Researchers say credential-stealing campaign used AI to build evasion \u2018at every stage\u2019 | CyberScoop<\/title> <meta name=\"description\" content=\"DeepLoad logs keystrokes, buries details behind reams of AI-generated code, and re-infect hosts days after being blocked, according to ReliaQuest. \"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/deepload-ai-malware-obfuscation-at-every-stage-reliaquest\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers say credential-stealing campaign used AI to build evasion \u2018at every stage\u2019\"> <meta property=\"og:description\" content=\"DeepLoad logs keystrokes, buries details behind reams of AI-generated code, and re-infect hosts days after being blocked, according to ReliaQuest. \"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/deepload-ai-malware-obfuscation-at-every-stage-reliaquest\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-03-30T18:28:17+00:00\"> <meta property=\"article:modified_time\" content=\"2026-03-30T18:28:20+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1774626878g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1774625888g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1773271249g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88447\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88447\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fdeepload-ai-malware-obfuscation-at-every-stage-reliaquest%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fdeepload-ai-malware-obfuscation-at-every-stage-reliaquest%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88447 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/deepload-ai-malware-obfuscation-at-every-stage-reliaquest\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.869955156951\">\n<div class=\"single-article__header-content\" readability=\"37.371229698376\">\n<p> DeepLoad logs keystrokes, buries details behind reams of AI-generated code, and re-infect hosts days after being blocked, according to ReliaQuest. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88447\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.64132231405\"><body readability=\"70.336479010739\"><\/p>\n<p>A new malware-based credential-stealing campaign, which researchers are calling \u201cDeepLoad,\u201d has been infecting enterprise business IT environments over the past<\/p>\n<p>In a <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion\/\">report<\/a> released Monday, ReliaQuest AI researchers Thassanai McCabe and Andrew Currie say the most relevant feature of this attack is the way it uses artificial intelligence and other engineering \u201cto defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access.\u201d<\/p>\n<p>DeepLoad is delivered to victims via \u201cQuickFix\u201d social-engineering techniques, such as fake browser prompts or error pages. If the user falls for the scheme, the malware developers \u2014 or more likely their AI tools \u2014 put a lot of work into building evasion of security technology \u201cat every stage\u201d of the attack chain.<\/p>\n<p>The loader \u201cburies functional code under thousands of meaningless variable assignments,\u201d and the payload runs behind a Windows lock screen process that is \u201coverlooked by security tools\u201d monitoring for threats. ReliaQuest said \u201cthe sheer volume\u201d of code padding likely rules out human-only involvement.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe assess with high confidence that AI was used to build this obfuscation layer,\u201d McCabe and Currie write. \u201cIf so, organizations should expect frequent updates to the malware and less time to adapt detection coverage between waves.\u201d<\/p>\n<p>DeepLoad can steal credentials through real-time keylogging, and even if security teams block the initial loader, it was able to persist through backup contingencies.<\/p>\n<p>\u201cIn the incidents we investigated, the loader spread to connected USB drives, which means the initial host is unlikely to be the only impacted system,\u201d McCabe and Currie wrote. \u201cEven after cleanup, a hidden persistence mechanism not addressed by standard remediation workflows re-executed the attack three days later.\u201d<\/p>\n<p>ReliaQuest\u2019s research offers more evidence that over the past year, some traditional static cybersecurity practices \u2014 such as searching for malware signatures or file-based patterns \u2014 may be fast becoming obsolete, as AI models can spin out endless variations of attack tooling with unique signatures.<\/p>\n<p>Other organizations like Google and Anthropic have been sounding the alarm that <a href=\"https:\/\/cyberscoop.com\/anthropic-ai-orchestrated-attack-required-many-human-hands\/\">AI-enhanced cyberattacks<\/a> are dramatically <a href=\"https:\/\/cyberscoop.com\/state-hackers-using-gemini-google-ai\/\">shrinking the time<\/a> defenders must respond to a compromise. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>At the RSA Conference in San Francisco this year, <a href=\"https:\/\/cyberscoop.com\/ai-cyberattacks-two-years-insane-vulnerabilities-kevin-mandia-alex-stamos-morgan-adamski-rsac-2026\/\">experts told CyberScoop<\/a> that the next two years are set to be a \u201cperfect storm\u201d favoring AI-powered offense, with cybercriminals and nation-states more quickly adapting the technology to add greater speed and scale to their attacks than their defensive counterparts.<\/p>\n<p>McCabe and Currie say the likely continued use of AI to frustrate static analysis monitoring means that defenders will need to shift focus to other indicators of compromise.<\/p>\n<p>\u201cBased on what we\u2019ve observed, organizations must prioritize behavioral, runtime detection\u2014not file-based scanning\u2014to catch this campaign (and similar ones) early,\u201d they wrote. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5251798561151\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/deepload-ai-malware-obfuscation-at-every-stage-reliaquest\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers say credential-stealing campaign used AI to build evasion \u2018at<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,384,2973,78,168,256,3560,310],"tags":[236,388,2975,86,169,262,3573,311],"class_list":["post-8476","post","type-post","status-publish","format-standard","hentry","category-ai","category-artificial-intelligence-ai","category-credential-theft","category-cybersecurity","category-malware","category-research","category-static-analysis","category-technology","tag-ai","tag-artificial-intelligence-ai","tag-credential-theft","tag-cybersecurity","tag-malware","tag-research","tag-static-analysis","tag-technology"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence-ai\/\" rel=\"category tag\">artificial intelligence (AI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/credential-theft\/\" rel=\"category tag\">credential theft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/static-analysis\/\" rel=\"category tag\">Static Analysis<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a>","tag_info":"Technology","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8476"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8476\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8476,"date":"2026-03-30T13:28:17","date_gmt":"2026-03-30T18:28:17","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88447"},"modified":"2026-03-30T13:28:17","modified_gmt":"2026-03-30T18:28:17","slug":"researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/03\/30\/researchers-say-credential-stealing-campaign-used-ai-to-build-evasion-at-every-stage\/","title":{"rendered":"Researchers say credential-stealing campaign used AI to build evasion \u2018at every stage\u2019"},"content":{"rendered":"