Ethical Hacking News

The Dark Evolution of DeepLoad: A Malware Campaign Leveraging ClickFix and WMI Persistence to Steal Browser Credentials



DeepLoad is a malware campaign that leverages ClickFix social engineering tactics and Windows Management Instrumentation (WMI) persistence to steal browser credentials. The malware has been found to employ AI-driven obfuscation, APC injection, and WMI persistence to evade detection and spread quickly across infected machines. This latest threat highlights the need for security professionals to stay vigilant and adapt their detection tools and techniques to keep pace with emerging threats.

  • DeepLoad malware campaign exploits vulnerabilities in Windows operating systems to deliver a previously undocumented malware loader that can bypass traditional security controls.
  • The malware leverages the ClickFix social engineering tactic and Windows Management Instrumentation (WMI) persistence to compromise browser credentials.
  • The threat actors use AI-driven obfuscation to develop an obfuscated PowerShell loader, making it challenging for traditional detection methods to identify and flag the malware as malicious.
  • DeepLoad employs APC injection to run the main payload inside a trusted Windows process without writing the decoded payload to disk: it launches the target process in a suspended state, writes shellcode into its memory, and then resumes it.
  • The malware drops a malicious browser extension that intercepts credentials as they are being entered on login pages and persists across user sessions unless it's explicitly removed.
  • DeepLoad automatically detects when removable media devices like USB drives are connected and copies malware-laced files onto them using names like "ChromeSetup.lnk" to trigger the infection once a file is double-clicked.
  • The malware uses WMI persistence, which allows it to reinfect a 'clean' host three days later with no user action and no attacker interaction.



    The threat landscape continues to evolve, with new malware campaigns emerging that utilize sophisticated tactics to evade detection and steal sensitive information from unsuspecting victims. In this latest development, the malicious software known as DeepLoad has been identified as a particularly insidious threat that leverages the ClickFix social engineering tactic and Windows Management Instrumentation (WMI) persistence to compromise browser credentials.

    According to recent findings by ReliaQuest researchers, Thassanai McCabe and Andrew Currie, the DeepLoad malware campaign is designed to exploit vulnerabilities in Windows operating systems to deliver a previously undocumented malware loader that can bypass traditional security controls. The malware's primary goal is to extract sensitive information from infected users' browsers, including passwords and session data.

    The attack chain begins with a ClickFix lure that tricks users into running PowerShell commands by pasting them into the Windows Run dialog under the pretext of addressing a non-existent issue. The pasted command uses mshta.exe, a legitimate Windows utility, to download and run an obfuscated PowerShell loader. The loader, for its part, conceals its actual functionality among meaningless variable assignments, likely in an attempt to deceive security tools.

    The DeepLoad malware has been found to employ artificial intelligence (AI) tools to develop the obfuscation layer, making it challenging for traditional detection methods to identify and flag the malware as malicious. The threat actors have also utilized a technique called APC injection to run the main payload inside a trusted Windows process without writing the decoded payload to disk: the loader launches the target process in a suspended state, writes shellcode into its memory, and then resumes execution of the process.

    Furthermore, DeepLoad has been observed to drop a malicious browser extension that intercepts credentials as they are being entered on login pages and persists across user sessions unless it's explicitly removed. Additionally, the malware is designed to automatically detect when removable media devices like USB drives are connected and copy malware-laced files onto them using names like "ChromeSetup.lnk," "Firefox Installer.lnk," and "AnyDesk.lnk" so as to trigger the infection once a file is double-clicked.

    Another notable defense evasion tactic adopted by DeepLoad is the use of WMI persistence, which allows the malware to reinfect a 'clean' host three days later with no user action and no attacker interaction. This technique breaks the parent-child process chains most detection rules are built to catch, and creates a WMI event subscription that quietly re-executes the attack later.
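    As an added example (not code from the article or from the ReliaQuest report), the following PowerShell hunt enumerates the kind of WMI persistence described above: it walks every filter-to-consumer binding in the root\subscription namespace and flags consumers that launch a command line or run script text. The keyword pattern used to mark a consumer as suspicious is an assumption for illustration; run it in an elevated session.

```powershell
# Added example, not from the article or ReliaQuest: list WMI event
# subscriptions and flag command/script consumers (the persistence shape
# described for DeepLoad). Run elevated; subscriptions live in root\subscription.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# A binding's Filter/Consumer are object references; pull out the Name whether
# they arrive as CimInstance objects or as path strings like '__EventFilter.Name="x"'.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $ref }
    }
    return $ref.Name
}

# Assumed indicator list: script hosts, encoded/hidden PowerShell, in-memory download.
$suspect = 'powershell|pwsh|mshta|wscript|cscript|cmd\.exe|-enc|-w hidden|FromBase64|DownloadString|iex|invoke-expression'

$findings = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
    $cClass = if ($c) { $c.CimClass.CimClassName } else { 'unresolved' }
    # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer
    # carries ScriptText. Whichever property the class lacks evaluates to $null.
    $action = "$($c.CommandLineTemplate)$($c.ScriptText)"
    [pscustomobject]@{
        Filter        = $fName
        Query         = $f.Query          # the WQL trigger, e.g. a timer or process event
        ConsumerClass = $cClass
        Action        = $action
        Suspicious    = ($cClass -in 'CommandLineEventConsumer','ActiveScriptEventConsumer') -and
                        ($action -imatch $suspect)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List
```

    Because a legitimate enterprise tool can also register a CommandLineEventConsumer, treat the Suspicious flag as a triage cue and review the Query and Action fields by hand; for continuous coverage, the same three classes can be watched through Sysmon's WMI event IDs 19, 20 and 21.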

    The goal of the DeepLoad malware campaign appears to be deploying multi-purpose malware that can perform malicious actions across the cyber kill chain and sidestep detection by security controls by avoiding writing artifacts to disk, blending into Windows processes, and spreading quickly to other machines. The threat actors' use of AI-driven obfuscation and WMI persistence makes it challenging for traditional security tools to detect and flag this malware as malicious.

    In addition to the DeepLoad campaign, another malware loader dubbed Kiss Loader has been identified in the wild. Kiss Loader is distributed through Windows Internet Shortcut (.url) files attached to phishing emails; the shortcut connects to a remote WebDAV resource hosted on a TryCloudflare domain to serve a secondary shortcut that masquerades as a PDF document.

    Once executed, the shortcut launches a WSH script responsible for running a JavaScript component, which proceeds to retrieve and execute a batch script that displays a decoy PDF, sets up persistence in the Startup folder, and downloads the Python-based Kiss Loader. In the final stage, the loader decrypts and runs Venom RAT, an AsyncRAT variant, using APC injection.

    The impact of this latest malware campaign cannot be overstated. The use of sophisticated tactics such as AI-driven obfuscation and WMI persistence makes it challenging for traditional security controls to detect and flag this malware as malicious. As a result, users are advised to exercise extreme caution when interacting with unsolicited emails, downloading software from unknown sources, and running PowerShell commands without proper understanding.

    In conclusion, the DeepLoad malware campaign highlights the evolving threat landscape in the cyber world, where threats become increasingly sophisticated and challenging to detect. It is crucial for security professionals to stay vigilant and adapt their detection tools and techniques to keep pace with emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dark-Evolution-of-DeepLoad-A-Malware-Campaign-Leveraging-ClickFix-and-WMI-Persistence-to-Steal-Browser-Credentials-ehn.shtml

  • https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html

  • https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion

  • https://www.proofpoint.com/us/blog/threat-insight/security-brief-venomrat-defanged

  • https://dti.domaintools.com/research/venomrat


  • Published: Mon Mar 30 13:15:46 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.