DeepLoad Malware Campaign Targets Enterprises with Persistent Credential Theft
A newly uncovered malware campaign, dubbed DeepLoad, is compromising enterprise environments by exploiting a single user action to establish persistent, credential-stealing access that evades standard security measures. The attack chain, identified by ReliaQuest analysts during active enterprise compromises, is designed to outmaneuver traditional defenses from the outset.
The infection begins with ClickFix, a tactic where attackers display a fake browser error page, tricking employees into pasting a PowerShell command into the Windows Run dialog under the guise of a "fix." This command creates a scheduled task that re-executes the loader on every reboot, leveraging the legitimate mshta.exe utility to fetch an obfuscated payload from attacker-controlled infrastructure. Staging domains were observed serving malicious content within just 22 minutes of going live, leaving defenders minimal time to respond.
Once active, DeepLoad rapidly escalates its impact. Credential theft begins almost immediately, and the malware spreads to USB drives within ten minutes of infection. The primary payload, filemanager.exe, disguised as a benign process, operates on its own command-and-control channel, continuing data exfiltration even if the initial loader is blocked. A malicious browser extension further captures passwords and session tokens in real time, persisting across user sessions until it is manually removed.
The malware also propagates via USB drives, writing over 40 disguised installer files, including fake shortcuts for Chrome, Firefox, and AnyDesk, that trigger full infections on any connected machine. Standard remediation proves ineffective because of a hidden WMI event subscription planted during the initial compromise. In one confirmed case, this subscription reactivated the malware three days after cleanup, silently redeploying filemanager.exe without user interaction.
DeepLoad employs advanced evasion techniques to bypass detection. Its PowerShell loader is padded with thousands of meaningless variable assignments, obscuring a short XOR decryption routine that executes shellcode in memory, avoiding disk-based detection. ReliaQuest researchers assess with high confidence that AI generated this obfuscation layer, enabling rapid redeployment of new variants before defenders can adapt.
The malware further evades signature-based tools by compiling a fresh C# injector on the fly, producing a randomly named DLL. It then injects into LockAppHost.exe, the Windows lock screen process, which typically does not initiate outbound connections, making it an unlikely target for monitoring. Using asynchronous procedure call (APC) injection, the malware executes shellcode in memory without leaving traces on disk.
To mitigate risks, security teams are advised to enable PowerShell Script Block Logging to capture decoded runtime commands. WMI event subscriptions on affected hosts must be audited and cleared before systems return to production. All credentials accessible from infected hosts, including saved passwords and session tokens, require immediate rotation, and USB drives connected to compromised endpoints should be thoroughly audited. Behavioral and runtime detection, rather than file-based scanning, is recommended for identifying similar threats.
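The following PowerShell script is an added example, written for this page and not taken from the article or from ReliaQuest, showing how a responder would carry out the host-level checks recommended above: enumerating and removing permanent WMI event subscriptions, verifying and enabling Script Block Logging, searching the resulting 4104 events, and listing scheduled tasks that launch script hosts. The function names, the keyword lists and the output layout are the editor's own assumptions; the WMI classes, the registry key and the event ID are standard Windows locations.

```powershell
# Added example (editor's own, not the article's or ReliaQuest's code). Function
# names, keyword lists and output shape are assumptions made here. Run in an
# elevated Windows PowerShell 5.1 session on the host being triaged.

# --- 1. Permanent WMI event subscriptions -----------------------------------
# This persistence lives in root\subscription as three linked objects: an
# __EventFilter (trigger query), an __EventConsumer (what runs) and a
# __FilterToConsumerBinding tying them together.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        # Filter/Consumer are object references; cast to string so the names are searchable.
        $filterRef   = [string]$b.Filter
        $consumerRef = [string]$b.Consumer
        $f = $filters   | Where-Object { $filterRef   -like "*$($_.Name)*" } | Select-Object -First 1
        $c = $consumers | Where-Object { $consumerRef -like "*$($_.Name)*" } | Select-Object -First 1
        [PSCustomObject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            ConsumerName = $c.Name
            # CommandLineEventConsumer and ActiveScriptEventConsumer carry the payload.
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

# Remove a subscription: binding first, then filter and consumer, so no
# dangling binding survives. Supports -WhatIf / -Confirm.
function Remove-WmiPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$FilterName, [string]$ConsumerName)
    $ns = 'root\subscription'
    if ($PSCmdlet.ShouldProcess("WMI subscription '$FilterName'", 'Remove')) {
        Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
            Where-Object { ([string]$_.Filter) -like "*$FilterName*" } | Remove-CimInstance
        Get-CimInstance -Namespace $ns -ClassName __EventFilter |
            Where-Object { $_.Name -eq $FilterName } | Remove-CimInstance
        if ($ConsumerName) {
            Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                Where-Object { $_.Name -eq $ConsumerName } | Remove-CimInstance
        }
    }
}

# --- 2. Script Block Logging (event ID 4104) --------------------------------
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    $v = Get-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

# Local enable. On a domain-joined host set the equivalent Group Policy instead;
# policy refresh overwrites this key.
function Enable-ScriptBlockLogging {
    if (-not (Test-Path $SblKey)) { New-Item -Path $SblKey -Force | Out-Null }
    New-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
}

# Recent 4104 events whose decoded script text mentions a keyword. The default
# list is an editor's starting point for hunting, not a signature from the report.
function Get-SuspiciousScriptBlocks {
    param([string[]]$Keywords = @('mshta', 'FromBase64String', '-bxor', 'Register-ScheduledTask', 'schtasks'))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $text = $_.Message; $Keywords | Where-Object { $text -match [regex]::Escape($_) } } |
        Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

# --- 3. Scheduled tasks that launch a script host ---------------------------
function Get-ScriptHostScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'mshta|powershell|wscript|cscript') {
                [PSCustomObject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Command = $cmd }
            }
        }
    }
}

# --- Triage run --------------------------------------------------------------
Write-Host "Script Block Logging enabled: $(Test-ScriptBlockLogging)"
Get-WmiPersistence           | Format-Table -AutoSize
Get-ScriptHostScheduledTasks | Format-Table -AutoSize
Get-SuspiciousScriptBlocks   | Format-Table -AutoSize
```

Compare the WMI output against a known-clean build of the same image before removing anything: Windows ships a benign NTEventLogEventConsumer subscription (the SCM event log filter and consumer), and some management agents register their own. Script Block Logging only records scripts run after it is enabled, so turn it on before re-imaging or re-provisioning rather than after; the 4104 events are what let a responder read the de-obfuscated loader instead of the padded file on disk.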
Source: https://cybersecuritynews.com/new-deepload-malware-uses-clickfix/
ReliaQuest cybersecurity rating report: https://www.rankiteo.com/company/reliaquest
"id": "REL1774952953",
"linkid": "reliaquest",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Enterprise'}],
 'attack_vector': 'Social Engineering (Fake Browser Error Page), PowerShell Execution, Scheduled Tasks, USB Propagation',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials', 'Session Tokens', 'Personally Identifiable Information (PII)']},
 'description': 'A newly uncovered malware campaign, dubbed *DeepLoad*, is compromising enterprise environments by exploiting a single user action to establish persistent, credential-stealing access that evades standard security measures. The attack chain begins with a fake browser error page (*ClickFix*) tricking employees into executing a PowerShell command, leading to scheduled task creation, credential theft, USB propagation, and advanced evasion techniques.',
 'impact': {'data_compromised': 'Credentials, Session Tokens, Personally Identifiable Information (PII)',
            'identity_theft_risk': 'High',
            'operational_impact': 'Persistent malware reinfection, credential theft, potential lateral movement',
            'systems_affected': 'Enterprise environments, Windows systems, USB-connected machines'},
 'initial_access_broker': {'backdoors_established': 'Scheduled tasks, WMI event subscriptions, malicious browser extensions',
                           'entry_point': 'Fake browser error page (*ClickFix*)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Standard remediation may fail due to hidden persistence mechanisms (e.g., WMI event subscriptions). Behavioral and runtime detection is critical for identifying advanced threats. Credential rotation and USB audits are essential post-compromise.',
 'motivation': 'Credential Theft, Data Exfiltration, Persistent Access',
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring, credential rotation, USB audits, behavioral detection implementation',
                            'root_causes': 'Social engineering (fake error page), PowerShell execution, lack of behavioral detection, hidden persistence mechanisms (WMI subscriptions)'},
 'recommendations': ['Enable PowerShell Script Block Logging to capture decoded runtime commands.',
                     'Audit and clear WMI event subscriptions on affected hosts before returning systems to production.',
                     'Rotate all credentials accessible from infected hosts, including saved passwords and session tokens.',
                     'Thoroughly audit USB drives connected to compromised endpoints.',
                     'Implement behavioral and runtime detection rather than relying solely on file-based scanning.'],
 'references': [{'source': 'ReliaQuest'}],
 'response': {'containment_measures': 'Audit and clear WMI event subscriptions, rotate credentials, audit USB drives',
              'enhanced_monitoring': 'Behavioral and runtime detection recommended',
              'recovery_measures': 'Manual removal of malicious browser extensions, thorough cleanup of infected systems',
              'remediation_measures': 'Enable PowerShell Script Block Logging, behavioral and runtime detection',
              'third_party_assistance': 'ReliaQuest analysts'},
 'title': 'DeepLoad Malware Campaign Targets Enterprises with Persistent Credential Theft',
 'type': 'Malware Campaign'}