
DeepLoad

DeepLoad is a credential-stealing malware/loader tracked by ReliaQuest and observed targeting enterprise IT environments. It is delivered via the ClickFix social-engineering technique, including fake browser prompts or error pages that trick users into executing malicious PowerShell commands through Windows Run, Windows Terminal, or PowerShell. The infection chain abuses mshta.exe to contact attacker-controlled staging infrastructure and retrieve a heavily obfuscated PowerShell loader. Reporting states the loader contains thousands of meaningless variable assignments, assessed with high confidence by ReliaQuest to be AI-generated obfuscation intended to hinder static analysis and evade detection.

DeepLoad establishes persistence through a scheduled task that re-executes the loader on reboot and through hidden WMI event subscriptions that can silently redeploy the malware after apparent remediation. In at least one observed case, a WMI subscription re-executed the attack three days after a host appeared clean. The malware operates largely filelessly, decrypting payloads in memory via a short XOR routine, using PowerShell Add-Type to compile a temporary C# injector/DLL with randomized filenames, and performing APC-based process injection into LockAppHost.exe, a legitimate Windows lock screen process.

Its primary capability is credential theft. ReliaQuest reported that DeepLoad can collect stored credentials, extract browser passwords, capture newly entered credentials in real time via keylogging, and deploy a malicious browser extension that steals passwords and session tokens as users type them. A credential stealer named filemanager.exe may be dropped and can continue exfiltrating data over its own command-and-control channel even if the primary loader is blocked. DeepLoad was also observed disabling PowerShell command history to reduce forensic visibility.

The campaign was observed spreading to connected USB drives within minutes of infection, writing more than 40 disguised files including fake Chrome, Firefox, and AnyDesk installers or shortcuts, indicating likely propagation beyond the initially infected host. Researchers also observed ClickFix campaigns delivering DeepLoad on Windows systems. High-confidence indicators and artifacts named in the reporting include abuse of mshta.exe, scheduled tasks, WMI event subscriptions, injection into LockAppHost.exe, the dropped stealer filemanager.exe, malicious browser extensions, and USB-borne lure filenames such as ChromeSetup.lnk, Firefox Installer.lnk, and AnyDesk.lnk.
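As an added example (not code from the Mallory page or from ReliaQuest's reporting), the following Python triages constructed Sysmon-style events for the delivery and persistence behaviours described above: mshta.exe spawning PowerShell, a scheduled task created with a PowerShell action, a WMI CommandLineEventConsumer that runs PowerShell, and a file written under one of the reported USB lure names. The events, the placeholder command lines and the drive letter are constructed assumptions; the field names follow Sysmon's event schema (EventID 1, 11 and 20).

```python
"""Triage constructed Sysmon-style events for the DeepLoad behaviours described
on this page. Added example: events and command lines are constructed samples,
not telemetry from the campaign."""
from typing import Dict, List, Tuple

# Lure filenames reported for the USB-spreading stage (lower-cased for matching).
USB_LURES = {"chromesetup.lnk", "firefox installer.lnk", "anydesk.lnk"}

# Constructed events. Field names follow Sysmon: EventID 1 (process create),
# 11 (file create) and 20 (WMI consumer, whose Destination is the command).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -c <placeholder>"},
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks.exe /create /tn Update /tr "powershell.exe -w hidden <placeholder>"'},
    {"EventID": "20", "Type": "Command Line",
     "Destination": "powershell.exe -w hidden <placeholder>"},
    {"EventID": "11", "Image": PS, "TargetFilename": r"E:\ChromeSetup.lnk"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (ATT&CK id, finding) pairs for the behaviours this page documents."""
    findings: List[Tuple[str, str]] = []
    for e in events:
        eid = e.get("EventID")
        if eid == "1":
            img, parent = basename(e.get("Image", "")), basename(e.get("ParentImage", ""))
            cmd = e.get("CommandLine", "").lower()
            if img == "powershell.exe" and parent == "mshta.exe":
                findings.append(("T1218.005", "mshta.exe spawned PowerShell"))
            if img == "schtasks.exe" and "/create" in cmd and "powershell" in cmd:
                findings.append(("T1053.005", "scheduled task created with a PowerShell action"))
        elif eid == "20" and "powershell" in e.get("Destination", "").lower():
            findings.append(("T1546.003", "WMI CommandLineEventConsumer runs PowerShell"))
        elif eid == "11" and basename(e.get("TargetFilename", "")) in USB_LURES:
            # Event 11 does not say whether the volume is removable; confirm that in the SIEM.
            findings.append(("T1091", f"USB lure name written: {e['TargetFilename']}"))
    return findings
```

The benign notepad.exe event produces no finding, so the four results map one-to-one onto the four behaviours the page attributes to DeepLoad.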

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

25 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1091 Replication Through Removable Media (Evidence: 4)

the loader spread to connected USB drives

T1566 Phishing (Evidence: 1)

It is common for attackers to compromise legitimate websites or create convincing phishing pages and substitute counterfeit CAPTCHA screens for verification prompts that require visitors to perform a series of manual tasks, including executing a command copied to the clipboard.

Execution

5 techniques

T1053 Scheduled Task/Job (Evidence: 1)

In this instance, the command immediately creates a scheduled task to re-execute the loader, so it persists across reboots or partial detection, without the user having to do anything thereafter.

T1053.005 Scheduled Task (Evidence: 2)

In this campaign, this one command was enough to establish persistent, reboot-surviving access by creating a scheduled task configured to repeatedly re-execute the loader.

T1059.001 PowerShell (Evidence: 4)

These commands typically launch PowerShell, which retrieves and executes remote payloads, thereby enabling the deployment of information stealers and other malicious applications.

T1204 User Execution (Evidence: 4)

Malicious browser prompts or error pages have been leveraged by attackers to lure targets into executing a command

T1204.004 Malicious Copy and Paste (Evidence: 1)

A dedicated entry under technique T1204.004 has also been made under the MITRE ATT&CK framework, recognising ClickFix as a unique form of user-assisted malicious execution.

Persistence

4 techniques

T1053 Scheduled Task/Job (Evidence: 1)

In this instance, the command immediately creates a scheduled task to re-execute the loader, so it persists across reboots or partial detection, without the user having to do anything thereafter.

T1053.005 Scheduled Task (Evidence: 2)

In this campaign, this one command was enough to establish persistent, reboot-surviving access by creating a scheduled task configured to repeatedly re-execute the loader.

T1176 Software Extensions (Evidence: 1)

A malicious browser extension captures passwords and session tokens as users type them, persisting across sessions until removed.

T1546.003 Windows Management Instrumentation Event Subscription (Evidence: 3)

The security firm also said organizations need to watch for hackers’ abuse of the Windows Management Instrumentation event subscription feature ... hackers are abusing the feature to redeploy DeepLoad after remediation.

Privilege Escalation

5 techniques

T1053 Scheduled Task/Job (Evidence: 1)

In this instance, the command immediately creates a scheduled task to re-execute the loader, so it persists across reboots or partial detection, without the user having to do anything thereafter.

T1053.005 Scheduled Task (Evidence: 2)

In this campaign, this one command was enough to establish persistent, reboot-surviving access by creating a scheduled task configured to repeatedly re-execute the loader.

T1055 Process Injection (Evidence: 3)

ReliaQuest’s report also describes how the DeepLoad malware hides in the Windows operating system by embedding itself in the rarely scrutinized process that runs the Windows lock screen.

T1055.004 Asynchronous Procedure Call (Evidence: 1)

Through asynchronous procedure call (APC) injection, the loader places shellcode into that process’s memory and triggers execution on resume...

T1546.003 Windows Management Instrumentation Event Subscription (Evidence: 3)

The security firm also said organizations need to watch for hackers’ abuse of the Windows Management Instrumentation event subscription feature ... hackers are abusing the feature to redeploy DeepLoad after remediation.

Stealth

10 techniques

T1027 Obfuscated Files or Information (Evidence: 5)

That loader contained “thousands of meaningless variable assignments that resemble routine scripting,” and researchers said this “busy” design was meant to hide the loader’s malicious functionality inside the noise.

T1027.004 Compile After Delivery (Evidence: 1)

To carry out the injection DeepLoad uses a PowerShell feature called Add-Type to generate a temporary Dynamic Link Library (DLL) that is dropped into the compromised computer's Temp directory.

T1027.009 Embedded Payloads (Evidence: 1)

ReliaQuest urged organizations to perform ongoing behavioral analysis of computers on their networks to catch the malware in the act, given that its fileless operations can bypass more traditional static defenses.

T1036 Masquerading (Evidence: 1)

The security vendor found the malware writing more than 40 files disguised as Chrome setup files, Firefox installers, AnyDesk shortcuts and other familiar installers, to the USB drive of a compromised host.

T1055 Process Injection (Evidence: 3)

ReliaQuest’s report also describes how the DeepLoad malware hides in the Windows operating system by embedding itself in the rarely scrutinized process that runs the Windows lock screen.

T1055.004 Asynchronous Procedure Call (Evidence: 1)

Through asynchronous procedure call (APC) injection, the loader places shellcode into that process’s memory and triggers execution on resume...

T1070 Indicator Removal (Evidence: 1)

The malware also disables PowerShell command history to cover its own tracks.

T1140 Deobfuscate/Decode Files or Information (Evidence: 1)

The actual logic — a short XOR decryption routine — sits at the bottom and decrypts shellcode in memory, so no decoded payload touches disk.

T1218.005 Mshta (Evidence: 3)

From there, mshta.exe, a legitimate Windows utility often abused for remote script execution, reached the attacker’s staging infrastructure and pulled down an obfuscated PowerShell loader.

T1620 Reflective Code Loading (Evidence: 2)

...decrypts shellcode in memory, so no decoded payload touches disk.

Credential Access

4 techniques

T1056.001 Keylogging (Evidence: 3)

Injection of DeepLoad enabled real-time keylogging

T1539 Steal Web Session Cookie (Evidence: 2)

A malicious browser extension captures passwords and session tokens as users type them, persisting across sessions until removed.

T1555 Credentials from Password Stores (Evidence: 1)

Researchers have uncovered a new malware strain capable of stealing credentials immediately after gaining a foothold on a victim network, capturing both stored browser passwords and live keystrokes in real time through a standalone stealer and a malicious browser extension.

T1649 Steal or Forge Authentication Certificates (Evidence: 2)

Because the malware can collect both stored credentials and passwords that users enter after the compromise, ReliaQuest urged compromised organizations to change all passwords that an affected machine can access.

Lateral Movement

1 technique

T1091 Replication Through Removable Media (Evidence: 4)

the loader spread to connected USB drives

Collection

1 technique

T1056.001 Keylogging (Evidence: 3)

Injection of DeepLoad enabled real-time keylogging

Command and Control

1 technique

T1105 Ingress Tool Transfer (Evidence: 1)

...uses mshta.exe, a legitimate Windows utility, to fetch an obfuscated payload from attacker-controlled infrastructure.

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (Evidence: 1)

Before the main attack chain finishes, a standalone credential stealer, filemanager.exe, is already running on its own infrastructure and can exfiltrate data even if the main loader is detected and blocked.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type      Value             Latest sighting
domain    ●●●●●●●●●●●●      today
domain    ●●●●●●●●●●●●      today
domain    ●●●●●●●●●●●●      today
ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (3)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (25)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.