{"id":11739,"date":"2026-03-31T10:04:59","date_gmt":"2026-03-31T10:04:59","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/31\/new-deepload-malware-uses-clickfix-and-ai-generated-evasion-to-breach-enterprise-networks\/"},"modified":"2026-03-31T10:04:59","modified_gmt":"2026-03-31T10:04:59","slug":"new-deepload-malware-uses-clickfix-and-ai-generated-evasion-to-breach-enterprise-networks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/31\/new-deepload-malware-uses-clickfix-and-ai-generated-evasion-to-breach-enterprise-networks\/","title":{"rendered":"New DeepLoad Malware Uses ClickFix and AI-Generated Evasion to Breach Enterprise Networks"},"content":{"rendered":"<p>New DeepLoad Malware Uses ClickFix and AI-Generated Evasion to Breach Enterprise Networks<\/p>\n<div>\n<p>A newly discovered malware named DeepLoad is targeting enterprise environments, turning a single user action into persistent, credential-stealing access that survives reboots and outlasts standard cleanup efforts.
<\/p>\n<p>What sets this campaign apart is how every stage of the attack was deliberately built to defeat the security controls that most organizations already depend on.<\/p>\n<p>DeepLoad arrives through ClickFix, where attackers display a fake browser error page and instruct employees to paste a PowerShell 
command into their Windows Run dialog to \u201cfix\u201d it.<\/p>\n<p>That one command creates a scheduled task that re-executes the loader on every reboot and uses mshta.exe, a legitimate Windows utility, to fetch an obfuscated payload from attacker-controlled infrastructure.<\/p>\n<p>The staging domains were already serving malicious content within 22 minutes of going live, giving response teams very little time to act.<\/p>\n<p><a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion\/\" id=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ReliaQuest analysts and researchers identified this campaign<\/a> while investigating active enterprise compromises. Their findings showed the full attack chain was built to outpace manual response from the very start.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/credential-theft-risks\/\" id=\"106554\" target=\"_blank\" rel=\"noreferrer noopener\">Credential theft<\/a> begins before the main chain finishes, and the malware spread to USB drives within ten minutes of infection, making the first host unlikely to be the only impacted system.<\/p>\n<p>The immediate business risk is real. DeepLoad drops a credential stealer called filemanager.exe \u2014 named to blend into any process list \u2014 that runs on its own command-and-control channel and steals data even if the primary loader is blocked.<\/p>\n<p>A malicious <a href=\"https:\/\/cybersecuritynews.com\/zap-owasp-pentest-kit\/\" id=\"140450\" target=\"_blank\" rel=\"noreferrer noopener\">browser extension<\/a> captures passwords and session tokens as users type them, persisting across sessions until removed. 
The malware also wrote over 40 disguised installer files to connected USB drives, including fake shortcuts for Chrome, Firefox, and AnyDesk, each ready to trigger a full infection on any machine they touch.<\/p>\n<p>Standard cleanup alone is not enough. 
A hidden WMI event subscription planted during the initial compromise sits outside standard remediation workflows, leaving the host ready to reinfect itself with no user action required.<\/p>\n<p>In one confirmed case, that subscription fired three days after the host appeared clean and silently dropped filemanager.exe back into the user\u2019s Downloads folder.<\/p>\n<h2 class=\"wp-block-heading\" id=\"ai-powered-evasion-and-process-injection\"><strong>AI-Powered Evasion and Process Injection<\/strong><\/h2>\n<p>DeepLoad avoids detection at every layer, making it hard to catch with traditional security tools. Its PowerShell loader is padded with thousands of meaningless variable assignments that make the script appear busy without performing any real work.<\/p>\n<p>The actual logic \u2014 a short XOR decryption routine \u2014 sits at the bottom and decrypts shellcode in memory, so no decoded payload touches disk.<\/p>\n<p>ReliaQuest researchers assessed with high confidence that AI generated this obfuscation layer, meaning new variants can be rebuilt and redeployed quickly before defenders have time to adjust detection coverage.<\/p>\n<p>Once running, the loader uses PowerShell\u2019s Add-Type feature to compile a fresh C# injector on the fly, producing a randomly named DLL that signature-based tools cannot match.<\/p>\n<p>The malware then selects a trusted Windows process to inject into \u2014 on investigated hosts, it chose LockAppHost.exe, the Windows lock screen process.<\/p>\n<p>Since LockAppHost.exe does not typically initiate outbound connections, most <a href=\"https:\/\/cybersecuritynews.com\/best-cloud-security-tools\/\" id=\"11635\" target=\"_blank\" rel=\"noreferrer noopener\">security tools<\/a> are not configured to monitor it. 
<\/p>\n<p>Through asynchronous procedure call (APC) injection, the loader places shellcode into that process\u2019s memory and triggers execution on resume, leaving no decoded payload on disk.<\/p>\n<p>Security teams should enable PowerShell Script Block Logging, since it captures decoded runtime commands and 
cuts through obfuscation.<\/p>\n<p>All WMI event subscriptions on affected hosts must be explicitly audited and cleared before any machine returns to production, as a surviving subscription can re-execute the attack days after cleanup.<\/p>\n<p>Every credential reachable from a confirmed infected host \u2014 saved passwords, session tokens, and active accounts \u2014 must be rotated immediately.<\/p>\n<p>All USB drives connected to affected endpoints should be audited before reuse. Browser extensions outside approved IT deployment paths must be removed from affected systems.<\/p>\n<p>Endpoint monitoring should shift from file-based scanning to behavioral, runtime detection using EDR telemetry and memory scanning.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-deepload-malware-uses-clickfix\/\">New DeepLoad Malware Uses ClickFix and AI-Generated Evasion to Breach Enterprise Networks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>
Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/new-deepload-malware-uses-clickfix\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New DeepLoad Malware Uses ClickFix and AI-Generated Evasion to Breach Enterprise Networks A newly discovered malware named DeepLoad is targeting enterprise environments, turning a single user action into persistent, credential-stealing access that survives reboots and outlasts standard cleanup efforts. What sets this campaign apart is how every stage of the attack was deliberately built to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11739","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11739"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11739"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11739\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v
2\/tags?post=11739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}