DeepLoad Malware Distributed via ClickFix
The DeepLoad malware steals credentials, installs malicious browser extensions, spreads via USB drives, and is being distributed via ClickFix campaigns using PowerShell loaders.
DeepLoad is a recently discovered malware family designed for credential theft, malicious browser extension installation, and potential cryptocurrency theft. First advertised on a dark web forum in early February 2026, DeepLoad is now being distributed in the wild via ClickFix campaigns. The malware is delivered through fake browser error messages that instruct victims to execute a PowerShell command, resulting in the persistent execution of a PowerShell loader. This loader dynamically generates a DLL component in the Temp directory to evade detection. DeepLoad also injects into the legitimate LockAppHost.exe process to further blend into trusted Windows activity and evade detection by security tools. The threat actor’s motivations appear to be financially driven, focusing on credential and cryptocurrency theft.
Attack Chain
- The victim encounters a fake browser error message.
- The victim is instructed to paste a command into Windows Run or a terminal.
- The command executes a PowerShell loader, which is designed for persistence.
- The PowerShell loader drops a DLL component in the Temp directory, compiled on every execution with a different filename.
- The loader disables PowerShell command history and calls Windows core functions directly to evade monitoring.
- The DLL is injected into LockAppHost.exe using asynchronous procedure call (APC) injection.
- DeepLoad steals credentials via a standalone credential stealer executed alongside the main loader.
- A rogue browser extension is dropped to intercept user activity, including logins, open tabs, session tokens, and saved passwords. The malware also attempts to spread via USB drives.
Impact
Successful DeepLoad infections can lead to significant credential theft, potentially compromising sensitive user accounts and data. The rogue browser extension can expose all user browser activity, including banking and cryptocurrency exchanges. The spread via USB drives allows the malware to propagate rapidly across an organization. The financial impact can be substantial if cryptocurrency wallets and other financial accounts are compromised. The number of affected organizations is currently unknown.
Recommendation
- Deploy the “Detect DeepLoad PowerShell Loader” Sigma rule to detect the initial PowerShell execution used to deliver the malware.
- Monitor process injection into LockAppHost.exe to identify potential DeepLoad infections (reference the Sigma rule “Detect Injection into LockAppHost.exe”).
- Enable PowerShell logging and review for suspicious command line arguments indicative of the DeepLoad loader to enhance the effectiveness of the “Detect DeepLoad PowerShell Loader” rule.
- Implement USB drive security policies to prevent the spread of malware via removable media.
- Educate users on the risks of executing commands from untrusted sources to prevent initial infection via ClickFix techniques.
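To illustrate the two detection recommendations above, here is an added example (not the platform's Sigma rules or DeepLoad's code) that runs simple checks over constructed log events: PowerShell script block text is flagged when it switches off PSReadLine history, the behaviour the loader rule keys on, and ProcessAccess-style events (modelled on Sysmon Event ID 10 fields, an assumption) are flagged when a process opens LockAppHost.exe with memory-write rights.

```python
import re

# Constructed sample events, not real telemetry. Script block entries mimic
# PowerShell Event ID 4104 text; process_access entries mimic Sysmon EID 10.
SAMPLE_EVENTS = [
    {"kind": "scriptblock",
     "text": "Set-PSReadLineOption -HistorySaveStyle SaveNothing; "
             "Add-Type -TypeDefinition $src"},
    {"kind": "scriptblock", "text": "Get-ChildItem C:\\Users | Format-Table"},
    {"kind": "process_access",
     "source_image": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe",
     "target_image": "C:\\Windows\\SystemApps\\LockApp\\LockAppHost.exe",
     "granted_access": "0x1FFFFF"},
    {"kind": "process_access",
     "source_image": "C:\\Windows\\System32\\svchost.exe",
     "target_image": "C:\\Windows\\SystemApps\\LockApp\\LockAppHost.exe",
     "granted_access": "0x1000"},
]

# PSReadLine option that stops PowerShell from saving command history.
HISTORY_DISABLE = re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing", re.I)
# Direct Win32 calls from PowerShell usually go through Add-Type / DllImport.
PINVOKE = re.compile(r"Add-Type\b|\[DllImport\(", re.I)
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE: rights needed to write into a remote process.
INJECT_RIGHTS = 0x0008 | 0x0020


def detect_powershell_loader(text):
    """Return a severity string if the script block disables command history.
    Evidence of P/Invoke in the same block raises confidence to 'high'."""
    if not HISTORY_DISABLE.search(text):
        return None
    return "high" if PINVOKE.search(text) else "medium"


def detect_lockapphost_injection(event):
    """True when the target process is LockAppHost.exe (matched by file name)
    and the granted access mask includes memory-write rights."""
    target = event["target_image"].rsplit("\\", 1)[-1].lower()
    if target != "lockapphost.exe":
        return False
    return bool(int(event["granted_access"], 16) & INJECT_RIGHTS)


def run(events):
    """Apply both checks and return (rule name, severity) tuples."""
    alerts = []
    for ev in events:
        if ev["kind"] == "scriptblock":
            sev = detect_powershell_loader(ev["text"])
            if sev:
                alerts.append(("DeepLoad PowerShell loader", sev))
        elif ev["kind"] == "process_access" and detect_lockapphost_injection(ev):
            alerts.append(("Injection into LockAppHost.exe", "medium"))
    return alerts
```

In production, also consider the source image: a write-capable handle to LockAppHost.exe from an unsigned binary in a user's Temp directory is far more suspicious than one from a signed Windows component.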
Detection coverage (2 rules)
- Detect DeepLoad PowerShell Loader (severity: high): Detects the PowerShell loader used to deploy the DeepLoad malware based on disabling command history.
- Detect Injection into LockAppHost.exe (severity: medium): Detects process injection into the LockAppHost.exe process, a technique used by DeepLoad.