www.infosecurity-magazine.com 3/30/2026, 1:21:56 PM

DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection

A newly uncovered malware campaign is combining ClickFix delivery with AI-generated evasion techniques to steal enterprise user accounts and passwords. The attacks are designed to provide intruders with persistent, credential-stealing access to networks, complete with a hidden mechanism that enables the malware to reactivate itself following an attempted removal.

The DeepLoad malware campaign has been detailed by ReliaQuest, which warned that it represents an “immediate” threat to businesses. DeepLoad appears to have first emerged on dark web marketplaces in February, originally focused on stealing cryptocurrency wallets. The additional focus on enterprise credentials suggests its targeting has become more wide-ranging.

As part of the campaign, the attackers harness ClickFix, a social engineering technique which tricks users into running malicious commands on their own machines. Researchers noted that initial activity was likely initiated via a compromised website or SEO-poisoned search result.

The malware hides inside a Windows lock screen process and uses a hidden persistence mechanism which abuses Windows Management Instrumentation to re-infect three days after removal, enabling continued theft of passwords and session tokens.
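A defender-side check for the WMI persistence described above, as an added example that is not from the article or from ReliaQuest. It assumes the persistence takes the form of a permanent WMI event subscription in `root\subscription` (the article only says WMI is abused); the variable and function names are illustrative.

```powershell
# Added example: list permanent WMI event subscriptions for review.
# Assumption: persistence is a filter/consumer/binding set in root\subscription.
# Run from an elevated PowerShell session; hits are leads to review, not verdicts.
$ns        = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# A consumer is identified by its class plus its Name key.
function Get-ConsumerKey($c) { '{0}:{1}' -f $c.CimSystemProperties.ClassName, $c.Name }

$report = foreach ($b in $bindings) {
    # Binding properties are references that carry the key (Name) of each side.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name } | Select-Object -First 1
    $c = $consumers | Where-Object { (Get-ConsumerKey $_) -eq (Get-ConsumerKey $b.Consumer) } |
         Select-Object -First 1
    $sid = if ($f.CreatorSID) {
        [System.Security.Principal.SecurityIdentifier]::new([byte[]]$f.CreatorSID, 0).Value
    }
    [pscustomobject]@{
        Filter       = $b.Filter.Name
        Query        = $f.Query            # WQL trigger that fires the consumer
        ConsumerType = $b.Consumer.CimSystemProperties.ClassName
        Consumer     = $b.Consumer.Name
        # CommandLineEventConsumer and ActiveScriptEventConsumer are the types that run code.
        Action       = @($c.CommandLineTemplate, $c.ExecutablePath,
                         $c.ScriptFileName, $c.ScriptText | Where-Object { $_ }) -join ' | '
        CreatorSID   = $sid                # account that registered the filter
    }
}
$report | Sort-Object ConsumerType | Format-List

# Filters with no binding never fire, but are still worth reviewing and cleaning up.
$boundFilters = $bindings | ForEach-Object { $_.Filter.Name }
$filters | Where-Object { $_.Name -notin $boundFilters } | Select-Object Name, Query
```

A clean Windows host normally shows the built-in "SCM Event Log Consumer" binding, so compare output against a known-good baseline rather than treating every entry as suspicious.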

Article by CyberSIXT