Close Menu
    What's Hot

    Why Apple Sued OpenAI, New York Takes on Data Centers, and What to Know about Cyclosporiasis

    Elbridge Colby Exposes Trump’s America First Contradiction

    Republican Rifts Deepen Over $95 Billion Budget Plan for Iran War and SAVE Act

    Facebook X (Twitter) Instagram
    Trending
    • Why Apple Sued OpenAI, New York Takes on Data Centers, and What to Know about Cyclosporiasis
    • Elbridge Colby Exposes Trump’s America First Contradiction
    • Republican Rifts Deepen Over $95 Billion Budget Plan for Iran War and SAVE Act
    • In Canada, Wildfires Are Burning Through the Night. Firefighters Are Running Out of Time.
    • Ilhan Omar renews push for US to join ICC amid Trump pressure | Courts News
    • Salad Chains Are Seeing Foot Traffic Drop Over Cyclosporiasis Fears
    • Russian strikes threaten Ukraine’s Black Sea grain trade
    • The agent security gap: 54% of enterprises have already had an AI agent incident, and most still let agents share credentials
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

    adminBy adminMarch 30, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananMar 30, 2026Threat Intelligence / Browser Security

    DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

    A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad.

    “It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked,” ReliaQuest researchers Thassanai McCabe and Andrew Currie said in a report shared with The Hacker News.

    The starting point of the attack chain is a ClickFix lure that tricks users into running PowerShell commands by pasting the command into the Windows Run dialog under the pretext of addressing a non-existent issue. This, in turn, uses “mshta.exe,” a legitimate Windows utility to download and run an obfuscated PowerShell loader.

    The loader, for its part, has been found to conceal its actual functionality among meaningless variable assignments, likely in an attempt to deceive security tools. It’s assessed that the threat actors relied on an artificial intelligence (AI) tool to develop the obfuscation layer.

    Cybersecurity

    DeepLoad makes deliberate efforts to blend in with regular Windows activity and fly under the radar. This includes hiding the payload within an executable named “LockAppHost.exe,” a legitimate Windows process that manages the lock screen.

    In addition, the malware covers up its own tracks by disabling PowerShell command history and invoking native Windows core functions directly instead of relying on PowerShell’s built-in commands to launch processes and modify memory. In doing so, it bypasses common monitoring hooks that keep tabs on PowerShell-based activity.

    “To evade file-based detection, DeepLoad generates a secondary component on the fly by using the built-in PowerShell feature Add-Type, which compiles and runs code written in C#,” ReliaQuest said. “This produces a temporary Dynamic Link Library (DLL) file dropped into the user’s Temp directory.”

    This offers a way for the malware to sidestep file name-based detections, as the DLL is compiled every time it’s executed and written with a randomized file name.

    Another notable defense evasion tactic adopted by DeepLoad is the use of asynchronous procedure call (APC) injection to run the main payload inside a trusted Windows process without a decoded payload written to disk after launching the target process in a suspended state, writing shellcode into its memory, and then resuming the execution of the process.

    DeepLoad is designed to facilitate credential theft by extracting browser passwords from the host. It also drops a malicious browser extension that intercepts credentials as they are being entered on login pages and persists across user sessions unless it’s explicitly removed.

    A more dangerous feature of the malware is its ability to automatically detect when removable media devices like USB drives are connected and copy the malware-laced files using names like “ChromeSetup.lnk,” “Firefox Installer.lnk,” and “AnyDesk.lnk” so as to trigger the infection once it’s doubled-clicked.

    “DeepLoad used Windows Management Instrumentation (WMI) to reinfect a ‘clean’ host three days later with no user action and no attacker interaction,” ReliaQuest explained. “WMI served two purposes: It broke the parent-child process chains most detection rules are built to catch, and it created a WMI event subscription that quietly re-executed the attack later.”

    The goal, it appears, is to deploy multi-purpose malware that can perform malicious actions across the cyber kill chain and sidestep detection by security controls by avoiding writing artifacts to disk, blending into Windows processes, and spreading quickly to other machines.

    Cybersecurity

    The disclosure comes as G DATA detailed another malware loader dubbed Kiss Loader that’s distributed through Windows Internet Shortcut files (URL) attached to phishing emails, which then connects to a remote WebDAV resource hosted on a TryCloudflare domain to serve a secondary shortcut that masquerades as a PDF document.

    Once executed, the shortcut launches a WSH script responsible for running a JavaScript component, which proceeds to retrieve and execute a batch script that displays a decoy PDF, sets up persistence in the Startup folder, and downloads the Python-based Kiss Loader. In the final stage, the loader decrypts and runs Venom RAT, an AsyncRAT variant, using APC injection.

    It’s currently not known how widespread attacks deploying Kiss Loader are, and if it’s being offered under a malware-as-a-service (MaaS) model. That said, the threat actor behind the loader claims to be from Malawi.

    Browser ClickFix Credentials DeepLoad Malware Persistence steal WMI
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleSome airport wait times improve as TSA workers start to get paid
    Next Article Meta is testing an Instagram Plus subscription service with exclusive features
    admin
    • Website

    Related Posts

    The agent security gap: 54% of enterprises have already had an AI agent incident, and most still let agents share credentials

    July 16, 2026

    New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

    July 16, 2026

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Why Apple Sued OpenAI, New York Takes on Data Centers, and What to Know about Cyclosporiasis

    Elbridge Colby Exposes Trump’s America First Contradiction

    Republican Rifts Deepen Over $95 Billion Budget Plan for Iran War and SAVE Act

    In Canada, Wildfires Are Burning Through the Night. Firefighters Are Running Out of Time.

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by