DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

Summary

A new malware campaign leverages the ClickFix social engineering tactic to distribute DeepLoad, a previously undocumented malware loader that steals browser credentials and uses AI-assisted obfuscation to evade detection. DeepLoad employs multiple evasion techniques including process injection, WMI persistence, malicious browser extensions, and USB propagation. The malware can reinfect systems days later without user action and breaks detection rule chains by using WMI event subscriptions.

Full text

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials Ravie LakshmananMar 30, 2026Threat Intelligence / Browser Security A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad. "It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked," ReliaQuest researchers Thassanai McCabe and Andrew Currie said in a report shared with The Hacker News. The starting point of the attack chain is a ClickFix lure that tricks users into running PowerShell commands by pasting the command into the Windows Run dialog under the pretext of addressing a non-existent issue. This, in turn, uses "mshta.exe," a legitimate Windows utility to download and run an obfuscated PowerShell loader. The loader, for its part, has been found to conceal its actual functionality among meaningless variable assignments, likely in an attempt to deceive security tools. It's assessed that the threat actors relied on an artificial intelligence (AI) tool to develop the obfuscation layer. DeepLoad makes deliberate efforts to blend in with regular Windows activity and fly under the radar. This includes hiding the payload within an executable named "LockAppHost.exe," a legitimate Windows process that manages the lock screen. In addition, the malware covers up its own tracks by disabling PowerShell command history and invoking native Windows core functions directly instead of relying on PowerShell's built-in commands to launch processes and modify memory. In doing so, it bypasses common monitoring hooks that keep tabs on PowerShell-based activity. "To evade file-based detection, DeepLoad generates a secondary component on the fly by using the built-in PowerShell feature Add-Type, which compiles and runs code written in C#," ReliaQuest said. "This produces a temporary Dynamic Link Library (DLL) file dropped into the user's Temp directory." This offers a way for the malware to sidestep file name-based detections, as the DLL is compiled every time it's executed and written with a randomized file name. Another notable defense evasion tactic adopted by DeepLoad is the use of asynchronous procedure call (APC) injection to run the main payload inside a trusted Windows process without a decoded payload written to disk after launching the target process in a suspended state, writing shellcode into its memory, and then resuming the execution of the process. DeepLoad is designed to facilitate credential theft by extracting browser passwords from the host. It also drops a malicious browser extension that intercepts credentials as they are being entered on login pages and persists across user sessions unless it's explicitly removed. A more dangerous feature of the malware is its ability to automatically detect when removable media devices like USB drives are connected and copy the malware-laced files using names like "ChromeSetup.lnk," "Firefox Installer.lnk," and "AnyDesk.lnk" so as to trigger the infection once it's doubled-clicked. "DeepLoad used Windows Management Instrumentation (WMI) to reinfect a 'clean' host three days later with no user action and no attacker interaction," ReliaQuest explained. "WMI served two purposes: It broke the parent-child process chains most detection rules are built to catch, and it created a WMI event subscription that quietly re-executed the attack later." The goal, it appears, is to deploy multi-purpose malware that can perform malicious actions across the cyber kill chain and sidestep detection by security controls by avoiding writing artifacts to disk, blending into Windows processes, and spreading quickly to other machines. The disclosure comes as G DATA detailed another malware loader dubbed Kiss Loader that's distributed through Windows Internet Shortcut files (URL) attached to phishing emails, which then connects to a remote WebDAV resource hosted on a TryCloudflare domain to serve a secondary shortcut that masquerades as a PDF document. Once executed, the shortcut launches a WSH script responsible for running a JavaScript component, which proceeds to retrieve and execute a batch script that displays a decoy PDF, sets up persistence in the Startup folder, and downloads the Python-based Kiss Loader. In the final stage, the loader decrypts and runs Venom RAT, an AsyncRAT variant, using APC injection. It's currently not known how widespread attacks deploying Kiss Loader are, and if it's being offered under a malware-as-a-service (MaaS) model. That said, the threat actor behind the loader claims to be from Malawi. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  browser security, cybersecurity, Malware, Phishing, powershell, ransomware, social engineering, Threat Intelligence, windows security Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — DeepLoad
• malware — Kiss Loader
• malware — Venom RAT