DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

AndyC 31 March 2026

Insights

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

Ravie LakshmananMar 30, 2026Threat Intelligence / Browser Security

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad.

“It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked,” ReliaQuest researchers Thassanai McCabe and Andrew Currie said in a report shared with The Hacker News.

The starting point of the attack chain is a ClickFix lure that tricks users into running PowerShell commands by pasting the command into the Windows Run dialog under the pretext of addressing a non-existent issue. This, in turn, uses “mshta.exe,” a legitimate Windows utility to download and run an obfuscated PowerShell loader.

The loader, for its part, has been found to conceal its actual functionality among meaningless variable assignments, likely in an attempt to deceive security tools. It’s assessed that the threat actors relied on an artificial intelligence (AI) tool to develop the obfuscation layer.

DeepLoad makes deliberate efforts to blend in with regular Windows activity and fly under the radar. This includes hiding the payload within an executable named “LockAppHost.exe,” a legitimate Windows process that manages the lock screen.

In addition, the malware covers up its own tracks by disabling PowerShell command history and invoking native Windows core functions directly instead of relying on PowerShell’s built-in commands to launch processes and modify memory. In doing so, it bypasses common monitoring hooks that keep tabs on PowerShell-based activity.

“To evade file-based detection, DeepLoad generates a secondary component on the fly by using the built-in PowerShell feature Add-Type, which compiles and runs code written in C#,” ReliaQuest said. “This produces a temporary Dynamic Link Library (DLL) file dropped into the user’s Temp directory.”

This offers a way for the malware to sidestep file name-based detections, as the DLL is compiled every time it’s executed and written with a randomized file name.

Another notable defense evasion tactic adopted by DeepLoad is the use of asynchronous procedure call (APC) injection to run the main payload inside a trusted Windows process without a decoded payload written to disk after launching the target process in a suspended state, writing shellcode into its memory, and then resuming the execution of the process.

DeepLoad is designed to facilitate credential theft by extracting browser passwords from the host. It also drops a malicious browser extension that intercepts credentials as they are being entered on login pages and persists across user sessions unless it’s explicitly removed.

A more dangerous feature of the malware is its ability to automatically detect when removable media devices like USB drives are connected and copy the malware-laced files using names like “ChromeSetup.lnk,” “Firefox Installer.lnk,” and “AnyDesk.lnk” so as to trigger the infection once it’s doubled-clicked.

“DeepLoad used Windows Management Instrumentation (WMI) to reinfect a ‘clean’ host three days later with no user action and no attacker interaction,” ReliaQuest explained. “WMI served two purposes: It broke the parent-child process chains most detection rules are built to catch, and it created a WMI event subscription that quietly re-executed the attack later.”

The goal, it appears, is to deploy multi-purpose malware that can perform malicious actions across the cyber kill chain and sidestep detection by security controls by avoiding writing artifacts to disk, blending into Windows processes, and spreading quickly to other machines.

The disclosure comes as G DATA detailed another malware loader dubbed Kiss Loader that’s distributed through Windows Internet Shortcut files (URL) attached to phishing emails, which then connects to a remote WebDAV resource hosted on a TryCloudflare domain to serve a secondary shortcut that masquerades as a PDF document.

Once executed, the shortcut launches a WSH script responsible for running a JavaScript component, which proceeds to retrieve and execute a batch script that displays a decoy PDF, sets up persistence in the Startup folder, and downloads the Python-based Kiss Loader. In the final stage, the loader decrypts and runs Venom RAT, an AsyncRAT variant, using APC injection.

It’s currently not known how widespread attacks deploying Kiss Loader are, and if it’s being offered under a malware-as-a-service (MaaS) model. That said, the threat actor behind the loader claims to be from Malawi.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

What do you feel about this?

More Stories

⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More

⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More

AndyC 31 March 2026
3 SOC Process Fixes That Unlock Tier 1 Productivity

3 SOC Process Fixes That Unlock Tier 1 Productivity

AndyC 31 March 2026
The State of Secrets Sprawl 2026: 9 Takeaways for CISOs

The State of Secrets Sprawl 2026: 9 Takeaways for CISOs

AndyC 31 March 2026
Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels

Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels

AndyC 31 March 2026
Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign

Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign

AndyC 31 March 2026
Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

AndyC 29 March 2026

You may have missed

The AI Exchange: Innovators in Payment Security Featuring Flywire

The AI Exchange: Innovators in Payment Security Featuring Flywire

AndyC 31 March 2026
China-Linked groups target Southeast Asian government with advanced malware in 2025

China-Linked groups target Southeast Asian government with advanced malware in 2025

AndyC 31 March 2026
It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

AndyC 31 March 2026
HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

AndyC 31 March 2026
What the FBI Director Breach Reveals About Executive Digital Exposure

Breach Readiness in the Age of Mythos: When Your AI Thinks, Learns, and Defends

AndyC 31 March 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.