DeepLoad malware turns one fake fix into lasting enterprise access
DeepLoad is a newly reported malware threat that targets enterprise users through ClickFix, a social-engineering trick that pushes people to run a malicious command themselves. In the cases ReliaQuest analyzed, one pasted PowerShell command was enough to create persistence, launch a follow-on payload, and open the door to credential theft.
What makes DeepLoad important is not just the initial infection. Researchers say the malware chain combines fileless execution, likely AI-assisted obfuscation, process injection, browser credential theft, and hidden WMI persistence, which means a machine can appear clean and still get reinfected days later.
For security teams, the practical takeaway is clear. Traditional file-based scanning alone will miss key parts of this campaign, so defenders need runtime telemetry, PowerShell visibility, browser extension auditing, and explicit checks for WMI event subscriptions before they return any affected device to production.
How DeepLoad gets in
The infection starts with ClickFix, a tactic Microsoft has also warned about. Attackers use fake browser errors, CAPTCHA pages, or similar prompts to trick a user into opening the Windows Run dialog or a terminal and pasting a command that looks like a fix. Because the user types and runs the command, there is no downloaded file for a browser warning, Mark-of-the-Web check, or attachment filter to stop, so the attacker skips many of the barriers that normally block malware delivery.
In ReliaQuest’s DeepLoad cases, that command created a scheduled task to keep the malware chain alive after reboot. The next stage used mshta.exe, a legitimate Windows component that attackers often abuse for remote script execution, to pull down an obfuscated PowerShell loader from attacker-controlled infrastructure.
Researchers also found that the staging domains began serving malicious content within the first 22 minutes of going live. That short window matters because it cuts the time defenders have for manual triage and containment.
Why DeepLoad is hard to catch
ReliaQuest says the PowerShell loader buried its real logic under thousands of meaningless variable assignments. The useful code sat near the bottom and used a short XOR decryption routine to unpack shellcode in memory, which meant the decoded payload never had to touch disk.
The researchers assessed with high confidence that AI helped generate this obfuscation layer. That matters because attackers can rebuild noisy variants quickly, which makes static signatures less useful over time. Independent coverage from The Hacker News and Dark Reading echoed that assessment after reviewing ReliaQuest’s findings.
DeepLoad also compiles a fresh C# injector through PowerShell Add-Type, writes a randomized DLL, and then injects code into a trusted Windows process. On investigated hosts, it chose LockAppHost.exe, the Windows lock-screen process, and used APC injection to trigger execution from memory.
What the malware steals and spreads
Credential theft begins early in the chain. ReliaQuest says filemanager.exe runs on a separate command-and-control channel, which lets the attackers keep stealing data even if defenders interrupt the main loader path. The malware can pull saved browser credentials and capture live activity through a malicious browser extension.
That browser extension raises the risk further because it can intercept passwords and session data as users type or browse. In practice, that means incident response cannot stop at deleting files or killing one process. Teams need to treat saved passwords, active sessions, browser tokens, and accounts used on the infected host as exposed.
The campaign also showed signs of USB propagation. Within ten minutes of infection, researchers observed USB-related traffic, and when drives were connected, the malware wrote more than 40 disguised shortcut files such as fake Chrome, Firefox, and AnyDesk installers that could restart the infection on another machine.
DeepLoad at a glance
| Area | What researchers observed | Why it matters |
|---|---|---|
| Initial access | ClickFix prompt tricks user into running PowerShell | Bypasses many normal download warnings |
| Persistence | Scheduled task plus WMI event subscription | Infection can survive reboot and cleanup |
| Execution | mshta.exe pulls obfuscated loader | Uses legitimate Windows tooling |
| Evasion | Likely AI-assisted junk code and in-memory decryption | Static scanning becomes less effective |
| Injection | Fresh DLL via Add-Type, then APC injection | Payload runs inside trusted process |
| Credential theft | filemanager.exe plus malicious browser extension | Saved passwords and live sessions both at risk |
| Spread | USB shortcuts disguised as installers | Threat can move beyond first host |
What defenders should do now
Security teams should review any host that shows suspicious PowerShell use, new scheduled tasks, unexpected mshta.exe network traffic, or unusual activity from LockAppHost.exe. Those signals may look minor on their own, but together they match the behavior ReliaQuest described in this campaign.
PowerShell Script Block Logging deserves special attention here. When it is enabled, PowerShell writes the content of each script block it executes to the Microsoft-Windows-PowerShell/Operational log as event ID 4104, and it logs the block as PowerShell sees it at execution time, after any string building or decoding the loader did on the way in. That gives defenders a far better chance to capture the real commands than a static look at an obfuscated file.
Teams also need to audit WMI event subscriptions directly, not just files and tasks. Microsoft’s documentation shows that WMI has an event infrastructure built for persistent triggers, and ReliaQuest says a surviving WMI subscription in one case relaunched the malware three days after the host appeared clean.
Immediate response checklist
- Isolate affected endpoints from the network.
- Reset passwords, revoke sessions, and rotate credentials used on infected hosts.
- Remove unapproved browser extensions from affected systems.
- Audit USB devices connected to infected endpoints before reuse.
- Enumerate and remove suspicious WMI event subscriptions.
- Enable Script Block Logging and strengthen EDR behavior-based detection.
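The WMI audit that the paragraph above and the checklist item "Enumerate and remove suspicious WMI event subscriptions" call for, as an added example. This is not code from ReliaQuest or from the article; a permanent WMI subscription is always three objects (an __EventFilter, an __EventConsumer subclass, and a __FilterToConsumerBinding that ties them together), so the script walks the bindings, resolves both ends, and flags any consumer that launches a script host. The pattern list and the trigger-query heuristics are assumptions chosen to match the behaviour described in this article. Run it in an elevated session; add -Remove -WhatIf to preview deletions and -Remove to perform them.

```powershell
<#
  Added example, not the article's or ReliaQuest's code: enumerate permanent WMI
  event subscriptions in root/subscription and flag suspicious consumers.
  Assumptions: the $SuspiciousPatterns list and the trigger-query regex below.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove,
    [string[]]$SuspiciousPatterns = @('powershell', 'pwsh', 'mshta', 'wscript', 'cscript',
                                      'cmd.exe', 'rundll32', 'regsvr32', 'bitsadmin', 'certutil')
)

$ns    = 'root/subscription'
$regex = ($SuspiciousPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
# Timer and clock-modification queries are the classic "fire every N seconds / at startup"
# persistence triggers; treating them as suspicious is an assumption, not a rule.
$triggerRegex = '__TimerEvent|Win32_LocalTime|Win32_PerfFormattedData_PerfOS_System|Win32_ProcessStartTrace'

# __EventConsumer is the base class, so this one query returns every consumer type
# (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$report = foreach ($b in $bindings) {
    # Filter and Consumer are reference properties; CIM returns them as instances
    # carrying the key property (Name), which is enough to look up the full object.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1

    $class   = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { [string]$c.ScriptText }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter        = $f.Name
        Query         = $f.Query
        Consumer      = $c.Name
        ConsumerClass = $class
        Payload       = $payload
        Suspicious    = ($payload -match $regex) -or ($f.Query -match $triggerRegex)
        # Kept for the removal step; order matters (binding first, then consumer, then filter).
        Objects       = @($b, $c, $f) | Where-Object { $_ }
    }
}

$report | Format-Table Filter, ConsumerClass, Suspicious, Query, Payload -AutoSize -Wrap

if ($Remove) {
    foreach ($entry in ($report | Where-Object Suspicious)) {
        foreach ($obj in $entry.Objects) {
            $label = "$($obj.CimClass.CimClassName) '$($obj.Name)'"
            if ($PSCmdlet.ShouldProcess($label, 'Remove-CimInstance')) {
                Remove-CimInstance -InputObject $obj
            }
        }
    }
}
```

Removing the binding first matters: once the binding is gone the consumer can no longer fire, so a timer-driven filter cannot relaunch the loader between the individual deletions. Orphaned filters or consumers (a binding whose partner object is already gone) show up with an empty column and are worth deleting too, since an attacker can re-bind them later.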
Key indicators security teams should hunt for
- PowerShell launched with execution-policy bypass.
- Newly created scheduled tasks tied to suspicious scripts.
- Unexpected outbound traffic from mshta.exe.
- Activity from LockAppHost.exe that includes network access.
- WMI-triggered PowerShell activity after apparent remediation.
- Browser extensions installed outside normal IT workflows.
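A single-host triage script for the indicators in the list above, added here as an example and not taken from the article or from ReliaQuest. It checks that Script Block Logging is on (without it the 4104 checks are empty), lists scheduled tasks whose action launches mshta or PowerShell with bypass or encoded flags, scans 4104 events for loader-style content and for the padding pattern described earlier (a block that is almost entirely bare variable assignments), looks for mshta.exe or LockAppHost.exe holding outbound TCP connections, and finds PowerShell processes whose parent is WmiPrvSE.exe, which is what a fired CommandLineEventConsumer looks like. The regexes, the lookback window, and the junk-assignment cut-off are assumptions, not published detection logic. Run it elevated.

```powershell
<#
  Added example (not the article's or ReliaQuest's code): one-host triage for the
  indicators listed in this article. Assumptions: $loaderPattern, -Days, -JunkRatio.
#>
param(
    [int]$Days = 7,
    # Fraction of non-empty script-block lines that are bare "$var = ..." assignments
    # above which a block is reported as padded. 0.9 is an assumed cut-off.
    [double]$JunkRatio = 0.9
)
$since = (Get-Date).AddDays(-$Days)
$loaderPattern = 'mshta|pwsh|powershell|-e(p|xecutionpolicy)\s+bypass|-enc(odedcommand)?\b|Add-Type|-bxor|FromBase64String'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Detail) { $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail }) }

# 1. Script Block Logging (event 4104) must be on, otherwise check 3 sees nothing.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    Add-Finding 'Config' "Script Block Logging is off. Enable with: New-Item '$sblKey' -Force; Set-ItemProperty '$sblKey' -Name EnableScriptBlockLogging -Value 1"
}

# 2. Scheduled tasks whose action launches mshta/PowerShell or uses bypass/encoded flags.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $loaderPattern) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) registered $($task.Date): $cmd"
        }
    }
}

# 3. 4104 script blocks: loader-style content, or a block that is mostly junk assignments.
#    Long scripts are split across several 4104 events; each fragment is scored on its own.
$assign = '^\s*\$\w+\s*=\s*'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text  = [string]$_.Properties[2].Value        # ScriptBlockText
        $lines = @($text -split "`r?`n" | Where-Object { $_.Trim() })
        $junk  = @($lines | Where-Object { $_ -match $assign }).Count
        $ratio = if ($lines.Count) { $junk / $lines.Count } else { 0 }
        if ($text -match $loaderPattern -or ($lines.Count -gt 200 -and $ratio -ge $JunkRatio)) {
            $preview = $text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' '
            Add-Finding 'ScriptBlock' ('{0} lines={1} assignRatio={2:P0} {3}' -f $_.TimeCreated, $lines.Count, $ratio, $preview)
        }
    }

# 4. Live processes: mshta.exe and LockAppHost.exe should not hold established TCP connections.
$conns = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)
foreach ($p in Get-Process -Name mshta, LockAppHost -ErrorAction SilentlyContinue) {
    foreach ($c in ($conns | Where-Object OwningProcess -eq $p.Id)) {
        Add-Finding 'NetworkProcess' "$($p.ProcessName) PID $($p.Id) -> $($c.RemoteAddress):$($c.RemotePort)"
    }
}

# 5. PowerShell whose parent is the WMI provider host is the footprint of a fired event consumer.
$procs = @(Get-CimInstance Win32_Process)
foreach ($ps in ($procs | Where-Object { $_.Name -in @('powershell.exe', 'pwsh.exe') })) {
    $parent = $procs | Where-Object ProcessId -eq $ps.ParentProcessId | Select-Object -First 1
    if ($parent -and $parent.Name -eq 'WmiPrvSE.exe') {
        Add-Finding 'WmiTriggered' "PID $($ps.ProcessId) parent WmiPrvSE PID $($parent.ProcessId): $($ps.CommandLine)"
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No indicators from this article found on this host.' }
```

Check 5 only catches a consumer that is running at the moment the script executes; for the three-day relaunch case described above, pair it with the WMI subscription audit, or hunt historically for process-creation events (Windows 4688 or Sysmon event 1) where the parent image is WmiPrvSE.exe and the child is powershell.exe.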
FAQ
What is DeepLoad?
DeepLoad is a malware campaign reported by ReliaQuest that uses ClickFix delivery, fileless execution, credential theft, process injection, and hidden persistence inside enterprise environments.
How does a DeepLoad infection start?
It starts with a fake error or repair prompt that tricks a user into pasting and running a malicious PowerShell command. That command can create persistence and launch the next stage of the attack.
Why is DeepLoad hard to detect?
Because the malware does not rely only on files on disk. It can run in memory, inject into trusted Windows processes, and persist through WMI event subscriptions that many cleanup workflows miss.
Does DeepLoad steal credentials?
Yes. Researchers say it can steal saved browser credentials and also capture live user input and session data through a malicious browser extension.
How should organizations respond?
There is no single fix, but behavior-based detection, PowerShell logging, credential rotation, browser extension review, and WMI subscription cleanup are the most important immediate actions.