Researchers say credential-stealing campaign used AI to build evasion "at every stage"
A new malware-based credential-stealing campaign, which researchers are calling "DeepLoad," has been infecting enterprise business IT environments.
In a report released Monday, ReliaQuest AI researchers Thassanai McCabe and Andrew Currie say the most relevant feature of this attack is the way it uses artificial intelligence and other engineering "to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access."
DeepLoad is delivered to victims via "QuickFix" social-engineering techniques, such as fake browser prompts or error pages. Once a user falls for the scheme, the rest of the attack chain shows that the malware developers — or more likely their AI tools — put a lot of work into evading security technology "at every stage."
The loader "buries functional code under thousands of meaningless variable assignments," and the payload runs behind a Windows lock screen process that is "overlooked by security tools" monitoring for threats. ReliaQuest said "the sheer volume" of code padding likely rules out human-only involvement.
"We assess with high confidence that AI was used to build this obfuscation layer," McCabe and Currie write. "If so, organizations should expect frequent updates to the malware and less time to adapt detection coverage between waves."
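As an added illustration (not code from the ReliaQuest report or from CyberScoop), one way a defender can triage scripts for the padding described above: count assignment statements whose variable is never referenced again, and flag a file when those dead assignments dominate. The sample scripts, regex and thresholds below are constructed for the demonstration.

```python
import re

# Matches a simple assignment line: optional var/let/const keyword or a
# PowerShell-style '$' sigil, an identifier, then '=' (but not '==').
ASSIGN_RE = re.compile(r"^\s*(?:(?:var|let|const)\s+)?\$?([A-Za-z_]\w*)\s*=(?!=)")


def dead_assignment_stats(source: str):
    """Return (total_assignments, dead_assignments) for a script.

    An assignment is 'dead' when the assigned name appears nowhere else in
    the script; a loader padded with thousands of throwaway assignments
    produces a very high dead count relative to the functional code.
    """
    lines = source.splitlines()
    assigned = []
    for idx, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m:
            assigned.append((idx, m.group(1)))
    dead = 0
    for idx, name in assigned:
        ref = re.compile(r"\b%s\b" % re.escape(name))
        used_elsewhere = any(ref.search(l) for i, l in enumerate(lines) if i != idx)
        if not used_elsewhere:
            dead += 1
    return len(assigned), dead


def looks_padded(source: str, min_dead: int = 20, min_ratio: float = 0.8) -> bool:
    """Heuristic verdict: many dead assignments AND they dominate the file."""
    total, dead = dead_assignment_stats(source)
    return total > 0 and dead >= min_dead and dead / total >= min_ratio


# Constructed samples: 40 junk assignments around two functional lines,
# versus a small script where every assigned name is actually used.
PADDED_SAMPLE = "\n".join(
    [f"var pad{i} = {i * 7};" for i in range(40)]
    + ["var greeting = 'hello';", "show(greeting);"]
)
CLEAN_SAMPLE = "var greeting = 'hello';\nshow(greeting);\nvar n = 3;\nshow(n);"

if __name__ == "__main__":
    for label, src in (("padded", PADDED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, dead_assignment_stats(src), looks_padded(src))
```

The thresholds are deliberately conservative so that ordinary scripts with a few unused variables are not flagged; tune them against your own baseline of benign scripts.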
DeepLoad can steal credentials through real-time keylogging, and in the incidents examined it survived even when security teams blocked the initial loader, falling back on secondary persistence mechanisms.
"In the incidents we investigated, the loader spread to connected USB drives, which means the initial host is unlikely to be the only impacted system," McCabe and Currie wrote. "Even after cleanup, a hidden persistence mechanism not addressed by standard remediation workflows re-executed the attack three days later."
ReliaQuest's research offers more evidence that over the past year, some traditional static cybersecurity practices — such as searching for malware signatures or file-based patterns — may be fast becoming obsolete, as AI models can spin out endless variations of attack tooling with unique signatures.
Other organizations like Google and Anthropic have been sounding the alarm that AI-enhanced cyberattacks are dramatically shrinking the time defenders have to respond to a compromise.
At the RSA Conference in San Francisco this year, experts told CyberScoop that the next two years are set to be a "perfect storm" favoring AI-powered offense, with cybercriminals and nation-states adapting the technology to add speed and scale to their attacks more quickly than their defensive counterparts.
McCabe and Currie say the likely continued use of AI to frustrate static analysis means that defenders will need to shift focus to other indicators of compromise.
"Based on what we've observed, organizations must prioritize behavioral, runtime detection—not file-based scanning—to catch this campaign (and similar ones) early," they wrote.
The post Researchers say credential-stealing campaign used AI to build evasion "at every stage" appeared first on CyberScoop.