New DeepLoad Malware Dropped in ClickFix Attacks

A recently discovered malware family capable of stealing credentials and of intercepting browser interactions has been distributed using the ClickFix technique, ReliaQuest reports. Dubbed DeepLoad, the malware first emerged on a dark web cybercrime forum in early February, when ZeroFox saw it advertised as “a centralized panel for multiple types of malware”. The threat was described as capable of replacing cryptocurrency wallet applications and browser extensions with fake variants, of stealing victims’ credentials, and of installing a fraudulent browser extension. “DeepLoad’s design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive malware suite in the cybercrime-as-a-service (CaaS) environment,” ZeroFox said in February. Now, ReliaQuest says it observed the first in-the-wild campaign distributing DeepLoad to Windows systems, through the infamous ClickFix technique. As part of the campaign, the victims were served fake browser error messages instructing them to paste a command in Windows Run or a terminal to resolve a fake issue. The command resulted in the persistent execution of a PowerShell loader that dropped DeepLoad on the system. The malware was seen generating the secondary component on the fly, in the form of a DLL dropped in the Temp directory. Compiled on every execution and dropped with a different file name, the DLL evades detection. “The loader also wipes its own tracks by disabling PowerShell command history and calling Windows core functions directly instead of relying on PowerShell’s built-in commands, quietly sidestepping the most common monitoring hooks,” ReliaQuest notes. To blend into trusted Windows activity, DeepLoad was injected inside the legitimate lock screen management process LockAppHost.exe using asynchronous procedure call (APC) injection. ReliaQuest points out that this method allows the malware to evade detection because the injected process is typically not monitored by security tools, and because the payload is executed in memory without a decoded payload written to disk. DeepLoad was designed to steal the victim’s credentials right from the start, through a standalone credential stealer executed alongside the main loader. Credential exfiltration is also separated from the loader’s command-and-control (C&C) communication. Additionally, the malware would drop a rogue browser extension to intercept “everything a user does, putting everything from active logins and open tabs to session tokens and saved passwords at risk,” ReliaQuest notes. The cybersecurity firm also observed the malware spreading via USB drives, although it could not determine whether the functionality was implemented inside DeepLoad or staged by its operator. Related: Venom Stealer Raises Stakes With Continuous Credential Harvesting Related: 900 Sangoma FreePBX Instances Infected With Web Shells Related: ‘DKnife’ Implant Used by Chinese Threat Actor for Adversary-in-the-Middle Attacks Related: VoidLink Linux Malware Framework Targets Cloud Environments WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire TeamPCP Moves From OSS to AWS Environments CrewAI Vulnerabilities Expose Devices to Hacking Exploitation of Critical Fortinet FortiClient EMS Flaw Begins StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs Lloyds Data Security Incident Impacts 450,000 Individuals Huskeys Emerges From Stealth With $8 Million in Funding Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Telnyx Targeted in Growing TeamPCP Supply Chain Attack Latest News Toy Giant Hasbro Hit by Cyberattack Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome FBI Warns of Data Security Risks From China-Made Mobile Apps US Charges Uranium Crypto Exchange Hacker Webinar Today: Agentic AI vs. Identity’s Last Mile Problem Axios NPM Package Breached in North Korean Supply Chain Attack Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents Censys Raises $70 Million for Internet Intelligence Platform Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Moderna has promoted Farzan Karimi to Deputy Chief Information Security Officer. Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne. Token has appointed Katy Nelson as Chief Revenue Officer. More People On The Move Expert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Email