DEEPLOAD is a recently identified malware loader that uses the ClickFix social engineering tactic to deliver a PowerShell-based payload; ReliaQuest describes it as a campaign that blends AI-assisted obfuscation with process injection to evade static scanning while stealing credentials. The attack chain starts when a user is tricked, under a false pretext, into pasting a PowerShell command into the Windows Run dialog, after which mshta[.]exe downloads and runs an obfuscated loader.
DEEPLOAD hides its functionality among meaningless variable assignments and uses a legitimate Windows process, LockAppHost[.]exe, to blend in with normal activity; it also disables PowerShell command history and launches processes through native Windows API calls to dodge monitoring. It further evades detection by generating a temporary DLL via Add-Type in PowerShell and writing it to the Temp directory under a random name, thereby bypassing filename-based checks.
In addition to credential theft from browsers, the malware drops a malicious browser extension and can automatically detect removable media to replicate itself with names like ChromeSetup[.]lnk and Firefox Installer[.]lnk; it also uses Windows Management Instrumentation (WMI) to reinfect a clean host days later, creating a stealthy event subscription to re-execute the attack, according to ReliaQuest.
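The behaviours reported above (mshta launched from the Run dialog, an Add-Type DLL in Temp, LockAppHost under PowerShell, lure LNKs on removable media, and a WMI subscription that re-runs PowerShell) map to a small set of hunt rules. The following is an added example of that detection logic over constructed Sysmon-style events; it is not ReliaQuest's code, and the event field names, the 8-character Temp DLL name and the "LockAppHost.exe should not have a PowerShell parent" rule are assumptions made for the example.

```python
"""Hunt constructed Sysmon-style events for the DEEPLOAD tradecraft described in the text."""
import re

# Lure file names the report gives for the removable-media copies.
LNK_LURES = {"chromesetup.lnk", "firefox installer.lnk"}
# Add-Type compiles to a randomly named DLL under %TEMP% (8-char name is an assumption).
TEMP_DLL = re.compile(r"\\temp\\[a-z0-9_]{8}\.dll$", re.I)
URL = re.compile(r"https?://", re.I)


def base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check(ev):
    """Return the names of the hunt rules a single event matches (empty if benign)."""
    hits = []
    if ev["type"] == "process":
        img, parent = base(ev["image"]), base(ev["parent"])
        # ClickFix: Run dialog (explorer.exe) launching mshta.exe with a remote URL.
        if img == "mshta.exe" and parent == "explorer.exe" and URL.search(ev["cmd"]):
            hits.append("mshta_remote_from_run")
        # Assumption: LockAppHost.exe is normally started by svchost.exe, never by PowerShell.
        if img == "lockapphost.exe" and parent in ("powershell.exe", "pwsh.exe"):
            hits.append("lockapphost_abnormal_parent")
    elif ev["type"] == "file":
        img, target = base(ev["image"]), ev["target"]
        if img in ("powershell.exe", "pwsh.exe") and TEMP_DLL.search(target):
            hits.append("add_type_temp_dll")
        # Lure LNK written to a drive other than the system drive (removable media).
        if base(target) in LNK_LURES and not target.lower().startswith("c:\\"):
            hits.append("removable_media_lnk")
    elif ev["type"] == "wmi":
        # Permanent WMI subscription whose consumer runs PowerShell (reinfection persistence).
        if "commandlineeventconsumer" in ev["consumer"].lower() and "powershell" in ev["cmd"].lower():
            hits.append("wmi_powershell_consumer")
    return hits


def hunt(events):
    """Map event index -> matched rules for every event that matched at least one rule."""
    result = {}
    for i, ev in enumerate(events):
        hits = check(ev)
        if hits:
            result[i] = hits
    return result


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe", "cmd": "mshta.exe https://example.invalid/lure"},
    {"type": "file", "image": PS, "target": r"C:\Users\u\AppData\Local\Temp\k3j9x1qz.dll"},
    {"type": "process", "image": r"C:\Windows\System32\LockAppHost.exe", "parent": PS, "cmd": "LockAppHost.exe"},
    {"type": "file", "image": PS, "target": r"E:\ChromeSetup.lnk"},
    {"type": "wmi", "consumer": "CommandLineEventConsumer", "cmd": "powershell.exe -enc AAAA"},
    {"type": "process", "image": r"C:\Windows\System32\LockAppHost.exe", "parent": r"C:\Windows\System32\svchost.exe", "cmd": "LockAppHost.exe"},  # benign
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first five events and leaves the benign LockAppHost start alone; in production the same rules would be fed from Sysmon event IDs 1 (process), 11 (file) and 19-21 (WMI).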