A newly discovered cyber threat is raising alarms across the cybersecurity industry as researchers uncover how AI-driven malware is accelerating credential theft and evading traditional defenses.
Security researchers at ReliaQuest have identified a sophisticated strain known as DeepLoad malware, designed to steal credentials almost immediately after infiltrating a system. The threat is capable of extracting stored browser passwords while simultaneously capturing live keystrokes through a malicious browser extension, making it especially dangerous for enterprise environments.
According to ReliaQuest, DeepLoad malware begins its attack using a social engineering tactic called ClickFix, which tricks users into executing what appears to be a harmless command to resolve a fake browser error. Once executed, the malware establishes persistence by creating scheduled tasks that allow it to relaunch automatically, even after system reboots or partial detection.
“DeepLoad steals credentials from the moment it lands, so even partial containment can still leave you with exposed passwords, sessions, and active accounts,” ReliaQuest warned in a report this week. “Before the main attack chain finishes, a standalone credential stealer, filemanager.exe, is already running on its own infrastructure and can exfiltrate data even if the main loader is detected and blocked.”
The attack chain leverages legitimate Windows utilities such as mshta.exe to communicate with attacker infrastructure and deploy a heavily obfuscated PowerShell loader. Researchers noted that the malware code is buried beneath thousands of lines of meaningless instructions, likely generated by artificial intelligence to overwhelm static analysis tools and avoid detection.
Once executed, the malicious payload is decrypted entirely in memory and injected into LockAppHost.exe, a legitimate Windows process associated with the lock screen. This technique allows the malware to operate undetected, as many security tools do not closely monitor such processes. DeepLoad further complicates detection by dynamically generating a new DLL file with a randomized name during each execution and disabling PowerShell command history to erase traces of its activity.
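The execution chain described above (a ClickFix command that runs mshta.exe, which launches the PowerShell loader; injection into LockAppHost.exe; command history switched off; scheduled-task relaunch) leaves traces that can be hunted in standard Windows telemetry. The script below is an added example and is not code from ReliaQuest's report. It assumes Sysmon is installed and logging Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess), that PowerShell Script Block Logging (Event ID 4104) is on, and that it runs from an elevated session; the history-tampering patterns it searches for are an assumption, since the report does not say how DeepLoad disables history.

```powershell
# Added example (not from ReliaQuest's report): hunt for the DeepLoad execution chain in Sysmon and
# PowerShell operational logs. Assumes Sysmon Event IDs 1 and 10 and Script Block Logging are enabled.
# Run from an elevated PowerShell session.

$SysmonLog     = 'Microsoft-Windows-Sysmon/Operational'
$PowerShellLog = 'Microsoft-Windows-PowerShell/Operational'

# Flatten a Sysmon event's EventData into an object keyed by field name (Image, ParentImage, ...).
function ConvertTo-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{ TimeCreated = $Event.TimeCreated }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return [pscustomobject]$data
}

function Get-SysmonEvents {
    param([int]$Id, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ }
}

# 1. mshta.exe launching PowerShell: the ClickFix command uses mshta to reach attacker infrastructure
#    and run the obfuscated loader.
function Find-MshtaToPowerShell {
    param([datetime]$Since)
    Get-SysmonEvents -Id 1 -Since $Since |
        Where-Object { $_.ParentImage -like '*\mshta.exe' -and $_.Image -match '\\(powershell|pwsh)\.exe$' } |
        Select-Object TimeCreated, ParentImage, Image, CommandLine
}

# 2. A process other than LockAppHost.exe opening a handle to it with the rights injection needs:
#    PROCESS_CREATE_THREAD (0x2), PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20).
function Find-LockAppHostAccess {
    param([datetime]$Since)
    $needed = 0x2 -bor 0x8 -bor 0x20
    Get-SysmonEvents -Id 10 -Since $Since |
        Where-Object {
            $_.TargetImage -like '*\LockAppHost.exe' -and
            $_.SourceImage -notlike '*\LockAppHost.exe' -and
            $_.GrantedAccess -and
            (([Convert]::ToInt64($_.GrantedAccess, 16)) -band $needed) -eq $needed
        } |
        Select-Object TimeCreated, SourceImage, TargetImage, GrantedAccess
}

# 3. Script blocks that switch off command history. The report does not say how DeepLoad does this;
#    the patterns below (PSReadLine's SaveNothing option, touching the history file) are an assumption.
function Find-HistoryTampering {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = $PowerShellLog; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'HistorySaveStyle\s+SaveNothing|ConsoleHost_history' } |
        Select-Object TimeCreated, Message
}

# 4. Scheduled tasks whose action runs mshta or PowerShell: the relaunch persistence the report describes.
function Find-SuspiciousTasks {
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'mshta|powershell|pwsh' }
    } | Select-Object TaskName, TaskPath,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

$since = (Get-Date).AddDays(-7)
Find-MshtaToPowerShell -Since $since | Format-Table -AutoSize
Find-LockAppHostAccess -Since $since | Format-Table -AutoSize
Find-HistoryTampering  -Since $since | Format-List
Find-SuspiciousTasks | Format-Table -AutoSize
```

The ProcessAccess check is the noisiest of the four, so it filters on the access rights an injector actually needs rather than on any handle to LockAppHost.exe; legitimate debuggers and some security agents will still appear and need to be baselined out.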
In observed campaigns, DeepLoad malware demonstrated the ability to spread quickly via USB drives, disguising itself as common software installers such as Chrome or Firefox setup files. This tactic increases the likelihood of additional infections as users unknowingly execute the malicious files.
Persistence remains one of the most concerning aspects of the threat. Even after apparent cleanup, the malware can re-execute itself through Windows Management Instrumentation triggers without user interaction. In one case, the infection resurfaced days after the system was believed to be secure.
ReliaQuest emphasized that traditional remediation steps are insufficient against this evolving threat. Organizations must audit and remove WMI event subscriptions, enable advanced PowerShell logging, and adopt behavioral monitoring to detect malicious activity. Additionally, all credentials associated with compromised systems should be reset to prevent further exploitation.
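The remediation steps above (audit and remove WMI event subscriptions, enable advanced PowerShell logging, reset credentials tied to the host) can be scripted. The following is an added example, not code from ReliaQuest or the article; it assumes an elevated PowerShell session on the affected host, and the transcript directory path is a placeholder. Legitimate software such as SCCM and some backup agents also registers WMI subscriptions, so review the audit output before removing anything.

```powershell
# Added example (not from ReliaQuest's report): audit WMI event subscriptions, remove a named one,
# turn on Script Block, Module and Transcription logging, and list the accounts that logged on here
# so their credentials can be reset. Run from an elevated PowerShell session.

$Namespace = 'root/subscription'

# Pull the Name out of a WMI reference (a CIM instance, or a string such as __EventFilter.Name="x").
function Get-RefName {
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    if ("$Ref" -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
}

# Every filter-to-consumer binding, joined with its filter query and what the consumer actually runs.
function Get-WmiSubscription {
    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
        $f = $filters   | Where-Object Name -eq (Get-RefName $b.Filter)
        $c = $consumers | Where-Object Name -eq (Get-RefName $b.Consumer)
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            Consumer     = $c.Name
            ConsumerType = $c.CimClass.CimClassName
            # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs VBScript/JScript.
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

# Remove the binding, consumer and filter for one subscription. Supports -WhatIf for a dry run.
function Remove-WmiSubscription {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$FilterName)
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName } |
        ForEach-Object {
            $consumerName = Get-RefName $_.Consumer
            if ($PSCmdlet.ShouldProcess("binding $FilterName -> $consumerName")) { Remove-CimInstance -InputObject $_ }
            Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer | Where-Object Name -eq $consumerName |
                ForEach-Object { if ($PSCmdlet.ShouldProcess("consumer $consumerName")) { Remove-CimInstance -InputObject $_ } }
        }
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter | Where-Object Name -eq $FilterName |
        ForEach-Object { if ($PSCmdlet.ShouldProcess("filter $FilterName")) { Remove-CimInstance -InputObject $_ } }
}

# Registry policy values equivalent to the Group Policy settings "Turn on PowerShell Script Block Logging",
# "Turn on Module Logging" and "Turn on PowerShell Transcription". The transcript path is a placeholder.
function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    foreach ($k in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path (Join-Path $base $k) -Force | Out-Null
    }
    Set-ItemProperty "$base\ScriptBlockLogging" EnableScriptBlockLogging 1 -Type DWord
    Set-ItemProperty "$base\ModuleLogging" EnableModuleLogging 1 -Type DWord
    Set-ItemProperty "$base\ModuleLogging\ModuleNames" '*' '*'
    Set-ItemProperty "$base\Transcription" EnableTranscripting 1 -Type DWord
    Set-ItemProperty "$base\Transcription" EnableInvocationHeader 1 -Type DWord
    Set-ItemProperty "$base\Transcription" OutputDirectory $TranscriptDir
}

# Accounts with interactive (2), unlock (7) or RDP (10) logons on this host: the credential-reset list.
function Get-LogonAccounts {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            # Skip machine accounts (names ending in $); they are reset separately.
            if (($d.LogonType -in '2', '7', '10') -and $d.TargetUserName -notmatch '\$$') {
                "$($d.TargetDomainName)\$($d.TargetUserName)"
            }
        } | Sort-Object -Unique
}

Get-WmiSubscription | Format-List
# After review: Remove-WmiSubscription -FilterName 'NameFromTheListAbove' -WhatIf
Enable-PowerShellLogging
Get-LogonAccounts -Since (Get-Date).AddDays(-30)
```

Removal is deliberately split into three deletes (binding, consumer, filter) because an orphaned consumer or filter survives a binding-only cleanup and is easy to re-bind; run with -WhatIf first and keep the audit output as evidence.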
“The indications of AI generation mean there is a realistic probability that obfuscation will evolve from generic noise to padding tailored to the specific environment it’s deployed in, making behavioral baselining harder over time,” ReliaQuest warned. “As WMI subscriptions are added to remediation checklists, the persistence mechanism is likely to shift to other legitimate Windows features that currently receive less attention.”
As DeepLoad malware demonstrates how AI can enhance both the scale and sophistication of cyberattacks, its emergence signals a critical shift in the threat landscape, pushing organizations to adopt more adaptive and intelligence-driven security strategies.