# DeepLoad Malware Campaign Uses ClickFix Social Engineering and WMI Persistence to Harvest Browser Credentials


A newly discovered malware loader called DeepLoad has emerged as a sophisticated threat leveraging social engineering tactics and advanced evasion techniques to establish persistent access on compromised systems. Security researchers at ReliaQuest have identified an active campaign combining the ClickFix social engineering method with previously undocumented malware to steal browser credentials and session tokens from infected machines.


The discovery highlights an evolving threat landscape where attackers are combining proven social engineering vectors with advanced technical capabilities, including AI-assisted obfuscation and legitimate system tools to evade detection and maintain long-term access.


## The Threat: ClickFix Meets DeepLoad


ClickFix represents a relatively recent social engineering tactic that has gained traction among cybercriminals. The technique typically involves:


- Malicious advertisements displayed on legitimate websites that mimic genuine system warning dialogs
- False error messages warning users about system vulnerabilities or malware infections
- Prompts to download and execute supposed "security tools" or patches
- Urgency and fear-based messaging designed to bypass user skepticism

The ClickFix campaign distributing DeepLoad combines this social engineering vector with a custom malware loader that establishes persistence, evades security tools, and immediately begins credential harvesting. According to ReliaQuest researchers, the malware demonstrates capabilities far beyond those of typical malware loaders.


## Technical Architecture: How DeepLoad Works

### Initial Infection Chain

The infection begins when users encounter malicious advertisements or compromised websites hosting ClickFix popups. When clicked, these popups trigger downloads of files masquerading as legitimate security utilities. Once executed on a Windows system, the initial stage establishes a foothold for the DeepLoad loader.


### AI-Assisted Obfuscation

DeepLoad employs machine learning-assisted code obfuscation designed to defeat signature-based detection. This represents a significant advancement in malware evasion:

- Dynamic code generation produces unique samples with different obfuscation patterns
- Behavioral pattern randomization changes execution flow between infections
- API call abstraction obscures which Windows APIs are being used
- String encryption and substitution prevents keyword detection in static analysis

This approach significantly increases the time required for security vendors to develop effective detections, as traditional signature-based methods become ineffective against constantly evolving samples.


### Process Injection and Memory Execution

Rather than writing executable files to disk, DeepLoad employs process injection techniques to execute code directly in memory:

| Injection Technique | Purpose | Detection Challenge |
|---------------------|---------|---------------------|
| DLL Injection | Load malicious code into legitimate processes | Legitimate processes appear to be the culprit |
| Code Injection | Execute shellcode directly in process memory | No file artifacts to detect on disk |
| Process Hollowing | Replace a legitimate process image with malicious code | Process appears legitimate to endpoint tools |

By executing entirely in memory, DeepLoad avoids creating files that endpoint detection and response (EDR) systems typically monitor and flag.


### WMI-Based Persistence

Windows Management Instrumentation (WMI) provides a powerful but often overlooked persistence mechanism. DeepLoad leverages WMI in several ways:

- WMI event subscriptions trigger malicious actions automatically based on system events (startup, user logon, etc.)
- WMI consumer creation establishes callback mechanisms that execute code when conditions are met
- Legitimate tool execution uses wmic.exe (Windows Management Instrumentation Command-line) to execute commands while appearing to be routine system administration

This approach is particularly effective because:

- WMI is a built-in Windows component with legitimate administrative purposes
- Many security tools whitelist WMI processes by default
- WMI-based persistence survives system reboots and antivirus scans
- Detection requires sophisticated behavioral analysis rather than simple file-based detection

## Credential Theft: Immediate and Continuous

Unlike traditional malware that establishes persistence first, DeepLoad begins credential harvesting immediately upon execution, even if subsequent loader stages are blocked by security tools.

### Browser Credential Extraction

The malware targets stored credentials from major web browsers:

- Password databases from Chrome, Edge, Firefox, and other Chromium-based browsers
- Cached credentials stored in memory during active browsing sessions
- Session tokens and cookies that provide authenticated access to web services
- Autofill data containing personal information and payment details

### Technique: Key Extraction and Database Access

Modern browsers store credentials in encrypted databases. DeepLoad bypasses this encryption by:

1. Extracting encryption keys from the browser process memory
2. Decrypting local credential stores using the browser's own decryption mechanisms
3. Harvesting cookies that provide immediate authenticated access without needing passwords

This approach allows attackers to bypass the password-protected nature of these storage systems entirely.


## Implications for Organizations

### Immediate Risks

Organizations infected with DeepLoad face multiple concurrent threats:

- Unauthorized access to web applications and cloud services accessed by infected users
- Session hijacking through stolen authentication tokens
- Lateral movement using compromised credentials to access internal systems
- Data exfiltration of sensitive information accessible through stolen accounts
- Supply chain compromise if compromised employee accounts have vendor access

### Extended Persistence

The WMI-based persistence mechanism means infections can remain active for months without detection, continuously harvesting new credentials as employees log into applications and services.

### Advanced Evasion Challenges

The AI-assisted obfuscation makes this threat particularly difficult to defend against:

- Signature-based detection becomes ineffective as each sample is unique
- Sandboxing evasion through behavioral unpredictability
- Sandbox detection that avoids execution in testing environments
- Antivirus bypass through legitimate process abuse

## Detection and Investigation

### Network-Level Indicators

Organizations should monitor for:

- Unusual outbound connections from user workstations, especially to known malware C2 infrastructure
- Data exfiltration patterns suggesting credential theft (large volumes of HTTPS traffic to legitimate services from non-business contexts)
- Anomalous WMI activity and unusual wmic.exe execution with suspicious arguments
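An added example of the wmic.exe triage suggested in the last indicator (not code from the ReliaQuest report): it scores process-creation records for subscription-namespace access, WMI-driven process launches, and an unexpected parent process. The field names mirror Sysmon Event ID 1, and the `$events` records, parent-process list and sample command lines are constructed assumptions.

```powershell
# Added example, not from the ReliaQuest report. $events is constructed sample data whose
# fields (Image, ParentImage, CommandLine, User) mirror Sysmon Event ID 1 / Security 4688.
$events = @(
    [pscustomobject]@{ User='CORP\helpdesk01'; ParentImage='C:\Windows\System32\cmd.exe'
        Image='C:\Windows\System32\wbem\WMIC.exe'; CommandLine='wmic os get caption,version' }
    [pscustomobject]@{ User='CORP\jdoe'; ParentImage='C:\Program Files\Google\Chrome\Application\chrome.exe'
        Image='C:\Windows\System32\wbem\WMIC.exe'
        CommandLine='wmic /namespace:\\root\subscription path __EventFilter create ...' }
    [pscustomobject]@{ User='CORP\jdoe'; ParentImage='C:\Users\jdoe\AppData\Local\Temp\SecurityUpdate.exe'
        Image='C:\Windows\System32\wbem\WMIC.exe'; CommandLine='wmic process call create "..."' }
)

# Parents from which an interactive admin would never launch wmic (assumed list).
$unexpectedParents = @('chrome.exe','msedge.exe','firefox.exe','winword.exe','excel.exe','outlook.exe')

function Test-WmicEvent {
    param([Parameter(ValueFromPipeline)] $e)
    process {
        if ((Split-Path $e.Image -Leaf) -ine 'wmic.exe') { return }   # only wmic.exe launches
        $cl = $e.CommandLine
        $reasons = @()
        # Persistence: touching the subscription namespace or the three subscription classes.
        if ($cl -match 'root\\subscription|__EventFilter|__EventConsumer|__FilterToConsumerBinding') {
            $reasons += 'touches WMI event subscription objects'
        }
        # Execution: starting a process through WMI, locally or (with /node:) on another host.
        if ($cl -match 'process\s+call\s+create') { $reasons += 'spawns a process via WMI' }
        if ($cl -match '/node:')                  { $reasons += 'targets a remote host' }
        # Lineage: a browser parent matches the ClickFix delivery path; a parent in
        # AppData\Local\Temp matches a freshly downloaded "security tool".
        $parent = Split-Path $e.ParentImage -Leaf
        if (($parent -in $unexpectedParents) -or ($e.ParentImage -match '\\AppData\\Local\\Temp\\')) {
            $reasons += "unexpected parent $parent"
        }
        [pscustomobject]@{ User = $e.User; Parent = $parent; CommandLine = $cl
                           Score = $reasons.Count; Reasons = ($reasons -join '; ') }
    }
}

# Score 0 is the benign inventory query; the other two records each trip two checks.
$events | Test-WmicEvent | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

Feed real records by mapping your SIEM's process-creation fields onto the same four property names.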

### Host-Based Indicators

- WMI Event Consumer activity in Event ID 19, 20, 21, and 22 (WMI Event logs)
- Unsigned processes injected into legitimate applications
- Suspicious registry modifications related to persistence mechanisms
- Browser profile access by unexpected processes

## Recommendations for Organizations

### Immediate Actions

1. Hunt for WMI persistence using forensic tools to identify Event Consumer objects
2. Review browser credential caches for unauthorized access
3. Check Windows Event logs for WMI activity correlating with suspicious network traffic
4. Reset credentials for any accounts potentially compromised through this malware
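The hunt in step 1, walking the filter, consumer and binding objects described under WMI-Based Persistence, as an added PowerShell example (not code from the ReliaQuest report or from DeepLoad itself). It assumes the standard root/subscription namespace and an elevated session on the host under investigation.

```powershell
# Added example, not from the ReliaQuest report: enumerate the three objects a WMI event
# subscription needs (filter, consumer, binding) and flag every binding whose consumer can
# execute a command or script. Run from an elevated PowerShell prompt.

function Get-RefName($ref) {
    # Binding references arrive as CimInstance objects (Get-CimInstance) or as strings
    # such as __EventFilter.Name="x" (Get-WmiObject); accept both forms.
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $ref }
    }
    return $ref.Name
}

function Get-WmiPersistence {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)             # trigger (WQL query)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)           # action
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) # ties the two together

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $cClass = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }
        # Only these two consumer classes run arbitrary code; the others log, mail or write
        # files. A stock Windows install ships one benign binding: 'SCM Event Log Filter'
        # bound to an NTEventLogEventConsumer.
        $action = switch ($cClass) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter        = $fName
            Trigger       = if ($f) { $f.Query } else { '<missing filter>' }
            ConsumerClass = $cClass
            Action        = $action
            Executes      = ($cClass -in @('CommandLineEventConsumer','ActiveScriptEventConsumer'))
        }
    }
}

Get-WmiPersistence | Sort-Object Executes -Descending | Format-Table -AutoSize -Wrap
# After review, a confirmed-malicious binding, filter and consumer are each removed by piping
# the object to Remove-CimInstance; remove the binding first so the trigger can no longer fire.
```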


### Medium-Term Mitigations

- Disable WMI creation of Event Subscriptions via Group Policy where not required
- Implement behavioral EDR capable of detecting in-memory code execution and process injection
- Enable browser credential protection features (Windows Hello, biometric authentication)
- Deploy application allowlisting to restrict which processes can inject code
- Require MFA on all critical web applications and cloud services

### Long-Term Security Measures

- Zero-trust architecture reducing reliance on compromised user credentials
- Credential Guard implementations to protect stored authentication material
- Advanced threat detection using machine learning to identify obfuscated malware
- Regular security awareness training focused on social engineering tactics like ClickFix
- Continuous monitoring of WMI Event logs and process injection patterns

## Conclusion

DeepLoad represents a concerning evolution in malware design, combining proven social engineering tactics with sophisticated technical evasion techniques and legitimate system tool abuse. The combination of AI-assisted obfuscation, in-memory execution, WMI persistence, and immediate credential theft creates a multi-layered threat that traditional security approaches struggle to address.

Organizations must shift toward behavioral detection, credential protection, and zero-trust principles to defend against this emerging threat. The ClickFix campaign distributing DeepLoad underscores the continued importance of social engineering awareness while highlighting how modern malware bypasses conventional technical controls through legitimate system abuse.