
DeepLoad malware campaign leverages AI-generated obfuscation and ClickFix for persistent credential theft

3 unique sources, 3 articles

Summary


A malicious campaign named DeepLoad is actively targeting enterprise networks to steal user credentials and maintain persistent access. The malware combines ClickFix social engineering, which tricks users into executing PowerShell commands through the Windows Run dialog, with delivery via compromised websites or SEO-poisoned search results. DeepLoad hides its functional payload beneath layers of AI-generated obfuscation code made up of meaningless variable assignments, evading file-based detection. It leverages the Windows lock screen process 'LockAppHost.exe' and abuses Windows Management Instrumentation (WMI) to achieve persistence, automatically re-infecting systems three days after initial removal without additional user or attacker action. The campaign spreads to USB drives within minutes of infection, deploying decoy shortcut files such as 'ChromeSetup.lnk' and 'Firefox Installer.lnk' to enable lateral movement. DeepLoad deploys a standalone credential stealer ('filemanager.exe') that exfiltrates stored browser passwords, and a malicious browser extension that intercepts real-time keystrokes during login sessions. Impact includes unauthorized access to enterprise accounts, potential data exfiltration, and a sustained foothold in compromised networks despite apparent cleanup efforts.

Timeline

  1. 30.03.2026 15:00 · 3 articles

    DeepLoad malware campaign expands targeting to enterprise credentials with AI-enhanced evasion

    New research from ReliaQuest confirms DeepLoad steals credentials immediately upon gaining a foothold, capturing stored browser passwords and real-time keystrokes via a standalone stealer ('filemanager.exe') and a malicious browser extension that persists across sessions. The loader contains thousands of lines of AI-generated junk code designed to overwhelm static scanning tools, with its functional code unpacked entirely in memory during execution. Payload injection occurs into 'LockAppHost.exe' using a short decryption routine, while PowerShell's Add-Type feature compiles a temporary DLL with randomized filenames in the Temp directory for each execution to evade file-based detection. Additionally, the malware disables PowerShell command history to obscure its activities. Within minutes of initial infection, DeepLoad propagates to connected USB drives, writing over 40 disguised files including Chrome setup files, Firefox installers, and AnyDesk shortcuts to enable lateral movement. USB propagation may be campaign-specific rather than a built-in feature of DeepLoad. Standard remediation efforts are insufficient due to WMI-based persistence that re-executes the attack three days after cleanup; organizations are advised to audit and remove WMI event subscriptions, enable PowerShell Script Block Logging, and change all associated credentials during remediation. The obfuscation's AI generation suggests future evolution toward environment-tailored padding, complicating behavioral baselining.

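Two of the remediation steps above, auditing WMI event subscriptions and confirming that PowerShell Script Block Logging is enforced, can be scripted for a responder. The PowerShell below is an added example written for this page, not code from ReliaQuest or from the CyberHappenings timeline; it relies only on the standard `root/subscription` WMI namespace and the Group Policy registry key for Script Block Logging, and the function names and the keyword heuristic are this example's own choices.

```powershell
# Added example (defender tooling); not code from the page or the research it summarizes.
# Inventories permanent WMI event subscriptions (the persistence mechanism described above),
# offers a confirm-before-delete removal helper, and checks the Script Block Logging policy.
# Run from an elevated PowerShell session.

function Get-WmiEventSubscription {
    [CmdletBinding()]
    param()

    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction Stop)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction Stop)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction Stop)

    foreach ($b in $bindings) {
        # Reference properties are returned as CimInstances whose key property is Name.
        $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                   elseif ($consumer.ScriptText)      { $consumer.ScriptText }
                   else                               { $null }

        [pscustomobject]@{
            FilterName   = $b.Filter.Name
            Query        = $filter.Query          # WQL trigger, e.g. a timer or process-start event
            ConsumerName = $b.Consumer.Name
            ConsumerType = $consumer.CimClass.CimClassName
            Payload      = $payload
            # Heuristic only (this example's own): script hosts or hidden windows in a consumer deserve review.
            Suspicious   = [bool]($payload -match '(?i)powershell|-enc|-w(indowstyle)?\s+hidden|cmd(\.exe)?\s+/c|wscript|mshta')
        }
    }
}

function Remove-WmiEventSubscription {
    # Removes the binding first, then the filter and consumer it joined.
    # Supports -WhatIf / -Confirm so nothing is deleted before the inventory has been reviewed.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )

    $ns = 'root/subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName -and $_.Consumer.Name -eq $ConsumerName } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess("binding $FilterName -> $ConsumerName")) { Remove-CimInstance -InputObject $_ } }

    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Where-Object { $_.Name -eq $FilterName } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess("filter $FilterName")) { Remove-CimInstance -InputObject $_ } }

    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess("consumer $ConsumerName")) { Remove-CimInstance -InputObject $_ } }
}

function Test-ScriptBlockLogging {
    # Group Policy (or MDM) writes the setting here; a REG_DWORD of 1 means logging is enforced.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    [pscustomobject]@{
        Enabled    = ($value -eq 1)
        PolicyPath = $key
    }
}

# Usage: inventory first, verify logging, and only then remove a confirmed-malicious subscription.
Get-WmiEventSubscription | Format-List
Test-ScriptBlockLogging
# Remove-WmiEventSubscription -FilterName 'NAME_FROM_INVENTORY' -ConsumerName 'NAME_FROM_INVENTORY' -WhatIf
```

The inventory joins the three classes through the binding rather than listing filters alone, because an orphaned filter or consumer cannot fire; only a complete filter-to-consumer binding re-executes a payload, which is why the page's guidance to audit subscriptions (not just scheduled tasks) matters for a re-infection that occurs days after cleanup. The `Suspicious` flag is a review aid, not a verdict: legitimate management agents also register consumers, so compare each entry against known baselines before removal.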


Similar Happenings

Torg Grabber infostealer expands to 850 browser extensions including 728 crypto wallets

A new info-stealing malware family named Torg Grabber has been identified targeting 850 browser extensions, with over 700 focused on cryptocurrency wallets. Initial access is achieved via the ClickFix technique, involving clipboard hijacking and users tricked into executing malicious PowerShell commands. The malware rapidly evolves, with 334 unique samples compiled in three months and weekly registration of new command-and-control (C2) servers. Torg Grabber employs advanced anti-analysis, multi-layered obfuscation, direct syscalls, and reflective loading to evade detection. It exfiltrates data over HTTPS via Cloudflare, supports chunked uploads, and includes mechanisms to bypass browser cookie protection. The malware targets credentials, cookies, autofill data, and files from 25 Chromium-based browsers and 8 Firefox variants, alongside a wide range of applications including password managers, 2FA tools, messaging platforms, VPNs, and desktop crypto wallets.

Hive0163 Deploys AI-Assisted Slopoly Malware for Persistent Access

Hive0163, a financially motivated threat actor, has been observed using a new AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks. The malware, discovered in early 2026, is part of a command-and-control (C2) framework and was deployed during the post-exploitation phase of an attack. Slopoly is believed to have been developed with the help of a large language model (LLM), although it lacks advanced polymorphic capabilities. The malware functions as a backdoor, beaconing system information to a C2 server and executing commands. Hive0163 is also known for using other malicious tools like NodeSnake, Interlock RAT, and JunkFiction loader in their operations. The attack leveraged the ClickFix social engineering tactic to trick victims into running a PowerShell command. Hive0163 uses initial access brokers like TA569 and TAG-124 for establishing a foothold. The Interlock ransomware payload is a 64-bit Windows executable delivered via the JunkFiction loader, and Hive0163 may have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.

TikTok Videos Distribute Infostealers via ClickFix Attacks

Cybercriminals are using TikTok videos to distribute information-stealing malware through ClickFix attacks. The videos, disguised as activation guides for popular software like Windows, Spotify, and Netflix, trick users into executing malicious PowerShell commands. These commands download and execute Aura Stealer malware, which steals credentials, cookies, and cryptocurrency wallets. The campaign has been ongoing and is similar to one observed by Trend Micro in May 2025.

COLDRIVER APT Group Uses ClickFix Tactics to Deliver BAITSWITCH and SIMPLEFIX Malware

The COLDRIVER APT group, also known as Star Blizzard, has intensified its operations since May 2025, rapidly developing and refining its malware arsenal. The group has launched a new campaign using ClickFix tactics to deliver three new malware families: NOROBOT, YESROBOT, and MAYBEROBOT. These malware families are connected via a delivery chain and target individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. The attack chain involves tricking victims into running a malicious DLL via a fake CAPTCHA check, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server. The campaign aligns with COLDRIVER's known victimology, focusing on civil society members connected to Russia. The group has been active since 2019, using spear-phishing and custom tools like SPICA and LOSTKEYS. The latest campaign demonstrates the group's continued use of effective infection vectors, despite their lack of technical sophistication.

The malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively. The COLDRIVER group has been deploying the new malware set more aggressively than any previous campaigns. The new malware set replaces the previous primary malware LOSTKEYS, which has not been observed since its public disclosure in May 2025. The attack starts with a 'ClickFix-style' phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they're 'not a robot'. The malware uses a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry. The malware fetches a self-extracting Python 3.8 installer, two encrypted Python scripts, and a scheduled task to ensure persistence. The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server. The COLDRIVER group abandoned YESROBOT after just two weeks due to its cumbersome and easily detectable nature. The COLDRIVER group switched to MAYBEROBOT, a more flexible PowerShell-based backdoor, around June 2025. MAYBEROBOT uses a custom C2 protocol with commands to download and execute files, run commands via cmd.exe, and execute PowerShell blocks. The COLDRIVER group has been constantly evolving the NOROBOT malware to evade detection systems. The group has been using the NOROBOT and MAYBEROBOT malware families on targets previously compromised through phishing to acquire additional intelligence value from information on their devices directly.

The PhantomCaptcha campaign targeted Ukrainian regional government administration and organizations critical for the war relief effort, including the International Committee of the Red Cross, UNICEF, and various NGOs. The campaign began on October 8, 2025, and used a malicious "I am not a robot" CAPTCHA challenge to execute a PowerShell command, installing malware on victims' systems. The malware operated in three stages: a downloader script, a reconnaissance module, and a WebSocket-based RAT. The campaign's infrastructure was active for just one day, with backend servers remaining online to manage infected devices. The PhantomCaptcha campaign is linked to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services.

The latest incidents were reported in May and June 2025 by two organizations, including Reporters Without Borders (RSF). The group is known for impersonating trusted contacts and prompting targets to request missing or malfunctioning attachments. In one case involving RSF in March 2025, a ProtonMail address mimicking a legitimate contact sent a French-language email asking a core member to review a document. No file was attached. When the member requested it, the operators replied in English with a link routed through a compromised website to a ProtonDrive URL. However, the file itself could not be retrieved because ProtonMail had blocked the associated account. A second victim received a file labeled as a PDF that was actually a ZIP archive disguised with a .pdf extension. The final stage of the attack used a typical Calisto decoy PDF that claimed to be encrypted and instructed the user to open it in ProtonDrive. The link again sent the target through a redirector hosted on a compromised website.

The phishing kit analyzed by TDR, located on account.simpleasip[.]org, appeared to be custom built. It targeted ProtonMail accounts using an Adversary-in-the-Middle (AiTM) setup that relays two-factor authentication (2FA). Analysts found injected JavaScript designed to keep the cursor locked to the password field and to interact with an attacker-controlled API for handling CAPTCHA and 2FA prompts. Star Blizzard's infrastructure included servers hosting phishing pages and others serving as API endpoints. Many domains were tied to Namecheap services, while some earlier ones were registered via Regway, which helped analysts track the cluster over time.

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

Microsoft and Malwarebytes have disclosed a **DNS-based ClickFix variant** that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (**84[.]21.189[.]20**), which then deploys **ModeloRAT** via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including **ConsentFix** (Azure CLI OAuth abuse), **CrashFix** (malicious Chrome extensions triggering browser crashes), and **SyncAppvPublishingServer.vbs** (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign’s adaptability, leveraging **trusted native tools** (`nslookup`), **DNS as a C2 channel**, and **psychological manipulation** (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with **cross-platform targeting** (Windows/Linux/macOS), **AI platform abuse** (ChatGPT, Grok, Claude), and **weaponized SaaS infrastructure** (Google Groups, Pastebin) to distribute payloads like **Lumma Stealer** and **Odyssey Stealer**. The integration of **DNS staging**, **browser-native execution**, and **multi-stage loaders** underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via **social engineering**, **steganography**, and **legitimate service abuse**.