Using the techniques in tandem helps hackers evade detection, a security firm said.
- Hackers may be using AI to hide malware that steals user credentials from enterprise environments as part of an alarming new attack campaign, according to ReliaQuest.
- The malware’s combination of AI-enabled obfuscation and delivery via the stealthy “ClickFix” technique makes it a potent threat to watch out for, researchers said in a report published on Monday.
- ReliaQuest urged organizations to perform ongoing behavioral analysis of computers on their networks to catch the malware in the act, given that its fileless operations can bypass more traditional static defenses.
DeepLoad, a newly identified malware strain, is raising alarms across the cybersecurity landscape by combining two rapidly evolving attack trends: the ClickFix delivery method and AI-driven obfuscation techniques. Security researchers warn that this approach significantly increases the difficulty of detection and response, marking a new phase in sophisticated cyberattacks.
The ClickFix technique, which has gained traction in recent years, relies on deceiving users into executing seemingly harmless commands in Windows Terminal or PowerShell. These actions, often perceived as routine or safe, can grant attackers extensive system access. Because the method depends on legitimate user behavior, it can easily bypass traditional security controls designed to detect malicious activity.
In the DeepLoad campaign, a single PowerShell command is sufficient to establish persistent access. Once executed, the malware creates a scheduled task that ensures it can survive system reboots and continuously reinitiate itself. It then leverages mshta.exe, a legitimate Windows utility commonly exploited for remote script execution, to connect with attacker-controlled infrastructure and download additional malicious components.
What makes DeepLoad particularly dangerous is its use of heavily obfuscated code. The PowerShell loader associated with the malware contains thousands of meaningless variable assignments designed to resemble normal scripting activity. This overwhelming volume of “noise” conceals the malicious logic embedded within it, making the threat extremely difficult for static analysis tools to identify.
Researchers believe that such large-scale code obfuscation is unlikely to have been created manually. Instead, the consistency and complexity suggest the use of artificial intelligence, enabling attackers to generate sophisticated malware at unprecedented speed. This development highlights how AI is not only being used for defensive cybersecurity measures but is also empowering threat actors to scale and refine their attacks.
Traditional detection tools struggle to analyze such dense and noisy code, prompting security experts to recommend more advanced monitoring techniques. One key defense strategy is enabling PowerShell Script Block Logging, a Microsoft security feature that records the content of PowerShell script blocks as they execute. This allows organizations to detect suspicious command execution even when the code itself is heavily obfuscated.
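The following is an added example, not code from ReliaQuest or from the article, showing how a defender would enable Script Block Logging and then triage the resulting event log entries for the filler-heavy loader pattern the report describes. The registry path, log name and event ID are Microsoft's real ones; the scoring thresholds and the `Get-ScriptBlockRisk` helper are assumptions chosen for illustration, not published indicators.

```powershell
# Added example (not ReliaQuest's tooling): enable PowerShell Script Block
# Logging and flag logged script blocks that look like the DeepLoad loader
# (thousands of filler assignments, mshta use, scheduled-task creation).
# Run as Administrator. Thresholds are assumptions; tune them to your estate.

# 1. Enable Script Block Logging. This is the registry equivalent of the
#    Group Policy setting "Turn on PowerShell Script Block Logging".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Collect recent script block events. Event 4104 carries the script text
#    as it was handed to the engine, so the code that actually runs is visible
#    even when the loader on disk is obfuscated.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 3. Score a script block. A very high count of simple "$var = <literal>"
#    assignments relative to total lines is the filler pattern the article
#    describes; mshta, scheduled-task and decode/eval references add weight.
function Get-ScriptBlockRisk {
    param([string]$Text)
    $lines       = ($Text -split "`r?`n").Count
    $assignments = ([regex]::Matches($Text, '\$\w+\s*=\s*(?:"[^"]*"|''[^'']*''|\d+)\s*;?')).Count
    $ratio       = if ($lines -gt 0) { $assignments / $lines } else { 0 }
    $flags = @()
    if ($assignments -ge 200 -and $ratio -ge 0.8) { $flags += 'filler-assignments' }   # assumed thresholds
    if ($Text -match '(?i)\bmshta(\.exe)?\b')     { $flags += 'mshta' }
    if ($Text -match '(?i)schtasks|Register-ScheduledTask|New-ScheduledTask') { $flags += 'scheduled-task' }
    if ($Text -match '(?i)FromBase64String|-EncodedCommand|\biex\b|Invoke-Expression') { $flags += 'decode-or-eval' }
    [pscustomobject]@{ Lines = $lines; Assignments = $assignments; Flags = ($flags -join ',') }
}

# 4. Long script blocks are logged in chunks (MessageNumber/MessageTotal),
#    so reassemble by ScriptBlockId before scoring. 4104 event properties:
#    [0]=MessageNumber [1]=MessageTotal [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
$findings = foreach ($group in ($events | Group-Object { $_.Properties[3].Value })) {
    $ordered = $group.Group | Sort-Object { [int]$_.Properties[0].Value }
    $text    = -join ($ordered | ForEach-Object { $_.Properties[2].Value })
    $risk    = Get-ScriptBlockRisk -Text $text
    if ($risk.Flags) {
        [pscustomobject]@{
            Time          = $ordered[0].TimeCreated
            ScriptBlockId = $group.Name
            Path          = $ordered[0].Properties[4].Value
            Lines         = $risk.Lines
            Assignments   = $risk.Assignments
            Flags         = $risk.Flags
        }
    }
}

$findings | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

The `Path` column is empty for blocks that were typed or piped in rather than run from a file, which is itself a useful signal for ClickFix-style delivery, where the user pastes the loader directly into a terminal. In a real deployment the scoring would run in the SIEM over forwarded 4104 events rather than on each host.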
DeepLoad also employs stealth techniques within the Windows operating system by embedding itself into processes associated with the lock screen – areas that are rarely inspected by security teams. This enables the malware to remain hidden while collecting sensitive information, including stored credentials and user-entered passwords.
Given the level of access the malware can achieve, compromised organizations are strongly advised to reset all credentials associated with affected systems. Failure to do so could allow attackers to maintain unauthorized access even after initial remediation efforts.
Additionally, researchers have highlighted the abuse of Windows Management Instrumentation (WMI) event subscriptions as another persistence mechanism. While WMI is typically used for legitimate automation tasks, attackers are exploiting it to reintroduce DeepLoad into systems after it has been removed. Because many security teams do not routinely audit WMI subscriptions, this tactic can enable repeated reinfection.
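To support the audit recommended here and the scheduled-task persistence described earlier, the following added script (not ReliaQuest's tooling or code from the article) enumerates both mechanisms on a host so they can be reviewed and, once confirmed malicious, removed. The cmdlets, namespace and class names are real Windows ones; the watch list of binaries and the assumption that `Get-CimInstance` exposes binding references as objects with a `Name` property are my own.

```powershell
# Added example (not from the article): list scheduled tasks that launch
# script hosts such as mshta, and WMI permanent event subscriptions, for review.
# Run as Administrator. The binary watch list is an assumption, not an IoC.

$watchList = '(?i)\b(mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32)(\.exe)?\b'

# 1. Scheduled tasks: inspect every action's executable and arguments.
$taskFindings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $watchList) {
            [pscustomobject]@{
                Kind    = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Command = $cmd
            }
        }
    }
}

# 2. WMI permanent subscriptions live in root\subscription as three linked
#    objects: an __EventFilter (the trigger), a consumer (what runs) and a
#    __FilterToConsumerBinding tying them together. Consumers that run a
#    command line or script are the ones worth reading closely.
$ns        = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$wmiFindings = foreach ($b in $bindings) {
    # Assumption: Get-CimInstance dereferences the Filter/Consumer references
    # into objects whose Name key is populated.
    $consumer = $consumers | Where-Object {
        $_.Name -eq $b.Consumer.Name -and
        $_.CimClass.CimClassName -eq $b.Consumer.CimClass.CimClassName
    }
    $filter = $filters | Where-Object { $_.Name -eq $b.Filter.Name }
    if ($consumer) {
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
        [pscustomobject]@{
            Kind    = 'WmiSubscription'
            Name    = $consumer.Name
            Author  = $consumer.CimClass.CimClassName
            Trigger = $filter.Query
            Command = $payload
        }
    }
}

@($taskFindings) + @($wmiFindings) | Format-Table -AutoSize -Wrap

# Removal, once an entry has been confirmed malicious (adapt the placeholders):
# Unregister-ScheduledTask -TaskName '<task name>' -TaskPath '<task path>' -Confirm:$false
# Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
#     Where-Object { $_.Consumer.Name -eq '<consumer name>' } | Remove-CimInstance
# Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter "Name='<consumer name>'" | Remove-CimInstance
# Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='<filter name>'" | Remove-CimInstance
```

Remove the binding before the consumer and filter so a half-finished cleanup cannot leave a dangling trigger, and run the enumeration again after reboot: the article's point is that a subscription left behind re-creates the scheduled task and the loader, so a clean task list alone is not evidence the host is clean.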
The emergence of DeepLoad underscores a critical shift in the threat landscape, where attackers are blending social engineering, legitimate system tools, and AI-generated obfuscation to evade detection. As these techniques continue to evolve, organizations must adopt more proactive and behavior-based security strategies to defend against increasingly complex and adaptive cyber threats.