Advisory ID: ngCERT-2026-040008
SUMMARY
ngCERT is issuing an alert about DeepLoad malware infections that threaten system integrity and enterprise credentials nationwide. DeepLoad is a fileless Windows malware loader delivered primarily through ClickFix-style social engineering. It employs AI-generated obfuscation, in-memory execution, and layered persistence mechanisms. An infection can lead to immediate credential theft, system compromise, persistent access, browser hijacking, lateral movement via infected USB media, and data exfiltration. To mitigate these risks, organisations and individuals are advised to take proactive steps by applying the recommendations captured herein.
DESCRIPTION
DeepLoad spreads via ClickFix social engineering: a fake browser error page instructs the victim to paste a PowerShell command into the Windows Run dialogue. That command downloads and executes an obfuscated loader through mshta.exe. Once running, DeepLoad decrypts shellcode in memory, injects it into trusted processes, and evades signature-based detection with AI-generated obfuscation noise. Persistence is maintained through scheduled tasks and WMI event subscriptions. It can drop a standalone credential stealer (filemanager.exe), install a malicious browser extension, and spread through disguised shortcut files on USB drives. Newer variants employ fileless execution, direct native API calls, disabled PowerShell history, and randomised artefact names, making detection and cleanup significantly harder.
Damage: Critical
Probability: High
Platform(s): Windows Systems
CONSEQUENCES
Infection with DeepLoad malware can result in:
- System compromise and multi-layered persistence.
- Immediate and ongoing credential theft.
- Installation of rogue browser extensions and browser data interception.
- Lateral movement and widespread network/USB infections.
- Reputational damage.
INDICATORS OF COMPROMISE (IOCs):
1. File Hashes (SHA256):
a. 1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d (filemanager.exe – standalone credential stealer)
b. 6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8 (domain-resolver.js)
c. ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2 (api-client.js)
2. Network Indicators:
a. Staging domains: holiday-updateservice[.]com, forest-entity[.]cc
b. Supporting infrastructure: hell1-kitty[.]cc
SOLUTION/MITIGATION
To reduce risk and impact, organisations should:
- Keep Windows systems and applications patched to reduce the attack surface available after initial access; note that DeepLoad's initial infection relies on social engineering rather than exploitation of a software vulnerability, so patching alone does not prevent it.
- Deploy Endpoint Detection and Response (EDR) tools with behavioural analysis to identify fileless infections, APC injection, WMI abuse, and suspicious PowerShell activity.
- Enable PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) and monitor for PowerShell launched with -ep Bypass (-ExecutionPolicy Bypass), mshta.exe execution (particularly when spawned from explorer.exe via the Run dialogue), and unexpected outbound connections from those processes.
- Regularly audit and remove unauthorised WMI event subscriptions and scheduled tasks; treat removable media from potentially infected systems as compromised.
- Implement network segmentation, block known malicious domains, and monitor for anomalous traffic to suspicious infrastructure.
- Train users on ClickFix-style social engineering (never paste commands from browser prompts into Run or PowerShell) and safe browsing practices.
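The following triage script is an added example and is not part of the ngCERT advisory or of any of the cited vendor reports. It checks a single Windows host for the artefacts named above: WMI event subscription persistence, scheduled tasks whose action invokes mshta.exe or PowerShell with -ep Bypass, matching entries in the Script Block Log, interpreter-launching shortcuts on removable drives, and files matching the three published SHA-256 hashes. The regular expressions, the directories searched and the assumption that Script Block Logging is already enabled are the author's choices, not facts from the advisory; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Host triage for DeepLoad-style artefacts. Added example; assumptions are marked.

# Assumed command-line patterns: mshta launches, -ExecutionPolicy Bypass (abbreviated -ep),
# plus the hidden-window and encoded-command switches that commonly accompany them.
$Suspicious = 'mshta(\.exe)?|-(ep|exec(utionpolicy)?)\s+bypass|-(w|windowstyle)\s+hidden|-enc(odedcommand)?\s'

# SHA-256 IOCs from the advisory, lower-cased (hex comparison is case-insensitive).
$IocHashes = @{
    '1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d' = 'filemanager.exe'
    '6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8' = 'domain-resolver.js'
    'ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2' = 'api-client.js'
}

Write-Host '== WMI event subscriptions (root\subscription) =='
# Every filter-to-consumer binding is a persistence mechanism; a clean workstation normally
# has only the built-in SCM event log filter, so review each one that appears.
foreach ($b in Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding) {
    $filter   = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
                Where-Object { $_.Name -eq $b.Filter.Name }
    $consumer = Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
                Where-Object { $_.Name -eq $b.Consumer.Name }
    [pscustomobject]@{
        Filter       = $filter.Name
        Query        = $filter.Query
        ConsumerType = $consumer.CimClass.CimClassName
        Payload      = ($consumer.CommandLineTemplate, $consumer.ScriptText) -join ''
    } | Format-List
}

Write-Host '== Scheduled tasks whose action matches the pattern =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $Suspicious) {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Author = $task.Author; Command = $cmd }
        }
    }
} | Format-Table -Wrap

Write-Host '== Script Block Log (Event ID 4104) entries matching the pattern =='
# Properties[2] of a 4104 event is the ScriptBlockText field.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction Stop |
        Where-Object { $_.Properties[2].Value -match $Suspicious } |
        Select-Object TimeCreated,
            @{ n = 'ScriptBlock'; e = { $t = $_.Properties[2].Value; $t.Substring(0, [Math]::Min(200, $t.Length)) } } |
        Format-Table -Wrap
} catch {
    Write-Warning "No 4104 events found, or Script Block Logging is not enabled: $_"
}

Write-Host '== Shortcuts on removable drives that launch an interpreter =='
# Disguised .lnk files are how the advisory says DeepLoad spreads over USB.
$shell = New-Object -ComObject WScript.Shell
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
    Get-ChildItem -Path "$($_.DriveLetter):\" -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match $Suspicious -or $cmd -match '(cmd|powershell|pwsh|wscript|cscript|rundll32)(\.exe)?') {
            [pscustomobject]@{ Shortcut = $_.FullName; Launches = $cmd }
        }
    }
} | Format-Table -Wrap

Write-Host '== Files under user profiles matching the advisory hashes =='
# Assumed search root; newer variants randomise names, so this only catches the known samples.
Get-ChildItem -Path "$env:SystemDrive\Users" -Include filemanager.exe, domain-resolver.js, api-client.js -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash.ToLower()
        if ($IocHashes.ContainsKey($h)) { [pscustomobject]@{ Path = $_.FullName; Matches = $IocHashes[$h] } }
    } | Format-Table -Wrap
```

The hash and filename check is the weakest of the five, since the advisory notes that newer variants randomise their artefacts; treat any non-default WMI binding, any scheduled task or shortcut that launches mshta.exe or a bypass-policy PowerShell, and any matching 4104 entry as sufficient reason to isolate the host and pull a memory image before cleanup, because the loader and injected shellcode exist only in memory.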
HYPERLINK
- https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion
- https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
- https://www.securityweek.com/new-deepload-malware-dropped-in-clickfix-attacks/
- https://socprime.com/active-threats/deepload-malware-pairs-clickfix-delivery/