Researchers at ReliaQuest have identified a new malware strain, dubbed DeepLoad, that utilizes artificial intelligence to generate unique code obfuscation for every infection. Published on Monday by ReliaQuest Threat Research, the report details how the malware is delivered via “ClickFix” social engineering (fake browser update prompts) to turn “one user action into rapid, fileless compromise.”
ReliaQuest researchers Thassanai McCabe and Andrew Currie assess with “high confidence that AI was used to build this obfuscation layer.”
The report highlights that the malware loader buries functional code under “thousands of meaningless variable assignments,” a tactic the authors state is intended to leave “file-based scanning tools with nothing to flag.”
The malware’s stealth properties are amplified by its choice of host. ReliaQuest found the payload runs inside the LockAppHost.exe process. The researchers believe this was a “deliberate decision” because the Windows lock screen “doesn’t typically initiate outbound network activity,” allowing the malware to blend into trusted OS behavior.
A significant finding in the ReliaQuest data is the malware’s persistence. The research team noted the campaign used Windows Management Instrumentation (WMI) event subscriptions that “allowed reinfection three days after the host appeared clean.”
The authors warn that because of the AI-generated noise, “static detection is the wrong tool here,” recommending instead that organizations prioritize behavioral, runtime detection.
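The two behaviors the report singles out, LockAppHost.exe initiating outbound connections and WMI event subscriptions providing persistence, are both visible at runtime rather than in the file on disk. The following is an added example (not ReliaQuest's code or the report's detection logic) of what a behavioral detection over endpoint telemetry can look like. It assumes Sysmon-style events exported as JSON (event ID 3 for network connections, 19/20/21 for WMI filter, consumer and binding creation); the field names, the sample events and the IP addresses are constructed for illustration.

```python
"""Behavioral detections for the two runtime signals described in the text.

Added example. Assumes Sysmon-like events flattened to dicts; the sample
events below are constructed, not captured telemetry.
"""
import ipaddress
import re

# Sysmon event IDs referenced below.
NETWORK_CONNECT = 3   # process initiated a network connection
WMI_FILTER = 19       # __EventFilter created
WMI_CONSUMER = 20     # __EventConsumer created
WMI_BINDING = 21      # __FilterToConsumerBinding created

# Consumer classes that execute code when the bound filter fires.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Address ranges treated as internal; everything else counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample events. 203.0.113.0/24 is a documentation range used
# here as a stand-in for an external address; the consumer destination is a
# placeholder path, not a real payload.
SAMPLE_EVENTS = [
    {"EventID": 3, "Initiated": True, "Image": r"C:\Windows\System32\LockAppHost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Initiated": True, "Image": r"C:\Windows\System32\LockAppHost.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 135},
    {"EventID": 3, "Initiated": True, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 19, "Operation": "Created", "Name": "UpdateFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "Name": "UpdateConsumer",
     "Type": "CommandLineEventConsumer", "Destination": r"C:\Users\Public\placeholder.cmd"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="UpdateConsumer"',
     "Filter": '__EventFilter.Name="UpdateFilter"'},
]


def is_external(ip_str):
    """True if the address is outside the internal ranges listed above."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def _basename(image_path):
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lockapphost_outbound(events):
    """Signal 1: the lock-screen host process initiating an external connection.

    The report's point is that LockAppHost.exe has no normal reason to do this,
    so any hit is worth triage regardless of destination reputation.
    """
    return [e for e in events
            if e.get("EventID") == NETWORK_CONNECT and e.get("Initiated")
            and _basename(e.get("Image", "")) == "lockapphost.exe"
            and is_external(e["DestinationIp"])]


def _name_from_ref(ref):
    """Extract the instance name from a WMI object reference such as
    __EventFilter.Name="UpdateFilter"."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def wmi_persistence(events):
    """Signal 2: a complete filter -> consumer binding, i.e. armed persistence.

    Filters and consumers on their own are common; the binding is what makes
    the subscription fire. Code-executing consumers are rated high.
    """
    filters, consumers, bindings = {}, {}, []
    for e in events:
        if e.get("Operation") != "Created":
            continue
        if e.get("EventID") == WMI_FILTER:
            filters[e["Name"]] = e
        elif e.get("EventID") == WMI_CONSUMER:
            consumers[e["Name"]] = e
        elif e.get("EventID") == WMI_BINDING:
            bindings.append(e)
    findings = []
    for b in bindings:
        fname, cname = _name_from_ref(b["Filter"]), _name_from_ref(b["Consumer"])
        ctype = consumers.get(cname, {}).get("Type")
        findings.append({
            "filter": fname, "consumer": cname, "type": ctype,
            "severity": "high" if ctype in CODE_EXEC_CONSUMERS else "medium",
            "query": filters.get(fname, {}).get("Query"),
        })
    return findings


def run_detections(events):
    """Return all findings from both signals for a batch of events."""
    return {"lockapphost_outbound": lockapphost_outbound(events),
            "wmi_persistence": wmi_persistence(events)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("  ", h)
```

Because the WMI subscription survives until the filter, consumer and binding are all removed, the binding finding is the one to act on, and it is also the record to check when a host that "appeared clean" is reinfected days later.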