DeepLoad credential-stealing malware activity with WMI persistence
Malware Activity
Summary
Hide ▲
Show ▼
The DeepLoad malware strain is stealing credentials immediately after infection, exposing stored browser passwords, live keystrokes, and active accounts in enterprise Windows environments. It uses ClickFix social engineering, mshta.exe, and a malicious browser extension to reach victims and capture data. The malware also adds WMI persistence, allowing it to re-run after partial cleanup. It can spread to connected USB drives as part of the same intrusion pattern, increasing reinfection risk.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware Activity
H score22
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
H score27
First: 18.06.2026 19:20
Last: 18.06.2026 19:20
Sources 1
About this happening:
A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware ActivityAbout this happening: A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
CampaignAbout this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware ActivityAbout this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
Timeline
-
31.03.2026 00:25 3 articles · 3mo ago
ReliaQuest discloses DeepLoad credential-stealing malware
Initial DisclosureReliaQuest disclosed DeepLoad, a Windows credential-stealing malware strain distributed through ClickFix social engineering in enterprise environments. The loader runs a standalone stealer named filemanager.exe, uses mshta.exe and a heavily obfuscated PowerShell loader, injects into LockAppHost.exe, captures stored browser passwords and live keystrokes through a malicious browser extension, and disables PowerShell command history. The investigation also found WMI event-subscription persistence that can re-run after cleanup, plus decoy Chrome setup files, Firefox installers, and AnyDesk shortcuts written to connected USB drives within 10 minutes of infection, and advised removing WMI subscriptions, enabling PowerShell Script Block Logging, and using behavioral endpoint monitoring.
Show sources
- AI-Powered 'DeepLoad' Malware Steals Credentials, Evades Detection — www.darkreading.com — 31.03.2026 00:25
- AI-Powered 'DeepLoad' Malware Steals Credentials, Evades Detection — www.darkreading.com — 31.03.2026 00:25
- ClickFix Now Cybercriminals' Favorite Malware Delivery Technique — www.infosecurity-magazine.com — 30.06.2026 15:00