DeepLoad malware campaign leverages AI-generated obfuscation and ClickFix for persistent credential theft
Summary
A malicious campaign named DeepLoad is actively targeting enterprise networks to steal user credentials and maintain persistent access. The malware relies on ClickFix social engineering to trick users into executing malicious commands themselves, with the lure typically delivered through compromised websites or SEO-poisoned search results. DeepLoad hides its functional payload within layers of AI-generated obfuscation code, evading file-based detection. It hides among Windows lock screen processes and abuses Windows Management Instrumentation (WMI) to achieve persistence, re-infecting systems three days after initial removal. The campaign also spreads via USB drives, increasing its lateral movement potential. Impact includes unauthorized access to enterprise accounts, potential data exfiltration, and a sustained foothold in compromised networks.
Timeline
- 30.03.2026 15:00 (1 article)
DeepLoad malware campaign expands targeting to enterprise credentials with AI-enhanced evasion
First observed in dark web markets in February 2026 as a cryptocurrency wallet stealer, DeepLoad has since evolved to target enterprise credentials. The campaign now employs AI-generated obfuscation within its payload, ClickFix social engineering, and WMI-based persistence mechanisms. The malware’s adaptive nature and lateral movement via USB drives indicate an ongoing, active threat requiring immediate defensive measures.
- DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection — www.infosecurity-magazine.com — 30.03.2026 15:00
Information Snippets
- DeepLoad malware campaign combines ClickFix social engineering with AI-generated obfuscation to steal enterprise credentials and achieve persistence.
  First reported: 30.03.2026 15:00 (1 source, 1 article)
- Attackers use compromised websites or SEO-poisoned search results to deliver malicious links or files, often disguised as work-related downloads.
  First reported: 30.03.2026 15:00 (1 source, 1 article)
- The functional payload is embedded within meaningless variable assignments generated via AI, making static detection difficult.
  First reported: 30.03.2026 15:00 (1 source, 1 article)
- DeepLoad hides within Windows lock screen processes and abuses WMI to maintain persistence, re-infecting systems three days after removal.
  First reported: 30.03.2026 15:00 (1 source, 1 article)
- The malware propagates via USB drives, enabling lateral movement to new systems.
  First reported: 30.03.2026 15:00 (1 source, 1 article)
- Initial targeting focused on cryptocurrency wallets, but has since expanded to enterprise credentials.
  First reported: 30.03.2026 15:00 (1 source, 1 article)
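The summary and the snippets above say DeepLoad abuses WMI for persistence but do not name the WMI mechanism involved. The most common WMI persistence technique is a permanent event subscription (an `__EventFilter` bound to an executing `__EventConsumer` in `root\subscription`), so the hunt below enumerates those objects on a host. This is an added defensive example, not code from the source article or from the malware; the assumption that DeepLoad's persistence lives in `root\subscription` is ours, and the script is a generic check that is useful regardless of which campaign is suspected.

```powershell
# Added example (not from the source article): enumerate WMI permanent event
# subscriptions, a common WMI persistence technique, and flag the ones that
# execute commands or scripts. Run in an elevated PowerShell session.
# Assumption: the campaign's WMI persistence uses root\subscription objects;
# the article does not say which WMI classes are abused.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter              -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer            -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding  -ErrorAction SilentlyContinue

"== Event filters (the trigger: a WQL query that fires the subscription) =="
$filters | Select-Object Name, Query | Format-Table -AutoSize -Wrap

"== Event consumers (the action taken when the filter fires) =="
$consumers | ForEach-Object {
    $type = $_.CimClass.CimClassName
    $action = switch ($type) {
        'CommandLineEventConsumer'  { $_.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($_.ScriptFileName) { $_.ScriptFileName } else { $_.ScriptText } }
        default                     { '(non-executing consumer type)' }
    }
    [pscustomobject]@{ Name = $_.Name; Type = $type; Action = $action }
} | Format-Table -AutoSize -Wrap

"== Bindings (which filter drives which consumer) =="
$bindings | Select-Object Filter, Consumer | Format-Table -AutoSize -Wrap

# Executing consumer types are the ones that can re-launch a payload; anything
# here that is not an expected, documented entry deserves a closer look.
$executing = @($consumers | Where-Object {
    $_.CimClass.CimClassName -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
})
if ($executing.Count -gt 0) {
    Write-Warning "Found $($executing.Count) executing WMI consumer(s); review their actions and the filters bound to them."
} else {
    "No command-line or script-executing WMI consumers found in $ns."
}
```

A default Windows install carries only a handful of entries here (the `SCM Event Log Filter` / `SCM Event Log Consumer` pair is a known benign one), so any `CommandLineEventConsumer` or `ActiveScriptEventConsumer` that nobody can account for is worth pulling apart. The `Query` column of the filter is the part to read for a campaign that re-infects on a delay, as this article reports: a trigger keyed to the clock, system start-up, or user logon is what turns a one-off infection into the recurring one described above. Removing the three objects (binding, consumer, filter) with `Remove-CimInstance` clears the subscription, but the dropped payload and any other persistence (the article also mentions lock screen processes and USB propagation) still have to be found separately.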