{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/deepload/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["deepload","clickfix","credential-theft","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDeepLoad is a recently discovered malware family designed for credential theft, malicious browser extension installation, and potential cryptocurrency theft. First advertised on a dark web forum in early February 2026, DeepLoad is now being distributed in the wild via ClickFix campaigns. The malware is delivered through fake browser error messages that instruct victims to execute a PowerShell command, resulting in the persistent execution of a PowerShell loader. This loader dynamically generates a DLL component in the Temp directory to evade detection. DeepLoad also injects into the legitimate \u003ccode\u003eLockAppHost.exe\u003c/code\u003e process to further blend into trusted Windows activity and evade detection by security tools. The threat actor\u0026rsquo;s motivations appear to be financially driven, focusing on credential and cryptocurrency theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim encounters a fake browser error message.\u003c/li\u003e\n\u003cli\u003eThe victim is instructed to paste a command into Windows Run or a terminal.\u003c/li\u003e\n\u003cli\u003eThe command executes a PowerShell loader, which is designed for persistence.\u003c/li\u003e\n\u003cli\u003eThe PowerShell loader drops a DLL component in the Temp directory, compiled on every execution with a different filename.\u003c/li\u003e\n\u003cli\u003eThe loader disables PowerShell command history and calls Windows core functions directly to evade monitoring.\u003c/li\u003e\n\u003cli\u003eThe DLL is injected into \u003ccode\u003eLockAppHost.exe\u003c/code\u003e using asynchronous procedure call (APC) injection.\u003c/li\u003e\n\u003cli\u003eDeepLoad steals credentials via a standalone credential stealer executed alongside the main loader.\u003c/li\u003e\n\u003cli\u003eA rogue browser extension is dropped to intercept user activity, including logins, open tabs, session tokens, and saved passwords. The malware also attempts to spread via USB drives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DeepLoad infections can lead to significant credential theft, potentially compromising sensitive user accounts and data. The rogue browser extension can expose all user browser activity, including banking and cryptocurrency exchanges. The spread via USB drives allows the malware to propagate rapidly across an organization. The financial impact can be substantial if cryptocurrency wallets and other financial accounts are compromised. The number of affected organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect DeepLoad PowerShell Loader\u0026rdquo; Sigma rule to detect the initial PowerShell execution used to deliver the malware.\u003c/li\u003e\n\u003cli\u003eMonitor process injection into \u003ccode\u003eLockAppHost.exe\u003c/code\u003e to identify potential DeepLoad infections (reference the Sigma rule \u0026ldquo;Detect Injection into LockAppHost.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and review for suspicious command line arguments indicative of the DeepLoad loader to enhance the effectiveness of the \u0026ldquo;Detect DeepLoad PowerShell Loader\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement USB drive security policies to prevent the spread of malware via removable media.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of executing commands from untrusted sources to prevent initial infection via ClickFix techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-deepload-malware/","summary":"The DeepLoad malware steals credentials, installs malicious browser extensions, spreads via USB drives, and is being distributed via ClickFix campaigns using PowerShell loaders.","title":"DeepLoad Malware Distributed via ClickFix","url":"https://feed.craftedsignal.io/briefs/2026-04-deepload-malware/"}],"language":"en","title":"CraftedSignal Threat Feed — Deepload","version":"https://jsonfeed.org/version/1.1"}