DeepLoad credential stealer uses AI-generated padding and ClickFix delivery to evade static detection

Security researchers have identified DeepLoad, a new malware strain that captures credentials immediately upon execution and uses process injection to evade static scanning. To fully remediate affected hosts, organizations must look beyond standard file cleanup and address persistent WMI event subscriptions.

Triage Security Media Team
Security researchers have analyzed a new malware strain tracked as DeepLoad, which is capable of capturing credentials immediately after gaining a foothold on a network. The malware relies on a standalone stealer and an unsafe browser extension to capture both stored browser passwords and live keystrokes in real time.

According to ReliaQuest, DeepLoad presents unique containment challenges due to its likely use of AI-generated code for evasion and process injection techniques that bypass static detection. It also establishes a persistence mechanism that can silently restart the execution chain even after an affected host appears fully remediated.

DeepLoad delivery via ClickFix

DeepLoad operators distribute the credential stealer across enterprise environments using the ClickFix social engineering technique. This method begins with affected users receiving fake browser prompts that ask them to execute a seemingly benign command to resolve a fabricated system error.

When executed, this command immediately creates a scheduled task to re-execute the loader. This ensures the unauthorized access persists across system reboots or partial detection without any further user interaction. The sequence then uses mshta.exe, a legitimate Windows utility, to communicate with external infrastructure and download a heavily obfuscated PowerShell loader.

Because DeepLoad captures credentials from the moment it lands, even partial containment can leave an organization with exposed passwords, active session tokens, and compromised accounts. Before the primary execution chain finishes, a standalone credential stealer named filemanager.exe begins running independently of the main loader, using its own infrastructure. This component can exfiltrate data even if the main loader is subsequently detected and blocked. Additionally, the malware drops and registers a browser extension that captures credentials as users type them, persisting across browser sessions until explicitly removed.

Heavily padded loader and process injection

Analysis of DeepLoad indicates that its functional code is hidden beneath thousands of lines of irrelevant code. This volume of padding appears specifically designed to overwhelm static scanning tools, leaving them with no identifiable signatures to flag. The scale and structure of this padding suggest it was likely developed by an AI model rather than a human programmer.

DeepLoad’s core logic consists of a short decryption routine that unpacks its active component entirely in memory. Once unpacked, this component is injected into LockAppHost.exe, a legitimate Windows process that manages the lock screen. Security tools typically do not actively monitor this process, making it an effective location for unauthorized activity.

To carry out the injection, DeepLoad leverages a PowerShell feature called Add-Type to generate a temporary Dynamic Link Library (DLL), which is then dropped into the affected computer's Temp directory. The malware compiles this DLL freshly on every execution, assigning it a randomized filename to ensure that security tools scanning for specific indicators will not find a match. The sequence also disables PowerShell command history to obscure its tracks.
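The behaviours above (Add-Type compilation, a randomly named DLL in Temp, the LockAppHost.exe target, the mshta.exe stage) are exactly what PowerShell Script Block Logging records once the padded loader is unpacked. The following hunting script is an added example, not code from the report or from ReliaQuest; it assumes Script Block Logging is already enabled, and the indicator names and thresholds are the author's own choices.

```powershell
# Added hunting example (not from the report). Assumes Script Block Logging is on, so that
# Event ID 4104 in Microsoft-Windows-PowerShell/Operational carries the unpacked script text.
# Indicators are built only from behaviours described in the write-up; extend with your own telemetry.
$DeepLoadIndicators = @(
    @{ Name = 'InMemoryCompile';   Pattern = 'Add-Type' },
    @{ Name = 'LockAppHostTarget'; Pattern = 'LockAppHost(\.exe)?' },
    @{ Name = 'MshtaStage';        Pattern = 'mshta(\.exe)?\s' },
    @{ Name = 'TempDllDrop';       Pattern = 'Temp\\[^\\"''\s]+\.dll' }
)

function Test-ScriptBlockText {
    # Returns the names of the indicators that match one (reassembled) script block.
    param([Parameter(Mandatory)][string]$Text)
    @(foreach ($i in $DeepLoadIndicators) { if ($Text -match $i.Pattern) { $i.Name } })
}

function Get-SuspiciousScriptBlocks {
    # Flags blocks hitting at least $MinHits indicators, so a lone Add-Type in an admin
    # script does not page anyone. Thousands of lines of padding means one script is split
    # across many 4104 events sharing a ScriptBlockId, so fragments are reassembled first.
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$MinHits = 2)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property { $_.Properties[3].Value } |      # Properties[3] = ScriptBlockId
        ForEach-Object {
            $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })  # MessageNumber order
            $text  = -join ($parts | ForEach-Object { $_.Properties[2].Value })  # ScriptBlockText
            $hits  = @(Test-ScriptBlockText -Text $text)
            if ($hits.Count -ge $MinHits) {
                [pscustomobject]@{
                    TimeCreated   = $parts[0].TimeCreated
                    ScriptBlockId = $_.Name
                    Indicators    = ($hits -join ',')
                    Fragments     = $parts.Count
                }
            }
        }
}

# Constructed sample line (not a real DeepLoad artifact) showing three indicators co-occurring.
$sample = 'Add-Type -TypeDefinition $src -OutputAssembly "$env:TEMP\a9f3kq.dll"; Start-Process LockAppHost.exe'
Test-ScriptBlockText -Text $sample    # InMemoryCompile, LockAppHostTarget, TempDllDrop

Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Because the DLL filename is randomized on each run, match on the Temp-directory pattern rather than on a specific hash or name; pair these hits with process telemetry showing LockAppHost.exe receiving a remote thread or unexpected network activity.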

During the evaluated campaign, DeepLoad also demonstrated lateral movement capabilities by spreading to connected USB drives within 10 minutes of the initial infection. The malware wrote more than 40 files to the USB drive of the affected host, disguising them as familiar installers for applications like Chrome, Firefox, and AnyDesk. This mechanism increases the likelihood of a user executing one of the deceptive installers and exposing another machine. It remains unclear whether USB propagation is a permanent feature of DeepLoad or a modular addition for this specific campaign.

Standard remediation is not enough

Standard cleanup procedures—such as removing scheduled tasks, temporary files, and familiar indicators of compromise (IOCs)—are not sufficient to fully remediate DeepLoad. The malware creates a persistent trigger within Windows Management Instrumentation (WMI) that automatically reruns the sequence without any further user interaction. In one investigated incident, this mechanism re-executed the malware a full three days after the affected host appeared to be thoroughly cleaned.

To properly secure affected environments, organizations must audit and remove WMI event subscriptions on exposed hosts before returning them to production. Security teams should enable PowerShell Script Block Logging and behavioral endpoint monitoring to identify unauthorized activity, as traditional file-based scanning will not detect the padded loader. Furthermore, organizations must rotate all credentials associated with an affected system, including saved passwords, active session tokens, and accounts that were in use during the exposure period.
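A WMI event subscription is three objects joined together: an __EventFilter (the WQL trigger), an __EventConsumer (the payload, typically CommandLineEventConsumer or ActiveScriptEventConsumer) and a __FilterToConsumerBinding. The audit script below is an added responder example, not code from the report or from ReliaQuest; it assumes Windows PowerShell 5.1 (Get-WmiObject) running elevated, and the function names are the author's own.

```powershell
# Added responder example (not from the report): list every WMI event subscription on a
# host by joining filter, consumer and binding, then remove a named one only when asked.
# Assumes Windows PowerShell 5.1 (Get-WmiObject) run elevated.
$Ns = 'root\subscription'

function Get-WmiEventSubscription {
    $filters   = @(Get-WmiObject -Namespace $Ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $Ns -Class __EventConsumer)  # base class: returns all consumer types
    foreach ($b in @(Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding)) {
        # Binding references are WMI paths such as __EventFilter.Name="x"; extract the key.
        $fName = if ($b.Filter   -match 'Name="([^"]+)"') { $Matches[1] }
        $cName = if ($b.Consumer -match 'Name="([^"]+)"') { $Matches[1] }
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            FilterName   = $fName
            Query        = $f.Query
            ConsumerName = $cName
            ConsumerType = $c.__CLASS
            # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

function Remove-WmiEventSubscription {
    # Removes the binding first, then the filter and the consumer it referenced.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$FilterName)
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "Name=`"$([regex]::Escape($FilterName))`"" } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($FilterName, 'Remove WMI binding, filter and consumer')) {
                $cName = if ($_.Consumer -match 'Name="([^"]+)"') { $Matches[1] }
                $_ | Remove-WmiObject
                Get-WmiObject -Namespace $Ns -Class __EventFilter   -Filter "Name='$FilterName'" | Remove-WmiObject
                Get-WmiObject -Namespace $Ns -Class __EventConsumer -Filter "Name='$cName'"      | Remove-WmiObject
            }
        }
}

# Review first; 'SCM Event Log Filter' -> NTEventLogEventConsumer is present on default Windows installs.
Get-WmiEventSubscription | Format-Table FilterName, ConsumerType, Payload -Wrap
# Remove-WmiEventSubscription -FilterName '<suspicious filter name>' -WhatIf
```

Record the Query and Payload of anything you remove before deleting it, and confirm the consumer is not shared by another binding you intend to keep; the listing above shows every binding so that check is a matter of reading the table.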

The evidence of AI-generated code suggests a realistic probability that obfuscation techniques will evolve from generic noise to padding tailored specifically to the targeted environment. As WMI subscriptions are added to standard remediation checklists, threat actors will likely shift their persistence mechanisms to other legitimate Windows features that currently receive less scrutiny.