A new campaign uses the ClickFix tactic to spread DeepLoad, a sophisticated malware loader that employs AI-generated obfuscation to bypass security scanners. Once active, the malware immediately targets browser credentials and uses advanced techniques like process injection and USB propagation to maintain a persistent, stealthy presence on infected systems.
The DeepLoad malware campaign begins with a social engineering trick known as ClickFix, which convinces users to manually paste and execute malicious PowerShell commands under the guise of fixing a system error. This initial action triggers a legitimate Windows utility to download a secondary loader that is heavily disguised using AI-assisted techniques. By burying its true intent within randomized code and variables, the malware successfully avoids detection by many traditional security tools and automated scanners.
Once the system is compromised, DeepLoad goes to great lengths to remain hidden by masquerading as a native Windows process responsible for the lock screen. It further evades monitoring by disabling PowerShell history and interacting directly with core system functions rather than using standard commands. To bypass file-based defenses, the malware dynamically compiles temporary components with randomized names, ensuring that there is no consistent file signature for antivirus software to identify.
The primary objective of DeepLoad is the immediate and comprehensive theft of user data, specifically targeting passwords and active sessions stored in web browsers. It even installs a malicious browser extension to intercept login information in real time as the user types it. Beyond simple theft, the malware is designed to spread autonomously by copying itself onto any USB drives or removable media connected to the machine, often disguised as common installers for web browsers or remote desktop software.
Persistence is a core feature of this threat, as it utilizes Windows Management Instrumentation to re-infect the host even after a cleanup attempt has been made. By scheduling delayed execution events, the malware can stay dormant and then re-activate days later without any further interaction from the user or the attacker. This technique also breaks the logical chain of events that security software typically monitors, making it much harder for IT teams to trace the original source of the infection.
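A way to hunt for the WMI persistence described above, as an added example that is not taken from the ReliaQuest write-up: it correlates Sysmon WMI events (IDs 19, 20 and 21) into filter-to-consumer bindings over constructed sample records and flags bindings whose consumer launches a script interpreter or whose filter fires on a time or uptime condition. Field names mirror Sysmon's WmiEvent layout; the event values, names and the command line are invented for the example.

```python
"""Correlate Sysmon WMI events (19 = filter, 20 = consumer, 21 = binding)
and flag bindings that look like scripted, delayed persistence."""
import re

# Constructed sample records (not real telemetry). The first three describe a
# hypothetical attacker binding; the last three mimic the default SCM binding
# that ships with Windows and must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "Name": "UpdTimer",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Operation": "Created", "Name": "UpdConsumer",
     "Type": "Command Line",
     "Destination": "powershell.exe -w hidden -nop -c <payload placeholder>"},
    {"EventID": 21, "Operation": "Created",
     "Filter": "UpdTimer", "Consumer": "UpdConsumer"},
    {"EventID": 19, "Operation": "Created", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "Name": "SCM Event Log Consumer",
     "Type": "NTEventLog", "Destination": "Application"},
    {"EventID": 21, "Operation": "Created",
     "Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
]

INTERPRETER = re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript", re.I)
STEALTH_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-e(nc|ncodedcommand)?\s", re.I)
DELAY_TRIGGER = re.compile(r"SystemUpTime|Win32_LocalTime|__TimerEvent", re.I)

def analyze(events):
    """Return one finding per suspicious filter->consumer binding."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for b in (e for e in events if e["EventID"] == 21):
        f = filters.get(b["Filter"], {})
        c = consumers.get(b["Consumer"], {})
        cmd, ctype = c.get("Destination", ""), c.get("Type", "").lower()
        reasons = []
        if "command" in ctype or "script" in ctype:
            reasons.append("command-line or script consumer")
        if INTERPRETER.search(cmd):
            reasons.append("interpreter launched by consumer")
        if STEALTH_FLAGS.search(cmd):
            reasons.append("hidden/encoded/no-profile flags")
        if DELAY_TRIGGER.search(f.get("Query", "")):
            reasons.append("time- or uptime-triggered filter")
        if reasons:
            findings.append({"filter": b["Filter"], "consumer": b["Consumer"],
                             "reasons": reasons})
    return findings
```

On a live host the same bindings can be enumerated from the root\subscription namespace and fed through analyze() after mapping the class names onto these fields.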
While the exact origins and full scale of the DeepLoad campaign remain unclear, researchers believe its templated design suggests it may be part of a broader malware-as-a-service framework. At the same time, other similar loaders like Kiss Loader are emerging through phishing emails and cloud-hosted resources, indicating a growing trend in sophisticated, multi-stage attack chains. Both threats highlight an increasing reliance on fileless execution and legitimate system tools to deliver damaging payloads like remote access trojans.
Source: https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/
