DeepLoad malware steals credentials via ClickFix campaign
ReliaQuest has reported the use of new DeepLoad malware in enterprise environments, delivered through the ClickFix social engineering technique.
Its analysis describes a campaign designed to evade common security controls through fileless execution, process injection and persistence mechanisms that can survive routine clean-up. ReliaQuest assesses with high confidence that artificial intelligence was used to create an obfuscation layer in the PowerShell loader.
According to the report, the attack begins when a user is tricked into pasting and running a malicious command, often after seeing a fake browser prompt or error message. The command retrieves the payload and establishes persistent access by creating a scheduled task that repeatedly re-executes the loader.
From there, the chain uses mshta.exe to contact attacker infrastructure and download an obfuscated PowerShell script. The loader hides its functional code beneath thousands of meaningless variable assignments, and because the decoded payload never lands on disk, file-based scanning is far less effective against it.
Credential risk
The immediate business risk comes from DeepLoad's focus on credential theft. The malware captures credentials as users type them rather than relying only on stored password files, and can continue operating even if the initial loader is detected and blocked.
ReliaQuest also found that a separate credential-stealing component, filemanager.exe, could exfiltrate data independently of the main loader. In parallel, the malware installed a malicious browser extension designed to intercept user activity across browsing sessions until it is explicitly removed.
That separation matters for incident response because blocking the main malware chain does not necessarily stop the theft of passwords, session tokens or other active account data. Defenders should treat all credentials reachable from an infected host during the exposure window as compromised, the report said.
Hiding place
DeepLoad injects its payload into LockAppHost.exe, the Windows process associated with the lock screen. ReliaQuest believes this was likely a deliberate choice because the process does not usually generate outbound network traffic and is not commonly scrutinised by security teams.
To support that injection, the loader compiles a fresh DLL in the user's temporary directory using PowerShell's Add-Type feature. Because the file is created dynamically with a randomised name on each run, signature-led detection rules aimed at known files are less likely to work.
The campaign then uses asynchronous procedure call injection to launch a chosen Windows process in a suspended state, write shellcode into its memory and trigger execution when the process resumes. The result is an active payload running inside a trusted process without a decoded file being written to disk.
USB spread
Investigators also observed the malware spreading through connected USB drives. In the incidents reviewed, more than 40 files were written to a drive in a single operation, many disguised as common installers or Windows setup files in an apparent effort to prompt users on other machines to open them.
This means security teams should assume more than one endpoint may be affected when DeepLoad is found. USB propagation was observed directly, although it remains unclear whether that function was built into the malware itself or added by the threat actor during the campaign.
Persistence gap
One of the more notable findings concerns persistence after remediation. Standard endpoint clean-up removed scheduled tasks, temporary files and other visible artefacts, but missed a Windows Management Instrumentation event subscription that allowed the attack chain to restart three days later.
Because WMI subscriptions are stored in the WMI repository rather than as a normal file on disk, a machine can appear clean while still being set up for reinfection. In the investigated case, the surviving subscription later dropped filemanager.exe back into the user's Downloads folder.
"DeepLoad captures credentials as users type them (not just from stored files) and can continue operating even if the initial loader is detected and blocked," ReliaQuest said.
ReliaQuest recommends enabling PowerShell Script Block Logging, auditing WMI subscriptions on exposed hosts and rotating all credentials used during the infection window. It also recommends monitoring for unexpected mshta.exe outbound connections, new scheduled tasks and unusual activity involving LockAppHost.exe.
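As an added example, not taken from the ReliaQuest report, the following PowerShell audit covers both the persistence gap described above and the recommended checks: it lists permanent WMI event subscriptions and what they execute, flags scheduled-task actions that invoke mshta.exe or PowerShell, shows established connections owned by mshta.exe or LockAppHost.exe, and confirms Script Block Logging is enforced by policy. The suspicious-string list and the output format are this example's own assumptions, built from names the report gives.

```powershell
# Added example: host audit for the artefacts the report names (WMI subscriptions, scheduled
# tasks, mshta.exe / LockAppHost.exe network activity, Script Block Logging). Run elevated.
# The suspicious-string list is constructed from the report; tune it for your environment.
$suspect = 'mshta', 'powershell', '-enc', 'hidden', 'filemanager.exe', 'Downloads', 'Add-Type'
function Test-Suspect([string]$Text) {
    foreach ($s in $suspect) { if ($Text -and $Text -match [regex]::Escape($s)) { return $true } }
    return $false
}

$ns = 'root\subscription'
# 1. Permanent WMI subscriptions survive file clean-up: list every consumer and what it runs.
$consumers = @()
$consumers += @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, @{n='Action'; e={ $_.CommandLineTemplate }})
$consumers += @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, @{n='Action'; e={ $_.ScriptText }})
foreach ($c in $consumers) {
    $flag = if (Test-Suspect $c.Action) { 'SUSPECT' } else { 'review' }
    "[$flag] WMI consumer '$($c.Name)': $($c.Action)"
}
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { "[filter] '$($_.Name)' query: $($_.Query)" }
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { "[binding] filter '$($_.Filter.Name)' -> consumer '$($_.Consumer.Name)'" }

# 2. Scheduled tasks whose action re-launches a loader through mshta.exe or PowerShell.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Suspect $cmd) { "[SUSPECT] task '$($t.TaskPath)$($t.TaskName)': $cmd" }
    }
}

# 3. Established outbound connections owned by processes that should not normally talk out.
$watch = 'mshta', 'LockAppHost'
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $watch -contains $p.ProcessName) {
        "[SUSPECT] $($p.ProcessName) (PID $($p.Id)) -> $($_.RemoteAddress):$($_.RemotePort)"
    }
}

# 4. Script Block Logging records the de-obfuscated script (event ID 4104); confirm policy sets it.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($sbl -eq 1) { '[ok] Script Block Logging enabled by policy' } else { '[gap] Script Block Logging not enforced' }
```

Lines tagged SUSPECT are leads for triage, not verdicts; a clean result from this script does not replace rotating credentials used during the exposure window.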
On how the malware was built, ReliaQuest said the volume and consistency of the obfuscation likely point to AI rather than a human author working unaided. "We assess with high confidence that AI was used to build this obfuscation layer," it said.