PROBABLYPWNED
Malware | April 2, 2026 | 4 min read

DeepLoad Malware Uses AI-Generated Code to Evade Detection

New DeepLoad malware combines ClickFix delivery with AI-generated obfuscation to bypass security scanners. WMI persistence survives remediation for days.

James Rivera

A new malware strain called DeepLoad is breaching enterprise networks through ClickFix social engineering, then using AI-generated code obfuscation to evade detection—and its WMI persistence mechanism has been observed reinfecting systems days after apparent cleanup.

Security researchers at ReliaQuest published detailed analysis on March 30 documenting how DeepLoad turns a single user action into rapid, fileless compromise. The malware first appeared on dark web forums in early February, advertised as "a centralized panel for multiple types of malware."

How the Attack Works

DeepLoad's infection chain begins with ClickFix—a social engineering technique that's grown increasingly common in 2026. Victims encounter fake browser error messages or phishing pages that instruct them to paste a command into Windows Run or PowerShell to "fix" the issue.

The pasted command is a one-liner of the form powershell.exe -ep Bypass -Command "iex(irm...)": -ep Bypass disables the execution policy, Invoke-RestMethod (irm) fetches a remote script, and Invoke-Expression (iex) runs it in memory without writing it to disk. The downloaded stage registers scheduled tasks for persistence and launches obfuscated PowerShell loaders through mshta.exe. From that single action, attackers gain reboot-surviving access with minimal further interaction required.

AI-Generated Evasion at Scale

What sets DeepLoad apart is its obfuscation layer. The loader buries functional code under thousands of meaningless variable assignments specifically designed to exhaust static analysis engines.

"The sheer volume of padding likely rules out a human author," the ReliaQuest report states. The researchers assess that the obfuscation was most likely generated with an AI model, a notable shift in how malware authors produce evasion code.

The evasion techniques include:

  • Dynamic DLL compilation using PowerShell's Add-Type feature with randomized filenames
  • Command history disabling and direct Windows API calls that bypass monitoring hooks
  • XOR decryption of in-memory shellcode that's never written to disk

Process Injection Targets Overlooked Processes

DeepLoad uses asynchronous procedure call (APC) injection to execute payloads within trusted Windows processes. The malware deliberately targets three specific processes: LockAppHost.exe (Windows lock screen), makecab.exe, and Magnify.exe.

These aren't random choices. Security teams typically overlook these processes during threat hunting, making them ideal hiding spots for malicious activity.

WMI Persistence Survives Remediation

The most dangerous aspect of DeepLoad is its persistence mechanism. Standard incident response removes scheduled tasks and temporary files, but DeepLoad also registers a permanent WMI event subscription (an event filter, an event consumer, and the binding that joins them in the root\subscription namespace), which most cleanup procedures never examine.

In documented cases, reinfection occurred three days after hosts appeared clean, with "no user action and no attacker interaction required." The WMI subscription simply re-triggered the infection chain automatically.
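The audit the article calls for, as an added example that is not code from the ReliaQuest report or from DeepLoad itself: enumerate every permanent WMI subscription on the host, pair each binding with its filter query and consumer payload, and flag consumers that launch a script host. The substring list is an assumption derived from the delivery chain described above, and the -Remove switch is this script's own parameter.

```powershell
# Added example, not code from the ReliaQuest report or from DeepLoad itself.
# Enumerates permanent WMI event subscriptions (filter -> binding -> consumer) in
# root\subscription and flags consumers whose payload launches a script host.
# Run in an elevated PowerShell session. -Remove is this script's own switch.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # delete flagged bindings, consumers and filters instead of only reporting
)

$ns = 'root\subscription'

# Assumption: these substrings are what the delivery chain described in the article would
# leave in a consumer's command line; tune the list for your environment.
$suspicious = @('powershell', 'pwsh', 'mshta', 'iex', 'invoke-expression', 'irm ',
                'invoke-restmethod', 'downloadstring', 'wscript', 'cscript', 'cmd.exe /c',
                'certutil', 'rundll32', 'regsvr32', 'add-type')

function Get-RefName($ref) {
    # Reference properties come back as a CimInstance (Get-CimInstance) or as a
    # path string such as __EventFilter.Name="x" (older WMI cmdlets); handle both.
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]*)".*', '$1') }
    return [string]$ref.Name
}

function Get-ConsumerPayload($consumer) {
    # Collect whatever executable content this consumer type carries:
    # CommandLineEventConsumer -> CommandLineTemplate/ExecutablePath,
    # ActiveScriptEventConsumer -> ScriptText/ScriptFileName.
    $parts = foreach ($p in 'CommandLineTemplate', 'ExecutablePath', 'ScriptText', 'ScriptFileName') {
        $prop = $consumer.CimInstanceProperties[$p]
        if ($prop -and $prop.Value) { [string]$prop.Value }
    }
    return ($parts -join ' ')
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$findings = foreach ($b in $bindings) {
    $fName   = Get-RefName $b.Filter
    $cName   = Get-RefName $b.Consumer
    $f       = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c       = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    $payload = if ($c) { Get-ConsumerPayload $c } else { '' }
    $lower   = $payload.ToLowerInvariant()
    $hits    = @($suspicious | Where-Object { $lower.Contains($_) })

    [pscustomobject]@{
        Filter       = $fName
        Query        = if ($f) { $f.Query } else { '<missing>' }
        Consumer     = $cName
        ConsumerType = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }
        Payload      = $payload
        Suspicious   = ($hits.Count -gt 0)
        Matched      = ($hits -join ',')
        Binding      = $b
        FilterObj    = $f
        ConsumerObj  = $c
    }
}

# Report everything: a clean host normally carries very few permanent bindings (the
# "SCM Event Log Filter" -> "SCM Event Log Consumer" pair is the usual Windows default),
# so the full list is short enough to review by eye.
$findings | Format-Table Filter, ConsumerType, Consumer, Suspicious, Matched -AutoSize
$findings | Where-Object Suspicious | Format-List Filter, Query, Consumer, Payload

if ($Remove) {
    foreach ($x in ($findings | Where-Object Suspicious)) {
        # Remove the binding first so the subscription cannot fire while its parts are deleted.
        if ($PSCmdlet.ShouldProcess("$($x.Filter) -> $($x.Consumer)", 'Remove WMI subscription')) {
            Remove-CimInstance -InputObject $x.Binding
            if ($x.ConsumerObj) { Remove-CimInstance -InputObject $x.ConsumerObj }
            if ($x.FilterObj)   { Remove-CimInstance -InputObject $x.FilterObj }
        }
    }
}
```

Run it without -Remove first and read the filter Query column: a filter that fires on a timer (__TimerEvent) or on process creation (Win32_ProcessStartTrace) bound to a command-line or script consumer is the shape of the reinfection trigger described above. If Sysmon is deployed, its events 19, 20 and 21 record the creation of filters, consumers and bindings respectively, which gives you the registration time rather than just the current state.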

This mirrors persistence techniques we've seen in other recent campaigns, including the AuraStealer infrastructure that used similar methods to maintain access across reboots.

Dual Credential Harvesting

DeepLoad employs two parallel approaches to stealing credentials:

  1. A standalone stealer component (filemanager.exe) that accesses stored browser passwords
  2. A malicious browser extension that intercepts credentials as users type them

The extension is particularly dangerous—it persists across browser sessions and captures "everything a user does, putting active logins, open tabs, session tokens and saved passwords at risk."

USB Propagation Expands the Attack Surface

Infected hosts automatically copy DeepLoad to connected USB drives. Within minutes, the malware writes over 40 files disguised as legitimate installers—Chrome, Firefox, and AnyDesk setup files—in an apparent effort to trick users on other machines into running them.

This USB propagation is tracked separately in the command-and-control infrastructure, suggesting deliberate design for lateral spread within organizations.

Detection and Mitigation

Organizations should implement these controls to detect and prevent DeepLoad infections:

  1. Enable PowerShell Script Block Logging to capture decoded commands at runtime
  2. Audit WMI subscriptions in routine security operations—this is where most teams fail
  3. Monitor behavioral indicators including process injection and APC calls
  4. Watch network traffic for unexpected mshta.exe outbound connections and unusual LockAppHost.exe activity
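The first, third and fourth controls above, as an added example that is not code from the ReliaQuest report: the script enables Script Block Logging through the same registry value the Group Policy setting writes, then hunts recent event 4104 records, scheduled-task actions and live network connections for the tradecraft described in this article. The regular-expression list and the 72-hour lookback are assumptions chosen to match the infection chain; tune both for your environment.

```powershell
# Added example, not code from the ReliaQuest report or from DeepLoad itself.
# 1. Turns on PowerShell Script Block Logging (policy registry value).
# 2. Hunts event 4104 (decoded script blocks) for the patterns in the article.
# 3. Lists scheduled-task actions that launch script hosts.
# 4. Lists established connections owned by processes that should have none.
# Run elevated. Pattern list and lookback window are assumptions to tune.
param(
    [int]$Hours = 72   # the article reports reinfection about three days after cleanup
)

function Enable-ScriptBlockLogging {
    # Same value the "Turn on PowerShell Script Block Logging" policy setting writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Assumption: patterns derived from the infection chain described in the article.
$patterns = @(
    'iex\s*\(\s*irm',                                       # ClickFix download-and-execute stager
    'invoke-expression.*invoke-restmethod',
    '-e(p|xecutionpolicy)\s+bypass',
    'add-type\b',                                           # on-the-fly DLL compilation
    'mshta(\.exe)?',
    'historysavestyle\s+savenothing|clear-history',         # command history tampering
    'virtualallocex|writeprocessmemory|queueuserapc|ntqueueapcthread',  # APC injection primitives
    'lockapphost|makecab|magnify'                           # injection targets named in the report
)
$regex = [regex]::new(($patterns -join '|'), 'IgnoreCase')

function Find-SuspiciousScriptBlocks {
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value      # property 2 of 4104 is ScriptBlockText
        $m = $regex.Matches($text)
        if ($m.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                PID     = $e.ProcessId
                Matched = ((@($m) | ForEach-Object Value | Sort-Object -Unique) -join ',')
                Preview = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

function Find-SuspiciousTaskActions {
    # The ClickFix stage registers scheduled tasks; inspect what each task actually runs.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($regex.IsMatch($cmd) -or $cmd -match 'powershell|pwsh|wscript|cscript') {
                [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Author = $t.Author; Command = $cmd }
            }
        }
    }
}

function Find-SuspiciousNetConnections {
    # Processes that have no business holding outbound connections.
    $watch = 'mshta', 'LockAppHost', 'makecab', 'Magnify'
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $procs[[int]$_.OwningProcess] -in $watch } |   # cast: OwningProcess is UInt32
        Select-Object @{ n = 'Process'; e = { $procs[[int]$_.OwningProcess] } },
                      OwningProcess, RemoteAddress, RemotePort
}

Enable-ScriptBlockLogging
Find-SuspiciousScriptBlocks   | Format-Table -AutoSize -Wrap
Find-SuspiciousTaskActions    | Format-Table -AutoSize -Wrap
Find-SuspiciousNetConnections | Format-Table -AutoSize
```

Script Block Logging only records blocks executed after it is enabled, so the 4104 hunt is most useful on hosts where the policy was already in force; on a freshly enabled host, the scheduled-task and connection checks carry the load. Expect legitimate PowerShell-driven tasks in the task list and triage by author and command line rather than treating every hit as malicious.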

Security teams must also rotate all credentials from affected hosts and treat any connected removable media as potentially compromised.

Indicators of Compromise

Artifact             Value (SHA-256 for files)
filemanager.exe      1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d
domain-resolver.js   6AABA685669D779EF8BE8F7F4231096CFAFD0EF386F3897C5E2106C177724FC8
Staging domains      holiday-updateservice[.]com, forest-entity[.]cc
C2 infrastructure    hell1-kitty[.]cc
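A host and removable-media sweep against the indicators above, as an added example that is not code from the ReliaQuest report: it hashes executable and script files on every removable drive and under each user profile and compares them with the two published SHA-256 values, flags installer lookalikes on removable media (the USB propagation described earlier), and checks the DNS client cache for the three domains. The hashes and domains are the article's; the lookalike-name pattern, the extension list and the scan roots are assumptions.

```powershell
# Added example, not code from the ReliaQuest report or from DeepLoad itself.
# Sweeps removable drives and user profiles for the published file hashes, flags
# installer lookalikes on removable media, and checks the DNS cache for the C2/staging
# domains. Hashes and domains come from the article's IoC table; everything else is assumed.
$iocHashes = @(
    '1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d',  # filemanager.exe
    '6AABA685669D779EF8BE8F7F4231096CFAFD0EF386F3897C5E2106C177724FC8'   # domain-resolver.js
) | ForEach-Object { $_.ToUpperInvariant() }                                # Get-FileHash emits upper case

# Defanged in the table above; refanged here only for matching against the cache.
$iocDomains  = 'holiday-updateservice.com', 'forest-entity.cc', 'hell1-kitty.cc'
$domainRegex = '(' + (($iocDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

# Assumption: names a dropper posing as a Chrome, Firefox or AnyDesk installer would use.
$lookalike = '(chrome|firefox|anydesk).*(setup|install)|(setup|install).*(chrome|firefox|anydesk)'
$exts      = '.exe', '.js', '.msi', '.bat', '.cmd', '.vbs', '.ps1', '.hta', '.lnk'

function Get-RemovableRoots {
    # Win32_LogicalDisk DriveType 2 = removable disk
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object { "$($_.DeviceID)\" }
}

function Find-IocFiles([string[]]$Roots, [switch]$Removable) {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $files = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $exts }
        foreach ($f in $files) {
            $h      = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $isIoc  = [bool]($h -and ($iocHashes -contains $h))
            $isFake = [bool]($Removable -and ($f.Name -match $lookalike))
            if ($isIoc -or $isFake) {
                [pscustomobject]@{
                    Path   = $f.FullName
                    SHA256 = $h
                    Reason = if ($isIoc) { 'hash matches published IoC' } else { 'installer lookalike on removable media' }
                    Signed = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
                }
            }
        }
    }
}

function Find-IocDnsCache {
    # A cached answer for a staging or C2 domain means something on this host resolved it recently.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -match $domainRegex } |
        Select-Object Entry, Data, TimeToLive
}

$removable = @(Get-RemovableRoots)
$profiles  = @(Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object { $_.FullName })

$results  = @()
$results += Find-IocFiles -Roots $removable -Removable
$results += Find-IocFiles -Roots $profiles
$results | Format-Table Path, Reason, Signed -AutoSize -Wrap
Find-IocDnsCache | Format-Table -AutoSize
```

A real installer on a USB stick will normally carry a valid Authenticode signature from Google, Mozilla or AnyDesk, so the Signed column separates a user's own downloads from dropped lookalikes quickly. The hash check is only as good as the two samples published so far; treat a match as confirmation and a miss as nothing more than the absence of those specific builds.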

Why This Matters

DeepLoad represents a troubling convergence of trends: AI-assisted malware development, social engineering that exploits user trust, and persistence mechanisms that outlast standard remediation procedures.

The combination of ClickFix delivery—which bypasses email security entirely by making users infect themselves—with WMI persistence that survives typical incident response creates a particularly resilient threat. Organizations that discover DeepLoad infections should assume their initial cleanup was insufficient and specifically audit for WMI event subscriptions.

For defenders tracking the broader malware landscape, DeepLoad demonstrates that threat actors are actively incorporating AI tooling into their development pipelines—not for autonomous attacks, but for automating the tedious work of code obfuscation at scale.
