Researchers have documented a new campaign that uses the ClickFix social engineering lure to run a previously undocumented loader called DeepLoad. The loader combines AI-assisted obfuscation, in-memory APC injection, and immediate credential theft to evade static detection. DeepLoad hides inside legitimate Windows processes (e.g., LockAppHost.exe), compiles randomized temporary DLLs via Add-Type, and uses WMI for stealthy reinfection and removable-media propagation. A related campaign distributes Kiss Loader, which in turn deploys Venom RAT. #DeepLoad #KissLoader
Keypoints
- The ClickFix lure tricks users into pasting a command into the Run dialog; that command invokes mshta.exe, which launches an obfuscated PowerShell loader.
- DeepLoad uses AI-assisted obfuscation and meaningless variable assignments to evade static and behavioral detection, and disables PowerShell history so the commands it ran are not recorded for later forensic review.
- The loader compiles randomized in-memory DLLs with Add-Type and uses APC injection to execute payloads inside trusted processes like LockAppHost.exe.
- DeepLoad steals browser credentials, installs a persistent malicious browser extension, spreads via renamed shortcut files on USB drives, and can reinfect hosts through WMI event subscriptions.
- A separate campaign distributes Kiss Loader via Internet Shortcut attachments, which ultimately deploys Venom RAT/AsyncRAT using similar APC injection and persistence techniques.
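Two of the artefacts listed above are cheap to hunt for on a single host: the Run dialog keeps a record of what a user pasted into it (the ClickFix step), and WMI event-subscription persistence lives in a fixed namespace that is easy to enumerate. The script below is an added example written for this page, not code from the report or from the DeepLoad sample; the keyword regex, the output shape and the function names are my own assumptions, since the report gives no indicators of compromise.

```powershell
# Added hunting example (not from the original report). Run in an elevated
# PowerShell on the Windows host being examined. The keyword pattern is an
# assumption chosen to catch mshta/PowerShell-style ClickFix one-liners and
# script-based WMI consumers; tune it for your environment.
$SuspiciousPattern = 'mshta|powershell|pwsh|-enc|-e |FromBase64String|Add-Type|' +
                     'iex|Invoke-Expression|wscript|cscript|DownloadString|Net\.WebClient'

function Get-RunMruEntry {
    # The Run dialog (Win+R) stores each command the user submitted under
    # HKCU\...\Explorer\RunMRU as "<command>\1"; MRUList orders them, newest first.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $order = [string]$props.MRUList
    $rank = 0
    foreach ($ch in $order.ToCharArray()) {
        $name = [string]$ch
        $raw = $props.PSObject.Properties[$name].Value
        if (-not $raw) { continue }
        $cmd = ([string]$raw) -replace '\\1$', ''   # strip the trailing "\1" marker
        $rank++
        [pscustomobject]@{
            Source     = 'RunMRU'
            Name       = "$name (#$rank)"
            Detail     = $cmd
            Suspicious = [bool]($cmd -match $SuspiciousPattern)
        }
    }
}

function Get-WmiSubscriptionPersistence {
    # Permanent WMI subscriptions are an __EventFilter (the trigger query)
    # bound to an __EventConsumer (the action). Only bound pairs actually fire,
    # so walk the bindings and resolve both sides.
    $ns = 'root/subscription'
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        # Filter/Consumer are references; their string form carries Name="...",
        # whether returned as a CimInstance or as a raw object path.
        $fName = if ("$($b.Filter)"   -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { "$($b.Filter)" }
        $cName = if ("$($b.Consumer)" -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { "$($b.Consumer)" }
        $filter   = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer
        # carries ScriptText; other consumer classes simply yield $null here.
        $payload = @($consumer.CommandLineTemplate, $consumer.ScriptText) -join ' '
        [pscustomobject]@{
            Source     = 'WMI'
            Name       = "$fName -> $cName ($($consumer.CimClass.CimClassName))"
            Detail     = "Query: $($filter.Query) | Action: $($payload.Trim())"
            Suspicious = [bool]($payload -match $SuspiciousPattern)
        }
    }
}

function Get-PSHistoryStatus {
    # The report says the loader disables PowerShell history. How it does so is
    # not stated; this check only reports the current PSReadLine setting and
    # whether the history file exists, as a starting point for that question.
    $opt = Get-PSReadLineOption -ErrorAction SilentlyContinue
    if (-not $opt) { return }
    [pscustomobject]@{
        Source     = 'PSReadLine'
        Name       = "HistorySaveStyle=$($opt.HistorySaveStyle)"
        Detail     = "HistorySavePath=$($opt.HistorySavePath) exists=$(Test-Path $opt.HistorySavePath)"
        Suspicious = [bool]($opt.HistorySaveStyle -eq 'SaveNothing')
    }
}

$findings = @(Get-RunMruEntry) + @(Get-WmiSubscriptionPersistence) + @(Get-PSHistoryStatus)
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Anything flagged in the RunMRU output is worth correlating with process-creation telemetry (a Run-dialog parent, explorer.exe, spawning mshta.exe which then spawns powershell.exe), and any __FilterToConsumerBinding on a workstation that nobody provisioned deserves a full dump of its filter query and consumer body before it is removed.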
Read More: https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html