Novel DeepLoad Malware Campaign: ClickFix and Possible AI-Backed Evasion

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • ClickFix delivery method: The DeepLoad malware infiltrates networks by tricking users into executing malicious commands, granting attackers immediate system access.
  • AI-generated evasion: The payload bypasses traditional static security controls by utilizing sophisticated PowerShell obfuscation and executing in memory.
  • Credential theft threat: This active campaign elevates enterprise cybersecurity risks by intercepting live user sessions and scraping stored passwords.

The DeepLoad malware campaign utilizes the ClickFix delivery method to deceive users into executing malicious scripts, quickly establishing persistent network access before manual triage can occur. The malware persisted via Windows Management Instrumentation (WMI) event subscriptions, which allowed reinfection three days after the host appeared clean.

Security researchers at ReliaQuest have identified this sophisticated new threat in enterprise environments, and in the observed campaign, DeepLoad also spread via USB drives.

Potentially AI-Generated Evasion

Once the ClickFix delivery method initiates the attack sequence, the payload likely relies on advanced AI-generated evasion to bypass static scanning, the security researchers asserted, citing the vast amount of padding in the loader as the basis for that assessment. After initial access via ClickFix, DeepLoad hides its payload inside LockAppHost.exe, the legitimate Windows lock screen process, via asynchronous procedure call (APC) injection.

The ClickFix command created a scheduled task to re-execute the loader. “From there, mshta.exe, a legitimate Windows utility often abused for remote script execution, reached the attacker's staging infrastructure and pulled down an obfuscated PowerShell loader,” the report added.

The PowerShell loader conceals its functional code beneath thousands of benign variable assignments that resemble routine scripting. A short exclusive OR (XOR) routine decrypted an in-memory shellcode container using a hardcoded key.
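As an added illustration of a defensive check for the loader structure described above (this is not code from the article or from ReliaQuest), the following constructed Python heuristic flags a PowerShell script in which most variables are assigned but never read again, wrapped around an XOR decode that uses a literal key; the in-memory execution indicator list, the thresholds and both sample scripts are assumptions made for the example.

```python
"""Static triage of padded PowerShell loaders: flags scripts whose bulk is
dead variable assignments surrounding an XOR decode with a literal key."""
import re
from dataclasses import dataclass
from typing import Optional

ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=(?!=)', re.MULTILINE)
LITERAL_ASSIGN_RE = re.compile(
    r'^\s*\$(\w+)\s*=\s*(0x[0-9A-Fa-f]+|\d+|"[^"]*"|\'[^\']*\')\s*$', re.MULTILINE)
XOR_OPERAND_RE = re.compile(r'-bxor\s*\$(\w+)', re.IGNORECASE)
VAR_REF_RE = re.compile(r'\$(\w+)')
# Assumed indicator list of in-memory execution markers, not taken from the report.
IN_MEMORY_RE = re.compile(
    r'Invoke-Expression|\bIEX\b|VirtualAlloc|\[System\.Reflection\.Assembly\]::Load',
    re.IGNORECASE)

@dataclass
class Triage:
    assigned: int               # distinct variables assigned in the script
    dead: int                   # assigned but never read again (padding candidates)
    dead_ratio: float
    xor_key_var: Optional[str]  # -bxor operand that was set to a literal value
    in_memory_exec: bool
    suspicious: bool

def triage_powershell(script: str, min_dead: int = 50, ratio: float = 0.8) -> Triage:
    assigns: dict = {}
    for m in ASSIGN_RE.finditer(script):
        assigns[m.group(1)] = assigns.get(m.group(1), 0) + 1
    refs: dict = {}
    for m in VAR_REF_RE.finditer(script):
        refs[m.group(1)] = refs.get(m.group(1), 0) + 1
    # A variable whose only references are its own assignments is never read.
    dead = sum(1 for name, n in assigns.items() if refs.get(name, 0) == n)
    dead_ratio = dead / len(assigns) if assigns else 0.0
    literals = {m.group(1) for m in LITERAL_ASSIGN_RE.finditer(script)}
    xor_key = next((m.group(1) for m in XOR_OPERAND_RE.finditer(script)
                    if m.group(1) in literals), None)
    in_mem = IN_MEMORY_RE.search(script) is not None
    suspicious = dead >= min_dead and dead_ratio >= ratio and (xor_key is not None or in_mem)
    return Triage(len(assigns), dead, round(dead_ratio, 3), xor_key, in_mem, suspicious)

# Constructed samples: 200 filler assignments around a tiny XOR decode, and a plain admin script.
SAMPLE_PADDED_LOADER = "\n".join(
    [f"$cfgValue{i} = {i * 7}" for i in range(200)]
    + ["$k = 0x5A",
       "$blob = [Convert]::FromBase64String('QUJDRA==')",
       "for ($i = 0; $i -lt $blob.Length; $i++) { $blob[$i] = $blob[$i] -bxor $k }",
       "[System.Reflection.Assembly]::Load($blob) | Out-Null"])
SAMPLE_ADMIN_SCRIPT = "\n".join(
    ["$logDir = 'C:\\Logs'",
     "$files = Get-ChildItem -Path $logDir -Filter '*.log'",
     "foreach ($f in $files) { Write-Output $f.FullName }"])
```

The dead-variable ratio is the load-bearing signal: a loader that is mostly unused assignments scores very differently from an admin script in which every variable is read back.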

Escalating Enterprise Cybersecurity Risks

The DeepLoad malware introduces severe enterprise cybersecurity risks through rapid and persistent credential theft. Even if security administrators successfully block the primary loader, a standalone stealth component, filemanager.exe, continues to scrape stored system passwords. Simultaneously, a dropped malicious browser extension intercepts live user sessions and captures keystrokes in real time.

Furthermore, this malware campaign achieves long-term network persistence through hidden Windows Management Instrumentation (WMI) event subscriptions. To effectively mitigate these advanced enterprise cybersecurity risks, organizations must:

While the ErrTraffic ClickFix tool industrialized social engineering malware via fake website glitches in early 2026, a free ‘ClickFix Hunter’ tool was soon made available to track the growing social engineering epidemic.
