DeepLoad malware uses ClickFix, AI obfuscation, and WMI persistence
Malware Activity
Summary
The DeepLoad malware family is actively using ClickFix lures and AI-generated obfuscation to steal enterprise credentials from Windows systems, increasing the risk of account takeover. It hides in a Windows lock screen process and uses WMI persistence so it can reinfect hosts after removal. Researchers also saw evidence of USB propagation, which could spread the malware to additional victims.
Related Happenings
DeepLoad credential-stealing malware activity with WMI persistence
Malware Activity
First: 31.03.2026 00:25
Last: 31.03.2026 00:25
Sources: 1
About this happening:
The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...
DeepLoad ClickFix loader with browser-credential theft and WMI reinfection
Malware Activity
First: 30.03.2026 18:47
Last: 30.03.2026 18:47
Sources: 1
About this happening:
The **DeepLoad** malware loader now uses **ClickFix** delivery to compromise Windows hosts, raising the risk of credential theft and reinfection. It abuses **mshta.exe**, obfuscat...
ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
First: 26.01.2026 23:42
Last: 26.01.2026 23:42
Sources: 1
About this happening:
A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...
Timeline
30.03.2026 15:00 · 2 articles
DeepLoad malware uses ClickFix, AI obfuscation, and WMI persistence
Initial Disclosure
DeepLoad first emerged in **February** as a credential-stealing malware family distributed through dark web marketplaces. Its early phase focused on **cryptocurrency wallets**, before the targeting broadened to **enterprise credentials** and persistent reinfection.
Sources:
- DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection — www.infosecurity-magazine.com — 30.03.2026 15:00