Researchers have identified a new malware loader named DeepLoad, which is distributed through the ClickFix social engineering tactic. The attack chain begins with a fake technical support prompt that tricks users into executing PowerShell commands via the Windows Run dialog. DeepLoad utilizes AI-assisted obfuscation to bypass static scanning and employs advanced techniques such as APC injection and the PowerShell 'Add-Type' feature to compile C# code on the fly, effectively evading file-based detection by hiding within legitimate Windows processes like LockAppHost.exe.
Beyond its stealth capabilities, DeepLoad focuses on credential harvesting through browser password extraction and a malicious browser extension that intercepts login data in real time. It also features worm-like behavior by spreading via removable USB drives and maintains long-term persistence through Windows Management Instrumentation (WMI) event subscriptions. Additionally, the report highlights Kiss Loader, a separate Python-based loader that delivers Venom RAT through complex phishing chains involving Windows Internet Shortcut files and TryCloudflare-hosted resources.
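Two of the artifacts described above leave host-side traces a defender can check directly: the WMI event subscriptions used for persistence live in the `root\subscription` namespace, and commands typed into the Windows Run dialog (the ClickFix entry point) are recorded per user under the `RunMRU` registry key. The following PowerShell script, an added example that is not part of the report and not code from the malware or its authors, enumerates both and flags entries containing PowerShell-style launch or decoding strings. The `$suspect` keyword list is an assumed heuristic, not an indicator published by the report.

```powershell
# Added defender-side triage script (not from the report). Run in an elevated
# Windows PowerShell session; the RunMRU check is per-user (HKCU), so run it as
# the user who was targeted or load that user's hive first.

# Assumed heuristic: strings that are suspicious inside a persistence payload
# or a Run-dialog command. Tune for your environment.
$suspect = @('powershell', 'pwsh', '-enc', '-e ', 'FromBase64String',
             'Add-Type', 'IEX', 'Invoke-Expression', 'hidden', 'DownloadString')

function Test-SuspectString {
    param([string]$Text)
    # Return the heuristic keywords that occur in $Text (case-insensitive).
    if (-not $Text) { return @() }
    return @($suspect | Where-Object { $Text -match [regex]::Escape($_) })
}

function Get-WmiSubscriptionFindings {
    # Permanent WMI subscriptions are three objects: a filter (the trigger
    # query), a consumer (the action), and a binding that links them.
    $ns = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue

    foreach ($c in $consumers) {
        # CommandLineEventConsumer carries CommandLineTemplate;
        # ActiveScriptEventConsumer carries ScriptText.
        $payload = ($c.CimInstanceProperties |
                    Where-Object { $_.Name -in 'CommandLineTemplate', 'ScriptText' } |
                    ForEach-Object { $_.Value }) -join ' '
        $hits = Test-SuspectString $payload
        [pscustomobject]@{
            Check   = 'WMI consumer'
            Verdict = if ($hits.Count -gt 0) { 'SUSPICIOUS' } else { 'info' }
            Name    = $c.Name
            Class   = $c.CimClass.CimClassName
            Payload = $payload
            Matched = ($hits -join ',')
        }
    }
    foreach ($f in $filters) {
        # The WQL query shows what event fires the consumer (e.g. a timer or logon).
        [pscustomobject]@{ Check = 'WMI filter'; Verdict = 'info'; Name = $f.Name; Query = $f.Query }
    }
    foreach ($b in $bindings) {
        [pscustomobject]@{ Check = 'WMI binding'; Verdict = 'info'
                           Filter = $b.Filter.ToString(); Consumer = $b.Consumer.ToString() }
    }
}

function Get-RunMruFindings {
    # Explorer stores Run-dialog history as single-letter values ("a", "b", ...)
    # ordered by the MRUList value; each entry is stored as "<command>\1".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $mru = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $mru) { return }
    $mru.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object {
            $cmd  = [string]$_.Value -replace '\\1$', ''
            $hits = Test-SuspectString $cmd
            [pscustomobject]@{
                Check   = 'RunMRU'
                Verdict = if ($hits.Count -gt 0) { 'SUSPICIOUS' } else { 'info' }
                Entry   = $_.Name
                Command = $cmd
                Matched = ($hits -join ',')
            }
        }
}

# Print suspicious findings first so they are not buried among informational rows.
$findings = @(Get-WmiSubscriptionFindings) + @(Get-RunMruFindings)
$findings | Sort-Object { $_.Verdict -ne 'SUSPICIOUS' } | Format-List
```

A user who fell for a ClickFix prompt will usually have a `powershell` command in `RunMRU`, and a WMI consumer on a clean workstation should rarely reference PowerShell at all, so either row marked SUSPICIOUS is worth pulling the full command line and timeline for. The `Add-Type` compile step described in the report is not visible in these two artifacts; on Windows PowerShell it is better caught from process telemetry, where `csc.exe` spawning as a child of `powershell.exe` is the expected trace.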