DeepLoad Malware - AI-Generated Code Evades Detection, Targets Enterprise Networks

Overview of DeepLoad Malware

A newly discovered malware campaign, known as DeepLoad, is utilizing ClickFix delivery methods in conjunction with AI-generated evasion techniques to infiltrate enterprise environments. This sophisticated malware transforms a single user action into persistent, credential-stealing access that survives system reboots and outlasts standard cleanup efforts. According to cybersecurity researchers at ReliaQuest, the malware campaign poses an immediate threat to businesses as it exploits common security controls that organizations rely on.

How DeepLoad Works

DeepLoad initially appears through ClickFix, where attackers present a fake browser error page and instruct users to input a PowerShell command into their Windows Run dialog to 'fix' the issue. This command creates a scheduled task that re-executes the malware loader on every reboot, utilizing mshta.exe—a legitimate Windows utility—to fetch an obfuscated payload from attacker-controlled infrastructure. Notably, the staging domains for this malware were serving malicious content within just 22 minutes of going live, providing response teams with minimal time to react.

Credential Stealing Mechanism

The malware drops a credential stealer named filemanager.exe, which blends into process lists and operates on its own command-and-control channel, allowing it to steal data even if the primary loader is blocked. Additionally, it deploys a malicious browser extension that captures passwords and session tokens as users type, persisting across sessions until manually removed. Within ten minutes of infection, DeepLoad can propagate to USB drives, creating over 40 disguised installer files—including fake shortcuts for popular applications like Chrome and AnyDesk—ready to trigger full infections on any machine they touch.

Evasion Techniques

DeepLoad's evasion techniques are particularly advanced. Its PowerShell loader is padded with thousands of meaningless variable assignments, making it difficult for traditional security tools to detect. The actual malicious logic is buried within this padding, employing a short XOR decryption routine to decrypt shellcode in memory, ensuring no decoded payload touches the disk. ReliaQuest analysts believe that the obfuscation layer is likely generated by AI, enabling attackers to quickly rebuild and redeploy new variants before defenders can adjust their detection strategies.

Injection and Execution

Once operational, the loader uses PowerShell’s Add-Type feature to compile a fresh C# injector on the fly, producing a randomly named DLL that signature-based tools cannot match. The malware then injects itself into trusted Windows processes, such as LockAppHost.exe, which typically does not initiate outbound connections, making it less likely to be monitored by security tools. This process allows DeepLoad to execute its shellcode without leaving a trace on the disk.

How to Protect Yourself

To defend against DeepLoad, security teams are advised to enable PowerShell Script Block Logging to capture decoded runtime commands, audit all WMI event subscriptions on affected hosts, and ensure that every credential reachable from a confirmed infected host is rotated immediately. Additionally, all USB drives connected to affected endpoints should be audited before reuse, and any unauthorized browser extensions must be removed from affected systems. Endpoint monitoring should shift from file-based scanning to behavioral detection, utilizing EDR telemetry and memory scanning techniques to identify and mitigate threats effectively.