Find notable cyber news and cases, enriched with sources, timelines, and signals.

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
First reported
Last updated
Happening score
H score 30
2 unique sources, 2 articles

Summary

Hide ▲

The DeepLoad malware strain is stealing credentials immediately after infection, exposing stored browser passwords, live keystrokes, and active accounts in enterprise Windows environments. It uses ClickFix social engineering, mshta.exe, and a malicious browser extension to reach victims and capture data. The malware also adds WMI persistence, allowing it to re-run after partial cleanup. It can spread to connected USB drives as part of the same intrusion pattern, increasing reinfection risk.

Related Happenings

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...

Mistic backdoor deployment via ClickFix and DLL side-loading

Malware Activity
H score22 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...

USB-spreading clipboard-stealing malware targeting cryptocurrency wallets

Malware Activity
H score27 First: 18.06.2026 19:20 Last: 18.06.2026 19:20 Sources 1

About this happening: A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...

Windows cryptocurrency clipper campaign targeting users via USB LNK worms

Campaign
H score32 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
H score40 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...

Timeline

  1. 31.03.2026 00:25 3 articles · 3mo ago

    ReliaQuest discloses DeepLoad credential-stealing malware

    Initial Disclosure

    ReliaQuest disclosed DeepLoad, a Windows credential-stealing malware strain distributed through ClickFix social engineering in enterprise environments. The loader runs a standalone stealer named filemanager.exe, uses mshta.exe and a heavily obfuscated PowerShell loader, injects into LockAppHost.exe, captures stored browser passwords and live keystrokes through a malicious browser extension, and disables PowerShell command history. The investigation also found WMI event-subscription persistence that can re-run after cleanup, plus decoy Chrome setup files, Firefox installers, and AnyDesk shortcuts written to connected USB drives within 10 minutes of infection, and advised removing WMI subscriptions, enabling PowerShell Script Block Logging, and using behavioral endpoint monitoring.

    Show sources