB drives, including fake shortcuts for Chrome, Firefox, and AnyDesk, each ready to trigger a full infection on any machine they touch.

Standard cleanup alone is not enough. A hidden WMI event subscription planted during the initial compromise sits outside standard remediation workflows, leaving the host ready to reinfect itself with no user action required.

In one confirmed case, that subscription fired three days after the host appeared clean and silently dropped filemanager.exe back into the user’s Downloads folder.

AI-Powered Evasion and Process Injection

DeepLoad avoids detection at every layer, making it hard to catch with traditional security tools. Its PowerShell loader is padded with thousands of meaningless variable assignments that make the script appear busy without performing any real work.

The actual logic — a short XOR decryption routine — sits at the bottom and decrypts shellcode in memory, so no decoded payload touches disk.

ReliaQuest researchers assessed with high confidence that AI generated this obfuscation layer, meaning new variants can be rebuilt and redeployed quickly before defenders have time to adjust detection coverage.

Once running, the loader uses PowerShell’s Add-Type feature to compile a fresh C# injector on the fly, producing a randomly named DLL that signature-based tools cannot match.

The malware then selects a trusted Windows process to inject into — on investigated hosts, it chose LockAppHost.exe, the Windows lock screen process.

Since LockAppHost.exe does not typically initiate outbound connections, most security tools are not configured to monitor it.

Through asynchronous procedure call (APC) injection, the loader places shellcode into that process’s memory and triggers execution on resume, leaving no decoded payload on disk.

Security teams should enable PowerShell Script Block Logging, since it captures decoded runtime commands and cuts through obfuscation.

All WMI event subscriptions on affected hosts must be explicitly audited and cleared before any machine returns to production, as a surviving subscription can re-execute the attack days after cleanup.

Every credential reachable from a confirmed infected host — saved passwords, session tokens, and active accounts — must be rotated immediately.

All USB drives connected to affected endpoints should be audited before reuse. Browser extensions outside approved IT deployment paths must be removed from affected systems.

Endpoint monitoring should shift from file-based scanning to behavioral, runtime detection using EDR telemetry and memory scanning.
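The following PowerShell triage helpers are an added example, not code from the ReliaQuest report or from HackersRadar. They cover three of the recommendations above: listing permanent WMI event subscriptions so each can be reviewed and cleared, flagging scheduled-task actions that launch mshta.exe (the ClickFix persistence described earlier), and turning on Script Block Logging via its policy registry key. Function names are my own; everything except Enable-ScriptBlockLogging is read-only and should be run in an elevated session on the host under investigation.

```powershell
function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root\subscription and survive reboots.
    # A standard enterprise image usually has none, so every row here deserves a look.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Binding references embed the Name of the filter/consumer; match on that string.
        $f = $filters   | Where-Object { "$($b.Filter)"   -like "*$($_.Name)*" }
        $c = $consumers | Where-Object { "$($b.Consumer)" -like "*$($_.Name)*" }
        [pscustomobject]@{
            Filter       = $f.Name
            Trigger      = $f.Query                    # WQL event query (timer, process start, ...)
            Consumer     = $c.Name
            ConsumerType = $c.CimClass.CimClassName    # e.g. CommandLineEventConsumer
            Payload      = "$($c.CommandLineTemplate)$($c.ScriptText)"  # what actually runs
        }
    }
}

function Get-MshtaTaskActions {
    # The loader persisted via a scheduled task that invokes mshta.exe to pull the
    # remote payload; report every task action that references mshta.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match '(?i)\bmshta(\.exe)?\b') {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
            }
        }
    }
}

function Enable-ScriptBlockLogging {
    # Policy key behind event ID 4104 (Microsoft-Windows-PowerShell/Operational), which
    # records script blocks after de-obfuscation, defeating the padding described above.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Review the output before removing anything: legitimate software also uses these mechanisms.
Get-WmiPersistence   | Format-Table -AutoSize
Get-MshtaTaskActions | Format-Table -AutoSize
```

Once a subscription is confirmed malicious, the same three class instances (binding, consumer, filter) can be removed with Remove-CimInstance, binding first.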
