DeepLoad Malware: ClickFix Tactics & WMI Persistence Analysis
Just caught the ReliaQuest report on this new loader, DeepLoad. It's leveraging the ClickFix social engineering tactic—those fake 'browser update' pages that have been circulating lately. What makes this one particularly nasty is the combination of AI-assisted obfuscation and immediate credential harvesting via process injection.
The researchers note that even if the primary loader is caught, the malware might have already dumped browser sessions. It relies heavily on WMI for persistence (T1546.003), which helps it fly under the radar since the malicious logic is stored within the WMI repository rather than a suspicious file on disk.
If you're hunting for this, start by auditing WMI Event Subscriptions. Standard EDR might miss the initial injection if the obfuscation is good, so checking for anomalous WMI filters is a solid step. You can pull current filters and consumers on your endpoints using:
Get-WmiObject -Namespace root\subscription -Class __EventFilter | Select-Object Name, Query
Get-WmiObject -Namespace root\subscription -Class __EventConsumer | Select-Object Name, CommandLineTemplate
I'm also seeing reports of `VBScript` and `PowerShell` being used for the execution chain. Given the rise in AI-assisted coding for malware, how confident are you guys that your current heuristic rules can catch polymorphic scripts before they hit the interpreter?
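To go one step past the two one-liners above, here is an added hunting script (not from the ReliaQuest report or the original post) that joins `__EventFilter` to `__EventConsumer` through `__FilterToConsumerBinding` and flags bindings whose consumer hands execution to an interpreter. The keyword regex, the trigger-class regex and the known-good filter name are assumptions; tune them to your environment.

```powershell
# Added hunting helper, not part of the original post or the ReliaQuest report.
# Walks filter -> binding -> consumer in root\subscription and reports bindings
# that actually execute code. Regexes and $knownGood are assumptions to tune.
$ns         = 'root\subscription'
$suspicious = 'powershell|pwsh|wscript|cscript|cmd\.exe|mshta|rundll32|regsvr32|\.vbs|\.js\b|-enc|frombase64string'
$triggers   = 'Win32_ProcessStartTrace|Win32_Process\b|Win32_LocalTime|LogonSession|ComputerShutdown'
$knownGood  = @('SCM Event Log Filter')   # default Windows binding; verify before excluding

# Binding references are strings such as: __EventFilter.Name="SCM Event Log Filter"
function Get-RefName ([string]$Ref) {
    if ($Ref -match 'Name="([^"]+)"') { $Matches[1] } else { $Ref }
}

$filters = @{}
Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
$consumers = @{}
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

$findings = foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters[$fName]
    $c = $consumers[$cName]

    # What will run when the filter fires: a command line, an inline script, or nothing
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptFileName)$($c.ScriptText)" }
        default                     { '' }
    }

    $reasons = @()
    if ($c.__CLASS -in 'CommandLineEventConsumer','ActiveScriptEventConsumer') { $reasons += 'consumer executes code' }
    if ($payload -match $suspicious) { $reasons += 'interpreter or encoding keyword in payload' }
    if ($f.Query -match $triggers)   { $reasons += 'fires on process start, timer, logon or shutdown' }

    if ($fName -notin $knownGood -and $reasons.Count -gt 0) {
        [pscustomobject]@{
            Filter   = $fName
            Query    = $f.Query
            Consumer = "$cName ($($c.__CLASS))"
            Payload  = $payload
            Reasons  = ($reasons -join '; ')
        }
    }
}

$findings | Format-List
```

Run it elevated on the endpoint; any hit is worth pairing with the PowerShell script block and process creation events from the same host before deciding it is benign.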
Good catch on the WMI persistence angle. We've been rolling out Script Block Logging aggressively specifically for these types of AI-obfuscated loaders. Even if the payload is heavily mutated, the de-obfuscation usually has to happen in memory before execution. We've had success triggering on the System.Management.Automation commands calling out to WMI methods. I'd recommend correlating that with process creation events where the parent is a browser.
The ClickFix vector is surprisingly effective against non-technical staff. In our phishing simulations, the 'Update Chrome' landing page still gets a click rate over 15%. From a pentesting perspective, DeepLoad's use of process injection means standard AV hash scans are useless. We've started testing strict AppLocker policies to block unsigned scripts in %TEMP%, which seems to break the dropper chain, though it's a heavy management overhead.