DeepLoad credential-stealing malware activity with WMI persistence
Malware Activity
Summary
The DeepLoad malware strain is stealing credentials immediately after infection, exposing stored browser passwords, live keystrokes, and active accounts in enterprise Windows environments. It uses ClickFix social engineering, mshta.exe, and a malicious browser extension to reach victims and capture data. The malware also adds WMI persistence, allowing it to re-run after partial cleanup. It can spread to connected USB drives as part of the same intrusion pattern, increasing reinfection risk.
Related Happenings
ClickFix attacks with PySoxy scheduled-task persistence
Malware Activity
First: 12.05.2026 15:00
Last: 12.05.2026 15:00
Sources 1
About this happening:
Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
DeepLoad ClickFix loader with browser-credential theft and WMI reinfection
Malware Activity
First: 30.03.2026 18:47
Last: 30.03.2026 18:47
Sources 1
About this happening:
The **DeepLoad** malware loader now uses **ClickFix** delivery to compromise Windows hosts, raising the risk of credential theft and reinfection. It abuses **mshta.exe**, obfuscat...
DeepLoad malware uses ClickFix, AI obfuscation, and WMI persistence
Malware Activity
First: 30.03.2026 15:00
Last: 30.03.2026 15:00
Sources 1
About this happening:
The **DeepLoad** malware family is actively using **ClickFix** lures and **AI-generated obfuscation** to steal **enterprise credentials** from **Windows** systems, increasing the...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware Activity
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
Latest development: 10.05.2026 20:52
A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.
Timeline
- 31.03.2026 00:25 · 2 articles
ReliaQuest discloses DeepLoad credential-stealing malware
Initial Disclosure: ReliaQuest disclosed DeepLoad, a Windows credential-stealing malware strain distributed through ClickFix social engineering in enterprise environments. The loader runs a standalone stealer named filemanager.exe, uses mshta.exe and a heavily obfuscated PowerShell loader, injects into LockAppHost.exe, captures stored browser passwords and live keystrokes through a malicious browser extension, and disables PowerShell command history. The investigation also found WMI event-subscription persistence that can re-run after cleanup, plus decoy Chrome setup files, Firefox installers, and AnyDesk shortcuts written to connected USB drives within 10 minutes of infection, and advised removing WMI subscriptions, enabling PowerShell Script Block Logging, and using behavioral endpoint monitoring.
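The two host-side measures advised above, surfacing WMI event-subscription persistence and turning on Script Block Logging, as an added defender-side example (not code from ReliaQuest or the article). It assumes an elevated Windows PowerShell 5.1 session on the host under review; the function names and the `$ns` variable are this example's own.

```powershell
# Added example, not from the disclosure. Assumes an elevated Windows PowerShell 5.1 session.
$ns = 'root\subscription'

# Reference properties of __FilterToConsumerBinding arrive as CimInstance objects from
# Get-CimInstance but as path strings ('__EventFilter.Name="x"') from Get-WmiObject.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

# Join each binding to its filter (the trigger) and consumer (what runs). A clean host
# normally has few or no bindings; a consumer launching mshta.exe or powershell.exe is
# the pattern described above and should be reviewed.
function Get-WmiPersistence {
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $f = $filters   | Where-Object Name -eq (Get-RefName $_.Filter)
        $c = $consumers | Where-Object Name -eq (Get-RefName $_.Consumer)
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query                       # WQL trigger, e.g. timer or logon
            ConsumerType = $c.CimClass.CimClassName
            # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
            Payload      = $(if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText })
        }
    }
}

# Remove one subscription by filter name once confirmed malicious: binding first, then the
# filter and consumer it referenced. -Confirm prompts before each deletion.
function Remove-WmiPersistence([string]$FilterName) {
    $binding = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName }
    $consumerName = Get-RefName $binding.Consumer
    $binding | Remove-CimInstance -Confirm
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object Name -eq $FilterName   | Remove-CimInstance -Confirm
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $consumerName | Remove-CimInstance -Confirm
}

# Script Block Logging writes event 4104 to Microsoft-Windows-PowerShell/Operational for every
# script block as it executes, so an obfuscated loader is logged in its de-obfuscated form.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$on  = (Get-ItemProperty -Path $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
if (-not $on) {
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1
}

Get-WmiPersistence | Format-List
```

Subscription creation itself is recorded as event 5861 in Microsoft-Windows-WMI-Activity/Operational, which is the source to watch for reinfection after cleanup.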
Sources
- AI-Powered 'DeepLoad' Malware Steals Credentials, Evades Detection — www.darkreading.com — 31.03.2026 00:25