Researchers at ReliaQuest have identified a new malware strain called DeepLoad that steals credentials immediately upon infection using a standalone stealer and a malicious browser extension. The malware is distributed via ClickFix social engineering and uses AI-generated junk code to evade static analysis tools. Its payload is injected into the legitimate Windows process LockAppHost.exe, and it establishes persistence via WMI event subscriptions that can re-execute the attack days after apparent remediation. DeepLoad also spreads to connected USB drives within minutes. Standard cleanup is insufficient; organizations must audit WMI subscriptions, enable PowerShell Script Block Logging, and rotate all credentials from affected systems.
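The two audit steps the summary recommends, as an added example written for this page (not ReliaQuest's or the article's code): it lists every persistent WMI event subscription with the filter query and the command or script its consumer would run, and checks whether Script Block Logging is switched on via policy. The function names and output layout are this example's own choices; run it from an elevated PowerShell session on the host under review.

```powershell
# Enumerate persistent WMI subscriptions: each binding joins an __EventFilter
# (the trigger, e.g. a timer or process-start query) to an __EventConsumer
# (the action). CommandLineEventConsumer and ActiveScriptEventConsumer are the
# classes that execute code, so their payload is surfaced for review.
function Get-WmiPersistence {
    $ns = 'root/subscription'
    $filters = Get-CimInstance -Namespace $ns -ClassName __EventFilter

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # CIM returns the Filter/Consumer references as key-only instances.
        $filter   = $filters | Where-Object Name -eq $b.Filter.Name
        $consumer = Get-CimInstance -Namespace $ns -ClassName $b.Consumer.CimClass.CimClassName |
                    Where-Object Name -eq $b.Consumer.Name

        $payload = switch ($b.Consumer.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
            }
            default                     { '(consumer does not execute code)' }
        }

        [pscustomobject]@{
            Filter        = $b.Filter.Name
            Query         = $filter.Query
            Consumer      = $b.Consumer.Name
            ConsumerClass = $b.Consumer.CimClass.CimClassName
            Payload       = $payload
        }
    }
}

# Script Block Logging is controlled by this policy key; the value must be 1.
# Without it, PowerShell run from a WMI consumer leaves no 4104 events to review.
function Test-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [bool]($v -and $v.EnableScriptBlockLogging -eq 1)
}

Get-WmiPersistence | Format-List
if (Test-ScriptBlockLogging) { 'Script Block Logging: enabled' } else { 'Script Block Logging: NOT enabled' }
```

Any binding whose payload you do not recognise, particularly one whose filter fires on a timer or on process creation, is the kind of re-execution trigger the summary describes and should be recorded before it is removed.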