www.darkreading.com 3/30/2026, 10:24:36 PM

AI-Powered 'DeepLoad' Malware Steals Credentials, Evades Detection

'DeepLoad' is a new AI-powered malware strain that steals credentials immediately after gaining a foothold on a victim network, capturing both stored browser passwords and live keystrokes through a standalone stealer and a malicious browser extension. The malware's heavy obfuscation, reportedly generated by AI, and its use of process injection help it evade detection, while a persistence mechanism allows it to re-execute even after the host appears clean.

DeepLoad is distributed via the ClickFix social engineering technique, and a separate credential stealer process, filemanager[.]exe, can exfiltrate data even if the main loader is blocked, according to ReliaQuest. The browser extension is dropped alongside the loader and can capture credentials in real time as users type, persisting across browser sessions until it is removed.

In the ReliaQuest campaign, the malware also spread to connected USB drives within 10 minutes of infection, writing more than 40 files disguised as installers to the USB drive. Remediation is not straightforward: defenders should audit and remove rogue WMI event subscriptions on affected devices, enable PowerShell Script Block Logging and behavioural endpoint monitoring, rotate all credentials associated with the compromised system, and revoke active session tokens.

30 March 2026
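The two remediation steps above that lend themselves to automation are the WMI subscription audit and the Script Block Logging check. The script below is an added example written for this page; it is not code from the Dark Reading article, from ReliaQuest, or from the malware analysis. The article names no specific WMI filter or consumer used by DeepLoad, so the script does not search for one: it enumerates every filter-to-consumer binding in root\subscription, flags payloads that reference common loader tooling as "REVIEW" (a generic heuristic, not an indicator from this campaign), and deletes only the bindings whose filter names the analyst passes in -RemoveFilterName. It must run from an elevated session.

```powershell
# Added example (not from the article or ReliaQuest): audit WMI event-subscription
# persistence and make sure PowerShell Script Block Logging is on.
# The -RemoveFilterName values are supplied by the analyst after review; nothing
# is deleted automatically. Run elevated.
param(
    [string[]]$RemoveFilterName = @()
)

$ns = 'root\subscription'

# Persistence triad: __EventFilter (WQL trigger), __EventConsumer (payload) and
# __FilterToConsumerBinding (ties the two together). A malicious subscription
# needs all three, so removing the binding alone already breaks re-execution.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Generic review hints for loader-style consumers (assumed list, not campaign IOCs).
$suspect = 'powershell|pwsh|-enc|-e |wscript|cscript|mshta|rundll32|regsvr32|cmd\.exe|http'

foreach ($b in $bindings) {
    # Binding references resolve to key-only instances; Name is the key on both.
    $fName = $b.Filter.Name
    $cName = $b.Consumer.Name
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # The payload lives in a different property depending on the consumer class.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }
    $flag = if ($payload -match $suspect) { 'REVIEW' } else { '' }

    [pscustomobject]@{
        Filter   = $fName
        Query    = $f.Query
        Consumer = "$($c.CimClass.CimClassName):$cName"
        Payload  = $payload
        Flag     = $flag
    } | Format-List
}

# Remove only what the analyst has explicitly named: binding first, then the
# consumer and filter it pointed at.
foreach ($name in $RemoveFilterName) {
    $bindings | Where-Object { $_.Filter.Name -eq $name } | ForEach-Object {
        $cName = $_.Consumer.Name
        $_ | Remove-CimInstance
        $consumers | Where-Object Name -eq $cName | Remove-CimInstance
    }
    $filters | Where-Object Name -eq $name | Remove-CimInstance
    Write-Host "Removed WMI subscription '$name'"
}

# Script Block Logging: events land in Microsoft-Windows-PowerShell/Operational
# as ID 4104 once this policy value is set. Group Policy may overwrite a local
# registry change, so set it centrally in a managed environment.
$sblKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$current = (Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($current -ne 1) {
    New-Item -Path $sblKey -Force | Out-Null
    Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Write-Host 'Script Block Logging was off; enabled.'
} else {
    Write-Host 'Script Block Logging already enabled.'
}
```

Treat the REVIEW flag as a prompt to read the WQL query and payload, not as a verdict: legitimate management software (SCCM, some backup agents) also installs CommandLineEventConsumer bindings. A first run with no -RemoveFilterName gives the baseline; a second run with the confirmed filter names removes the persistence. Rotating credentials and revoking session tokens still has to follow, since the stealer may already have exfiltrated them.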


Article by CyberSIXT