DeepLoad Malware Combines ClickFix With AI-Generated Code to Evade Detection
A new malware campaign called DeepLoad uses ClickFix social engineering and AI-generated obfuscation to steal enterprise credentials, with a WMI-based persistence mechanism that re-infects systems three days after removal.

Researchers at ReliaQuest have uncovered a sophisticated new malware campaign dubbed DeepLoad that combines ClickFix social engineering with AI-generated code obfuscation to steal enterprise credentials. The malware, detailed on March 30, represents an immediate threat to businesses, according to the researchers.
DeepLoad first appeared on dark web marketplaces in February, initially targeting cryptocurrency wallets. The campaign has since shifted to enterprise accounts and passwords, indicating a broader targeting strategy. The attackers use ClickFix, a social engineering technique in which a lure (typically a fake error message or verification prompt) walks the victim through pasting and running a command on their own machine, so the initial execution is performed by the user rather than by an exploit. The lures are likely delivered through compromised websites or SEO-poisoned search results.
To evade detection, DeepLoad buries its functional payload within a large volume of junk variable assignments, which defeats file-based scanners that look for known code patterns. The sheer volume of padding suggests AI-assisted generation, allowing attackers to produce and regularly alter the obfuscation layer at low cost. Organizations should therefore expect frequent updates to the malware and less time to adapt detection coverage between waves.
The malware runs under a Windows lock screen process, one that security tools rarely inspect, making the endpoint compromise harder to spot. DeepLoad abuses Windows Management Instrumentation (WMI) for persistence: if the initial payload is detected and removed, the WMI subscription re-infects the machine three days later, restoring the ability to steal passwords and session tokens. DeepLoad can also propagate via USB drives, potentially spreading to new victims.
To defend against DeepLoad, ReliaQuest recommends enabling PowerShell Script Block Logging, auditing WMI permanent event subscriptions on exposed hosts, and resetting user passwords after an infection. Because session tokens are stolen alongside passwords, a password reset alone is not enough; active sessions should be invalidated as well. The researchers emphasize that coverage needs to be behavior-based and built for fast iteration, as DeepLoad will adapt as defenders close gaps.
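The two host-side recommendations above can be carried out with built-in cmdlets. The script below is an added example written for this article; it is not ReliaQuest's tooling and not DeepLoad's code, and it does not contain DeepLoad indicators. It enables Script Block Logging through the documented policy registry key, then enumerates permanent WMI event subscriptions (filter, consumer and the binding that joins them) and flags any consumer that executes a command or script, which is the general shape of WMI persistence regardless of which malware family planted it. The namespace, class and registry names are standard Windows; the `$suspiciousPattern` list is an assumed heuristic to tune for your environment.

```powershell
# Added example: enable Script Block Logging and audit WMI permanent event subscriptions.
# Not the ReliaQuest report's tooling and not DeepLoad's code. Run from an elevated session.

# 1. Enable PowerShell Script Block Logging. Logged script blocks appear as event ID 4104
#    in the Microsoft-Windows-PowerShell/Operational log.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Enumerate permanent WMI subscriptions. Persistence needs all three objects:
#    an __EventFilter (the trigger), an __EventConsumer (the action) and a
#    __FilterToConsumerBinding that joins them. Removing only the dropped payload
#    leaves the binding in place, which is why a re-infection can follow a cleanup.
$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

# Consumer classes that run attacker-supplied content.
$execConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
# Assumed heuristic: strings commonly seen in malicious consumer payloads (tune per estate).
$suspiciousPattern = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|-enc|FromBase64String|DownloadString|IEX'

$report = foreach ($b in $bindings) {
    # With the CIM cmdlets the Filter/Consumer reference properties come back as partial
    # CimInstances carrying the key property Name, so resolve the full objects by name.
    $filter   = $filters   | Where-Object Name -eq $b.Filter.Name
    $consumer = $consumers | Where-Object Name -eq $b.Consumer.Name
    $type = $consumer.CimClass.CimClassName     # concrete subclass of __EventConsumer
    $payload = switch ($type) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { $null }
    }
    [pscustomobject]@{
        Filter       = $filter.Name
        Query        = $filter.Query            # WQL trigger; time-based triggers commonly poll Win32_LocalTime
        ConsumerType = $type
        Consumer     = $consumer.Name
        Payload      = $payload
        Suspicious   = ($type -in $execConsumers) -and ([string]$payload -match $suspiciousPattern)
    }
}

$report | Format-List

# 3. Once logging is on, pull recent script blocks for review (only available after step 1
#    has taken effect and PowerShell has run).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $suspiciousPattern } |
    Select-Object TimeCreated, Message

# To remove a confirmed malicious subscription, delete the binding first, then its
# consumer and filter, for example:  $b | Remove-CimInstance
```

Review every row, not just those marked Suspicious: legitimate products do register WMI subscriptions, and a filter that triggers on a timer or on `__InstanceModificationEvent` paired with a command-line consumer is the pattern to explain before declaring a host clean. Re-run the audit after cleanup, since the binding is what re-arms a delayed re-infection.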
The use of AI-generated code for obfuscation marks a significant evolution in malware development, lowering the barrier for attackers to create evasive payloads. This trend, combined with social engineering techniques like ClickFix, underscores the need for organizations to adopt advanced detection strategies that focus on behavior rather than static signatures.