TL;DR
- A new malware loader called DeepLoad tricks Windows users into running a malicious command by disguising it as a routine fix for a fake error message.
- Once active, DeepLoad steals saved passwords and session cookies from Chrome, Edge, and Firefox — and the theft begins even if your antivirus catches the main loader.
- The malware uses a built-in Windows tool (WMI) to survive reboots, making it persistent without installing anything obvious.
- The defence is straightforward: disable the Windows Run dialog for staff, enforce multi-factor authentication, and audit which browsers store work credentials.
What Is DeepLoad and Why Should My Business Care?
DeepLoad is a newly discovered malware loader — a piece of software whose sole job is to sneak onto your computer and set up other malicious tools. Researchers at ReliaQuest, specifically Thassanai McCabe and Andrew Currie, published findings in late March 2026 identifying a campaign actively distributing DeepLoad through a social engineering method called ClickFix [1][2]. Unlike ransomware, which announces itself loudly by encrypting your files, DeepLoad works silently. Its primary goal is to steal the usernames, passwords, and active login sessions your browser has saved for business applications, banking portals, and email accounts.
Small and medium businesses are an especially attractive target for this type of attack. Attackers know that SMBs often rely heavily on browser-saved credentials for cloud tools, accounting software, and internal systems, and that dedicated IT security staff may be limited or absent entirely. Stolen credentials from a single employee can unlock payroll systems, client records, and financial accounts [7].
How Does the ClickFix Attack Actually Work?
ClickFix is a social engineering tactic that has appeared in numerous campaigns since 2025 and is gaining traction because it bypasses many technical controls by convincing the user to do the attacker's work [8]. The attack typically unfolds in three stages.
First, a user visits a malicious or compromised website and is presented with what looks like a legitimate Windows error message. The page instructs the user to "fix" the problem by copying a command and pasting it into the Windows Run dialog (opened by pressing the Windows key and R together). This is the ClickFix lure — it exploits the trust most people place in official-looking error screens [1].
Second, pasting and running that command launches mshta.exe, a legitimate Windows utility normally used to run HTML applications. Attackers abuse mshta.exe because it is a trusted, signed Microsoft binary and many security tools do not flag it by default. mshta.exe then connects to an attacker-controlled server and downloads an obfuscated PowerShell script [4].
Third, that PowerShell script — the DeepLoad loader — uses AI-assisted obfuscation to hide its actual purpose among hundreds of meaningless variable assignments. Static scanning tools, which look for known malicious code patterns, often cannot identify the threat because the real functionality is buried [2]. The loader then injects malicious code into a running Windows process and begins harvesting credentials from Chrome, Edge, and Firefox, targeting saved passwords and session cookies [5].
What Makes DeepLoad Harder to Stop Than Older Malware?
Two characteristics separate DeepLoad from older credential stealers. The first is its use of AI-assisted obfuscation. Traditional malware used fixed patterns that antivirus signatures could reliably detect. By generating obfuscated code dynamically, DeepLoad can produce unique variants that look different every time, defeating signature-based detection [2].
The second is the independence of the credential theft component. ReliaQuest researchers found that the credential harvesting begins immediately on execution, before any secondary payloads are dropped [1]. This means that even if your endpoint protection eventually quarantines the main loader, the passwords and session tokens may already have been captured and exfiltrated. An attacker who has your session cookie for a cloud accounting tool does not need your password — they can impersonate your active login directly.
How Does DeepLoad Stay on My Computer After a Restart?
DeepLoad uses Windows Management Instrumentation (WMI) for persistence. WMI is a legitimate Windows administration framework that allows software to subscribe to system events — such as "run this action every time the computer starts." CISA has flagged WMI-based persistence as a technique commonly used by advanced persistent threat (APT) groups precisely because it does not require writing new files to obvious locations and does not appear in the standard list of startup programs [6].
Because WMI persistence is invisible to the average user checking the Task Manager or Startup tab in Settings, DeepLoad can continue running across reboots without the victim knowing anything is installed. This persistence mechanism corresponds to techniques documented in the MITRE ATT&CK framework and is increasingly appearing in commodity malware, not just nation-state toolkits [4][6].
What Can SMB Owners Do Right Now to Protect Their Business?
The good news is that the ClickFix attack chain depends almost entirely on a user completing a manual step. Disrupting that step breaks the entire chain. Here are the practical defences in order of priority.
Restrict the Windows Run dialog. Group Policy can disable the Run dialog for standard user accounts. If staff have no reason to use it, removing access eliminates the most critical step of the ClickFix lure. Your IT support provider can apply this setting across all business machines in under an hour.
Enable multi-factor authentication (MFA) on every business account. Even if an attacker steals a saved password, MFA means that password alone cannot open your accounts. Prioritise email, accounting software, payroll, and any cloud storage. The Australian Signals Directorate recommends MFA as a top-priority control for exactly this type of credential theft scenario [10].
Audit browser credential storage. Browsers like Chrome and Edge have built-in password managers that are convenient but create a single high-value target. Consider moving business credentials to a dedicated password manager with its own encryption layer, and disable browser password saving for critical systems.
Keep Windows and browsers updated. DeepLoad's obfuscation targets static scanning, but behavioural detection in modern endpoint tools can still catch process injection. Ensuring your endpoint protection is current and that Windows Defender is enabled provides a meaningful layer of defence against the post-execution stages [9].
Train staff to recognise the lure. Show employees what a ClickFix lure looks like — a webpage asking them to copy and paste a command to fix an error. Verizon's 2025 Data Breach Investigations Report found that 68% of breaches involve the human element [3]. A five-minute briefing that explains "a real website will never ask you to paste a command into Windows" is a high-value, zero-cost control.
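The two controls in this list that are pure configuration (restricting the Run dialog and turning off browser password saving) applied to a single machine, as an added example that is not from the article: it writes the same registry policy values Group Policy would push, so it doubles as an audit check when re-run. It assumes an elevated PowerShell session; the `Test-ClickFixHardening` function name is the example's own.

```powershell
# Added example, not from the article: apply the Run-dialog restriction and the
# browser password-manager policies on one PC via the registry keys that Group
# Policy itself writes. Run in an elevated PowerShell session.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Control 1: remove the Run dialog (Win+R and the Start menu entry) for the current user.
# GPO equivalent: User Configuration > Administrative Templates > Start Menu and Taskbar >
# "Remove Run menu from Start Menu". The same value under HKLM covers every local account.
Set-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun' 1

# Control 2: disable the built-in password manager in the three browsers the article names.
# Each vendor reads its managed policies from HKLM\SOFTWARE\Policies; the setting then shows
# as managed in chrome://policy, edge://policy and about:policies respectively.
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Google\Chrome'   'PasswordManagerEnabled' 0
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'  'PasswordManagerEnabled' 0
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' 'PasswordManagerEnabled' 0

# Verification: read every value back so the script can be re-run purely as an audit.
function Test-ClickFixHardening {
    $expected = @(
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoRun'; Value=1 },
        @{ Path='HKLM:\SOFTWARE\Policies\Google\Chrome';   Name='PasswordManagerEnabled'; Value=0 },
        @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name='PasswordManagerEnabled'; Value=0 },
        @{ Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name='PasswordManagerEnabled'; Value=0 }
    )
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $state  = if ($actual -eq $e.Value) { 'OK     ' } else { 'MISSING' }
        Write-Host "$state $($e.Path)\$($e.Name) (want $($e.Value), have $($actual))"
    }
}
Test-ClickFixHardening
```

Disabling the browser password manager stops new passwords being saved but, per Chrome's policy documentation, leaves already-saved ones usable, so existing browser-stored credentials still have to be cleared and moved to the dedicated password manager the article recommends.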
What Should I Do If I Think My Business Has Been Compromised?
If you suspect DeepLoad or a similar credential stealer has run on a business machine, treat it as an active incident. Immediately revoke and reset credentials for all accounts that were accessible from that machine, with priority given to email, financial systems, and any administrative accounts. Enable MFA on all accounts if not already in place. Contact your IT provider or a managed security service to check WMI subscriptions and scheduled tasks for unfamiliar entries. Do not simply run an antivirus scan and consider the matter resolved — the credential theft may have already succeeded before detection occurred.
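The WMI subscription and scheduled-task check this paragraph asks for, covering the persistence mechanism described in the WMI section above, as an added example that is not from the article or from ReliaQuest's research: it lists the three parts of every permanent WMI event subscription and the non-Microsoft or recently registered scheduled tasks, and deletes nothing. It assumes an elevated PowerShell session on the suspect machine; the 30-day window is the example's own choice.

```powershell
# Added example, not from the article: enumerate permanent WMI event subscriptions and
# recently created scheduled tasks so unfamiliar entries stand out. Read-only; run elevated.

$ns = 'root/subscription'

# A permanent WMI subscription has three parts: a filter (the trigger, e.g. a query that
# fires at boot), a consumer (the action, e.g. a command line or script), and the binding
# that ties them together. Boot-surviving persistence needs all three to be present.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

Write-Host "=== WMI event filters ($($filters.Count)) ==="
$filters | Select-Object Name, Query | Format-Table -Wrap

Write-Host "=== WMI event consumers ($($consumers.Count)) ==="
$consumers | ForEach-Object {
    # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer carries
    # script text. Either one pointing at a scripting host or a temp-folder path is worth
    # a close look, since a clean workstation normally has no consumers at all.
    $action = if ($_.CommandLineTemplate) { $_.CommandLineTemplate }
              elseif ($_.ScriptText)      { $_.ScriptText }
              else                        { '(no command or script)' }
    [pscustomobject]@{ Name = $_.Name; Class = $_.CimClass.CimClassName; Action = $action }
} | Format-Table -Wrap

Write-Host "=== Filter-to-consumer bindings ($($bindings.Count)) ==="
$bindings | Select-Object Filter, Consumer | Format-Table -Wrap

# Scheduled tasks are the other place the article says to check. Showing only tasks with
# a non-Microsoft author or a registration date inside the last 30 days keeps the list short.
$cutoff = (Get-Date).AddDays(-30)
Write-Host "=== Scheduled tasks: non-Microsoft author or registered since $cutoff ==="
Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{
        TaskName = $_.TaskName
        Path     = $_.TaskPath
        Author   = $_.Author
        Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Created  = $_.Date
    }
} | Where-Object {
    ($_.Author -notlike 'Microsoft*') -or ($_.Created -and [datetime]$_.Created -gt $cutoff)
} | Format-Table -Wrap
```

Keep the output with the incident record before any cleanup, since the consumer's command line and the task's action are the evidence that tells your IT provider what ran and when.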
The IBM Cost of a Data Breach 2025 report estimates the average cost of a credential-related breach at approximately USD 4.5 million when incident response, business disruption, and regulatory exposure are factored in [7]. Early, thorough response is significantly cheaper than late discovery.
FAQ
Q: Does DeepLoad only affect large companies, or is my small business at risk?
DeepLoad and ClickFix-style attacks actively target small and medium businesses. Attackers value SMB credentials because smaller organisations tend to have fewer security controls, direct access to financial systems, and established client relationships that can be exploited through business email compromise. Being small does not reduce your exposure — it may increase it.
Q: My antivirus did not flag anything. Does that mean I am safe?
Not necessarily. DeepLoad uses AI-assisted obfuscation specifically to evade static antivirus scanning. A clean antivirus scan does not confirm the machine is uninfected if the malware ran before definitions were updated or if the obfuscation defeated scanning. Behavioural detection and network monitoring provide better coverage, but the most reliable signal after a ClickFix encounter is to assume compromise and change credentials proactively.
Q: Can DeepLoad steal passwords from a business password manager, or only from browsers?
Based on current research, DeepLoad targets browser-stored credentials specifically — saved passwords and session cookies in Chrome, Edge, and Firefox [5]. Dedicated password managers that require a separate master password and do not integrate directly into the browser provide better protection because they are a separate encrypted store. However, if malware captures keystrokes or takes screen recordings, any password manager can be partially defeated. Layering MFA on top of any credential store remains essential.
Q: We use Google Chrome for everything. Are we more at risk than businesses using a different browser?
Chrome, Edge, and Firefox are all confirmed targets of DeepLoad's credential harvesting module [1][2]. The risk is not meaningfully different between these three browsers based on available research. The more important variable is whether work credentials are stored in the browser at all, and whether MFA protects the accounts those credentials unlock.
Q: Is this a one-off campaign or an ongoing threat?
ClickFix has been observed across multiple distinct campaigns throughout 2025 and into 2026 [8]. Microsoft has reported a significant increase in ClickFix-style attacks. DeepLoad is one loader among a growing family of tools that use this delivery method. SMBs should treat ClickFix awareness as a standing security control, not a response to a single incident.
References
[1] T. McCabe and A. Currie, "DeepLoad Malware Uses ClickFix and WMI for Stealthy Credential Theft," The Hacker News, Mar. 30, 2026. [Online]. Available: https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
[2] ReliaQuest Research Team, "ReliaQuest Threat Research Blog," ReliaQuest, 2026. [Online]. Available: https://www.reliaquest.com/blog/
[3] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[4] MITRE, "Technique T1059.001: Command and Scripting Interpreter — PowerShell," MITRE ATT&CK, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1059/001/
[5] MITRE, "Technique T1555.003: Credentials from Password Stores — Credentials from Web Browsers," MITRE ATT&CK, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1555/003/
[6] Cybersecurity and Infrastructure Security Agency (CISA), "Known Exploited Vulnerabilities Catalog," CISA, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM Corporation, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] Microsoft Security, "Microsoft Security Blog," Microsoft Corporation, 2025–2026. [Online]. Available: https://www.microsoft.com/en-us/security/blog/
[9] SANS Internet Storm Center, "SANS ISC Diary and Threat Reports," SANS Institute, 2026. [Online]. Available: https://isc.sans.edu/
[10] Australian Signals Directorate, "Protect Your Business — Securing Your Accounts," Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/protect-yourself
TL;DR
- Attackers show you a fake error message on a website and trick you into typing a command that lets their software onto your computer.
- That software quietly collects every password your browser has saved and sends it to the attacker — even if your antivirus eventually catches it.
- Three things you can do right now: turn on two-step sign-in for your accounts, stop saving work passwords in your browser, and tell your team what these fake error pages look like.
What Is DeepLoad and What Does It Actually Do?
Imagine someone knocks on your front door wearing a high-visibility vest and carrying a clipboard. They say the council sent them to check your pipes, and they need you to hand them your house key so they can get into the meter room. You hand over the key. They were never from the council — and now they can come and go whenever they want.
That is almost exactly what DeepLoad does to your computer. Security researchers at a company called ReliaQuest discovered a new piece of software in March 2026 that tricks Windows users into giving it access by pretending to be a helpful fix for a technical problem [1][2]. Once you fall for the trick, it collects all the passwords and login sessions saved in your web browser — Chrome, Edge, Firefox — and sends them to the attacker [5].
The tactic used to deliver DeepLoad is called ClickFix. It works by showing you a webpage with a scary-looking error message. The page tells you to copy a line of text and paste it into a Windows box to make the error go away. When you do that, you are actually running a command that lets the attacker's software onto your machine [1][8].
Why Is This Difficult for Antivirus to Catch?
Normal antivirus software works a bit like a wanted poster — it looks for faces it already knows. DeepLoad uses a technique that changes its appearance every time it runs, so the wanted poster never quite matches [2]. The software also hides inside a legitimate Windows tool called mshta.exe, which is like a criminal hiding inside an official government van. The guards wave it through because the van looks official [4].
Importantly, the password theft starts the moment you run the command — before your antivirus even gets a chance to react [1]. This is what makes DeepLoad unusual. Even if your security software eventually catches and removes it, the passwords may already be gone.
Why Does It Stay on Your Computer After You Restart?
DeepLoad uses a part of Windows called WMI — Windows Management Instrumentation — to make itself start up automatically every time your computer boots. WMI is a normal Windows tool that businesses use to manage computers remotely. CISA, the US government's cybersecurity agency, has flagged this technique as something serious attackers use because most people never check it [6]. It does not show up in the normal list of startup programs, so it is easy to miss.
Three Steps You Can Take Today
These three actions are straightforward and cost nothing except a few minutes of time.
Step 1 — Turn on two-step sign-in for every work account. Two-step sign-in (also called multi-factor authentication or MFA) means an attacker needs more than just your password to get in. Even if DeepLoad steals your password, they cannot log in without the second step — usually a code sent to your phone [10]. Set this up on your email, your accounting software, and anywhere you store customer data.
Step 2 — Stop saving work passwords directly in your web browser. Chrome, Edge, and Firefox all offer to remember your passwords for you. This is convenient, but it means all those passwords are sitting in one place — exactly where DeepLoad looks. Move work passwords to a dedicated password manager app instead [5].
Step 3 — Show your team what a ClickFix lure looks like. A real website will never ask you to copy a command and paste it into a Windows box to fix a problem. If a website does that, close it immediately. Showing staff a screenshot of what these fake error pages look like takes five minutes and removes the human step the entire attack depends on [3].
FAQ
Q: Could this happen to me even if I am careful online?
Yes. ClickFix lures appear on websites that look completely normal, including sites that have been hacked without the owner knowing. Careful browsing habits help, but the most reliable protection is making sure that if the trick does work, the attacker cannot do much with what they get — which is why MFA matters so much.
Q: My antivirus says my computer is clean. Am I fine?
Not necessarily. DeepLoad is specifically designed to get past antivirus tools that rely on pattern matching [2]. A clean scan is reassuring but not a guarantee. If someone on your team recently pasted a command from a website into Windows, it is worth changing your passwords and checking your accounts for unusual activity regardless of what the antivirus says.
Q: Is this only a problem for big companies?
No. Small businesses are actually a common target because they often have direct access to payment systems and client data, but fewer security tools in place. The attackers are not picky — they want credentials they can use or sell, and small business accounts are just as valuable as large ones [7].
Q: How do I know if someone has used my stolen passwords?
Check your accounts for logins from unfamiliar locations or devices. Most email providers and cloud services show a log of recent sign-ins somewhere in the account settings. If you see a sign-in from a city or country you have never been to, treat that as a serious warning and change your password and security settings immediately. Contacting your IT provider or a cybersecurity professional is the right next move [9].