DeepLoad Malware Leverages ClickFix and WMI Persistence to Steal Browser Credentials

Cybersecurity researchers have identified a newly emerging malware campaign distributing a previously undocumented loader called DeepLoad, leveraging ClickFix social engineering techniques to infect systems and steal sensitive data.

ClickFix Lure Initiates the Attack Chain

The infection begins with a deceptive ClickFix prompt that convinces users to execute a PowerShell command manually. Victims are instructed to paste a command into the Windows Run dialog under the false assumption that it will fix a system issue.

This action triggers the use of mshta.exe, a legitimate Windows utility, to download and execute an obfuscated PowerShell-based loader.

Advanced Obfuscation and Evasion Techniques

According to ReliaQuest, the loader is heavily obfuscated, with its malicious functionality buried among meaningless variables and junk code. Researchers suspect that artificial intelligence tools were used to generate this obfuscation layer.

DeepLoad blends into normal system activity by disguising itself as LockAppHost.exe, a legitimate Windows process associated with the lock screen. It also disables PowerShell command history to conceal its execution traces.

Additionally, instead of relying on standard PowerShell cmdlets, the malware directly invokes native Windows API functions, allowing it to bypass monitoring mechanisms that typically detect suspicious PowerShell activity.

Fileless Execution and Memory-Based Payloads

To avoid detection, DeepLoad dynamically generates a secondary payload using PowerShell's Add-Type cmdlet, which compiles C# source code into a temporary DLL written to the system's Temp directory.

This DLL is created with randomized file names each time it runs, making signature-based detection significantly harder.

Another key technique used is asynchronous procedure call (APC) injection, which allows the malware to inject its payload into trusted Windows processes without writing the decoded payload to disk.

Credential Theft and Browser Manipulation

DeepLoad is designed to harvest sensitive data by extracting saved browser credentials. It also installs a malicious browser extension capable of intercepting login details in real time.

This extension remains active across sessions unless manually removed, enabling continuous data collection.

USB Propagation Capability

The malware includes a self-spreading mechanism that activates when removable storage devices, such as USB drives, are connected.

It copies malicious shortcut files with names like:

  • ChromeSetup.lnk
  • Firefox Installer.lnk
  • AnyDesk.lnk

These files are crafted to trick users into executing them, further spreading the infection.

WMI-Based Persistence Mechanism

A particularly stealthy feature of DeepLoad is its use of Windows Management Instrumentation (WMI) for persistence.

The malware creates a WMI event subscription that silently re-executes the attack after a delay, even if the system appears to have been cleaned. This technique also disrupts traditional detection methods that rely on tracking process relationships, because the re-launched payload no longer descends from the original lure's process tree.
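A defender-side check for this persistence mechanism, as an added example that is not part of the original article or of ReliaQuest's research: it enumerates the permanent WMI subscriptions on a host and flags bindings whose trigger polls for a delay or whose consumer launches a scripting host. The regex heuristics and the helper name are assumptions of this example, not indicators taken from the report.

```powershell
# Added defensive example (not from the article or ReliaQuest): list permanent WMI
# event subscriptions (filter -> consumer bindings) and flag the ones that look like
# the delayed re-execution described for DeepLoad. Read-only; run in an elevated
# Windows PowerShell session. Both regexes are our own heuristics, not report IoCs.
$ns = 'root\subscription'
# Payload indicators: scripting hosts/LOLBins plus the decoy process name from the report.
$payloadPattern = 'powershell|mshta|wscript|cscript|rundll32|regsvr32|FromBase64|-enc|LockAppHost'
# Trigger indicators: timer events or uptime/clock polling used to fire "after a delay".
$delayPattern   = '__TimerEvent|SystemUpTime|Win32_LocalTime|__InstanceModificationEvent'

# Reference properties are CimInstance objects under Get-CimInstance but strings such as
# __EventFilter.Name="X" under Get-WmiObject; this hypothetical helper handles both.
function Get-RefName($ref) {
    if ($ref -is [string]) { if ($ref -match 'Name="([^"]+)"') { $Matches[1] } else { $ref } }
    else { $ref.Name }
}

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
# Enumerating the abstract base class returns every concrete consumer type.
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $filter   = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $consumer = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    $type = $consumer.CimClass.CimClassName

    # CommandLineEventConsumer carries a command line, ActiveScriptEventConsumer script text;
    # other consumer types (e.g. NTEventLogEventConsumer) have no executable payload.
    $payload = switch ($type) {
        'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { '<no command payload>' }
    }

    [pscustomobject]@{
        Filter          = $fName
        Consumer        = $cName
        ConsumerType    = $type
        Query           = $filter.Query
        Payload         = $payload
        DelayTrigger    = [bool]($filter.Query -match $delayPattern)
        LolbinInPayload = [bool]($payload -match $payloadPattern)
    }
}

# Typical clean baseline: nothing, or only Microsoft's "SCM Event Log" filter/consumer pair.
$report | Format-List
$report | Where-Object { $_.DelayTrigger -or $_.LolbinInPayload } |
    ForEach-Object { Write-Warning "Review subscription '$($_.Filter)' -> '$($_.Consumer)': $($_.Payload)" }
```

Any CommandLineEventConsumer or ActiveScriptEventConsumer on a workstation deserves a second look regardless of the flags, since legitimate software rarely installs them.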

Broader Threat Capabilities

DeepLoad appears to be designed as a multi-purpose malware platform capable of operating across different stages of the cyber kill chain. Its ability to avoid disk-based artifacts, integrate with legitimate processes, and spread through removable media makes it especially dangerous.

Related Threat: Kiss Loader Emerges

In a related development, researchers have also identified another malware loader known as Kiss Loader.

This threat is delivered through phishing emails containing Windows Internet Shortcut (URL) files. These files connect to remote WebDAV servers hosted on TryCloudflare domains, eventually delivering a payload disguised as a PDF.

Once executed, the infection chain includes:

  • Launching scripts via Windows Script Host
  • Displaying decoy PDF files
  • Establishing persistence in the Startup folder
  • Downloading and executing the Python-based loader

In its final stage, Kiss Loader deploys Venom RAT, a variant of AsyncRAT, using APC injection.




Found this article interesting? Follow us on  X (Twitter) FacebookBlue sky and LinkedIn to read more exclusive content we post.