DeepLoad Malware: AI-Powered Credential Theft Targeting Financial Enterprises

A newly discovered malware loader called DeepLoad combines ClickFix social engineering with AI-assisted code obfuscation to steal browser credentials from enterprise networks — and it can reinfect clean hosts silently using WMI persistence.

FyntraLink Team

Security researchers at ReliaQuest have disclosed a previously undocumented malware loader dubbed DeepLoad that weaponizes the ClickFix social engineering technique alongside AI-generated code obfuscation to harvest browser credentials from enterprise endpoints. What makes DeepLoad particularly dangerous is its WMI-based persistence mechanism — capable of silently reinfecting a remediated host three days later without any user interaction or attacker command.

How DeepLoad Delivers Its Payload via ClickFix

The attack begins with a ClickFix lure — a deceptive prompt that tricks users into copying a malicious PowerShell command and pasting it into the Windows Run dialog, ostensibly to resolve a fabricated system issue. Once executed, the command invokes mshta.exe, a legitimate Windows utility, to download and run a heavily obfuscated PowerShell loader from an attacker-controlled server. This initial stage bypasses most email and web gateway filters because the payload delivery depends on manual user action rather than a malicious file attachment or link click.

After initial execution, DeepLoad generates a secondary component on the fly using PowerShell's built-in Add-Type feature. This compiles inline C# code at runtime, producing a temporary Dynamic Link Library (DLL) dropped into the user's %TEMP% directory. The runtime compilation means the DLL has no static signature — traditional antivirus engines scanning known hashes or byte patterns will miss it entirely.

AI-Assisted Obfuscation: A New Evasion Frontier

ReliaQuest analysts noted that DeepLoad's obfuscation patterns bear hallmarks of AI-generated code — variable naming conventions, control flow structures, and string encoding methods that shift across samples in ways consistent with large language model output rather than manual refactoring. Each deployment produces structurally unique code, defeating signature-based detection and complicating static analysis. This represents a meaningful escalation in adversary tradecraft: attackers are now leveraging the same generative AI tools that defenders use, but for automated evasion engineering.

The use of process injection further compounds detection challenges. DeepLoad injects its credential-harvesting routines into legitimate system processes, breaking the parent-child process chains that most endpoint detection rules rely on. Credential theft begins immediately upon execution — browser passwords and active sessions are exfiltrated even if the primary loader is later identified and blocked by security tooling.

WMI Persistence: Silent Reinfection Without Attacker Interaction

Perhaps the most concerning aspect of DeepLoad is its persistence strategy. The malware creates a Windows Management Instrumentation (WMI) event subscription that serves two purposes. First, it breaks conventional detection logic by avoiding the file-system and registry artifacts that most incident responders search for. Second, the WMI subscription quietly re-executes the full attack chain days after initial remediation — ReliaQuest documented a case where a host confirmed clean by the security team was reinfected 72 hours later with zero user action.

This persistence model is particularly problematic for organizations that rely on endpoint reimaging or malware removal as their primary response playbook. If WMI subscriptions are not explicitly audited and purged during incident response, the attacker retains a foothold that survives standard cleanup procedures.

Why Saudi Financial Institutions Should Take Notice

DeepLoad's target profile aligns directly with organizations handling sensitive financial data, customer PII, and intellectual property — precisely the assets that SAMA-regulated entities are mandated to protect. The SAMA Cyber Security Framework (CSF) requires financial institutions to maintain robust endpoint protection, credential management, and incident response capabilities. DeepLoad's ability to bypass traditional endpoint defenses and persist through standard remediation workflows exposes gaps in organizations that have not matured beyond baseline antivirus and EDR deployments.

Under the NCA Essential Cybersecurity Controls (ECC), entities must implement application whitelisting, PowerShell logging, and behavioral analytics — controls that directly address DeepLoad's attack chain. Additionally, the Personal Data Protection Law (PDPL) imposes strict obligations around the protection of customer credentials and personal data. A successful DeepLoad compromise that exfiltrates stored browser credentials containing customer banking sessions could trigger PDPL notification requirements and SAMA supervisory action.

Recommended Defensive Measures

  1. Enforce PowerShell Constrained Language Mode across all user endpoints. This prevents the Add-Type runtime compilation technique that DeepLoad relies on to generate its in-memory DLL. Log all PowerShell execution with Script Block Logging (Event ID 4104) and forward logs to your SIEM.
  2. Audit and monitor WMI event subscriptions, for example by enumerating them with Get-WMIObject or by collecting Sysmon Event IDs 19, 20 and 21. Incorporate WMI subscription checks into your standard incident response runbooks — an endpoint is not truly clean until all WMI persistence has been verified and removed.
  3. Disable mshta.exe execution via Windows Defender Application Control (WDAC) or AppLocker policies. Financial institutions with no legitimate business need for HTA execution should block this binary entirely, cutting off DeepLoad's initial delivery mechanism.
  4. Deploy credential isolation controls such as Windows Credential Guard and disable browser password storage on corporate endpoints. Enforce enterprise password managers that store credentials outside the browser's accessible data stores.
  5. Conduct targeted security awareness training focused on the ClickFix technique specifically. Employees must understand that no legitimate system prompt will ever ask them to paste commands into the Run dialog or PowerShell console. Simulate ClickFix scenarios in your phishing assessment program.
  6. Implement behavioral detection rules for runtime C# compilation via PowerShell, suspicious DLL creation in %TEMP% directories, and credential access patterns targeting browser data stores. These behavioral indicators are more resilient than signature-based detection against AI-obfuscated payloads.
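The following triage script is an added example written for this article; it is not code from ReliaQuest, from the DeepLoad samples, or from Fyntralink. It turns the WMI persistence description above and recommendations 1, 2 and 6 into checks an incident responder can run on a host: it walks every permanent WMI subscription in root\subscription and flags consumers that launch a script host, it searches Script Block Logging (Event ID 4104) for the Add-Type runtime compilation and mshta/%TEMP% DLL behaviours, and it pulls Sysmon WMI events (19, 20, 21). The function names, the 72-hour lookback and the launcher and script patterns are the author's assumptions; the script assumes an elevated Windows PowerShell 5.1 session with Script Block Logging enabled and, for the last function, Sysmon installed.

```powershell
# Added example (not from ReliaQuest, DeepLoad samples, or Fyntralink): host triage for
# WMI event-subscription persistence and PowerShell runtime C# compilation.
# Assumes an elevated PowerShell 5.1 session; Script Block Logging (4104) and Sysmon are
# expected for the log-based checks. Pattern lists and names below are the author's choices.

function Get-WmiPersistenceTriage {
    # A permanent subscription is three linked objects: an __EventFilter (the trigger),
    # an __EventConsumer (the action) and a __FilterToConsumerBinding joining them.
    # Walking the bindings shows each trigger next to the command it launches.
    $ns        = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter   -ErrorAction SilentlyContinue
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue

    # Launchers a consumer can use to re-run a loader (assumed list; extend for your estate).
    $riskyLauncher = 'powershell|pwsh|mshta|cmd\.exe|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin'

    foreach ($b in $bindings) {
        # Filter/Consumer are object paths such as __EventFilter.Name="x"; pull the Name out.
        $filterName   = if ($b.Filter   -match 'Name="(.+)"') { $Matches[1] } else { '' }
        $consumerName = if ($b.Consumer -match 'Name="(.+)"') { $Matches[1] } else { '' }
        $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

        # CommandLineEventConsumer keeps its command in CommandLineTemplate,
        # ActiveScriptEventConsumer keeps its script in ScriptText.
        $payload = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '' }
        }

        [pscustomobject]@{
            FilterName    = $filterName
            Query         = $filter.Query            # WQL trigger, e.g. a __TimerEvent or process-start query
            ConsumerClass = $consumer.__CLASS
            ConsumerName  = $consumerName
            Payload       = $payload
            Suspicious    = [bool]($payload -match $riskyLauncher)
            Binding       = $b                       # kept so a confirmed finding can be removed
        }
    }
}

function Remove-WmiPersistence {
    # Deletes the binding, filter and consumer behind one finding. Use only after the finding
    # is confirmed malicious: management software also creates legitimate subscriptions.
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)
    process {
        $ns = 'root\subscription'
        $Finding.Binding | Remove-WmiObject
        Get-WmiObject -Namespace $ns -Class __EventFilter   | Where-Object Name -eq $Finding.FilterName   | Remove-WmiObject
        Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object Name -eq $Finding.ConsumerName | Remove-WmiObject
    }
}

function Find-RuntimeCompilationScriptBlocks {
    param([int]$LookbackHours = 72)   # matches the reinfection window described in the article
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    # Behaviours to surface: inline C# compilation, a DLL placed under %TEMP%, mshta use.
    $patterns = @(
        'Add-Type[^|\r\n]*-(TypeDefinition|MemberDefinition|Language)'
        '\$env:TEMP[^\s"'']*\.dll'
        'mshta(\.exe)?\s'
    )
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value   # Properties[2] is ScriptBlockText in a 4104 record
        $hit  = $patterns | Where-Object { $text -match $_ } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                ProcessId   = $e.ProcessId
                Pattern     = $hit
                Snippet     = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

function Get-SysmonWmiActivity {
    param([int]$LookbackHours = 72)
    # Sysmon 19 = WmiEventFilter, 20 = WmiEventConsumer, 21 = WmiEventConsumerToFilter.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 19, 20, 21
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split '\r?\n')[0..3] -join ' | ' } }
}

# Usage: review everything before acting on it.
Get-WmiPersistenceTriage           | Format-List
Find-RuntimeCompilationScriptBlocks | Format-Table -AutoSize
Get-SysmonWmiActivity               | Format-Table -AutoSize
```

Two points on the design. Script Block Logging records each block as it is invoked, so the Add-Type text is captured even when the outer loader is string-obfuscated and only decoded at run time; that is why the 4104 search is more durable than a hash or byte signature against per-sample AI-generated variation, though the patterns here are leads to tune, not verdicts, because legitimate administration scripts also call Add-Type. The triage function deliberately returns every binding, flagged or not, so the responder sees the whole subscription set; once a finding is confirmed, `Get-WmiPersistenceTriage | Where-Object Suspicious | Remove-WmiPersistence` removes all three objects, which is the step the reinfection case in the article shows is easy to skip.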

Conclusion

DeepLoad represents an inflection point in the threat landscape: adversaries are now pairing social engineering with AI-generated evasion and living-off-the-land persistence to create attack chains that defeat conventional security stacks. For Saudi financial institutions operating under SAMA and NCA oversight, this is a concrete reminder that compliance alone does not equal security. The controls mandated by SAMA CSF and NCA ECC — PowerShell restriction, application whitelisting, behavioral analytics, and credential protection — are not aspirational best practices. They are operational necessities that, when properly implemented, directly neutralize threats like DeepLoad.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and identify the gaps in your endpoint defense posture before adversaries like DeepLoad find them first.
