DeepLoad: Multi-Stage Loader Combining ClickFix, APC Injecti

Type	Value	Context	Confidence
PROCESS	LockAppHost.exe (with network or child process activity)	Legitimate Windows process targeted for APC injection; anomalous behavior indicates potential DeepLoad payload execution	medium
LOLBIN	mshta.exe	Used as living-off-the-land binary in DeepLoad execution chain; alert on unexpected parent processes	medium
FILENAME	AnyDesk (lure filename)	DeepLoad uses AnyDesk branding as a social engineering lure; verify any AnyDesk installer against official source and hash	medium
TECHNIQUE	WMI event subscription (root\subscription namespace)	DeepLoad uses WMI subscriptions for autonomous reinfection ~72 hours post-remediation; unauthorized subscriptions are a high-confidence indicator	high
FILEPATH	\AppData\Local\Google\Chrome\User Data\Default\Login Data	Chrome credential store targeted by DeepLoad payload; unexpected process access is an indicator of credential theft	medium
FILEPATH	\AppData\Roaming\Mozilla\Firefox\Profiles\	Firefox credential store targeted by DeepLoad payload; unexpected process access is an indicator of credential theft	medium

Over 10 years we help companies reach their financial and branding goals. Engitech is a values-driven technology agency dedicated.

Gallery

Contacts

411 University St, Seattle, USA

engitech@oceanthemes.net

+1 -800-456-478-23

DeepLoad is an active malware campaign documented by ReliaQuest that targets Windows systems through social engineering, then steals browser credentials from Chrome and Firefox. The threat’s most significant business risk is a built-in WMI-based reinfection mechanism that reinstates the malware approximately three days after remediation without attacker interaction, meaning standard incident response procedures may produce a false sense of containment. Any organization with Windows endpoints, browser-stored credentials, and USB-connected devices is in scope; credential theft at scale can enable account takeover, privilege escalation, and downstream breaches.