Cybersecurity, 1 hr ago

NITDA Warns of AI‑Powered DeepLoad Malware Targeting Nigerian Banks and Government

NITDA warns of DeepLoad malware that steals browser credentials, evades antivirus using AI, and threatens bank accounts and classified networks in Nigeria.

Peter Olaleru/3 min/NG

Cybersecurity Editor

NITDA warns as New AI-Powered Malware Attacks Nigerian Banks, businesses, govt agencies

Source: Legit

TL;DR: NITDA warns of a new AI‑powered malware called DeepLoad that steals browser data and evades antivirus. It can give attackers access to bank accounts, mobile money services and classified networks.

Context: The National Information Technology Development Agency issued the warning after detecting active infections in financial institutions, government agencies and private users across Nigeria. The malware is delivered when users paste unverified links or commands into their browser, a tactic NITDA explicitly cautioned against. Once executed, DeepLoad installs itself without user interaction.

Key Facts: DeepLoad harvests stored passwords, personal data and documents from browsers, enabling criminals to impersonate victims for fraud. NITDA states the infection can lead to unauthorized access to bank accounts, mobile money wallets and payment cards, facilitating direct financial theft. The agency also warns that stolen credentials allow threat actors to disrupt organizational workflows and compromise classified government networks, posing a national‑security risk. Technical analysis shows the malware uses AI‑based polymorphism to alter its signature each infection, helping it bypass traditional antivirus engines. Observed tactics align with MITRE ATT&CK techniques T1056 (Input Capture), T1003 (OS Credential Dumping) and T1027 (Obfuscated/Stored Files). No specific CVE has been published yet, but the malware leverages living‑off‑the‑land binaries to execute payloads.

What It Means: Organizations should treat any unexpected browser credential prompts as suspicious and enforce multi‑factor authentication on all financial and government accounts. Security teams must update endpoint detection and response (EDR) rules to flag AI‑driven polymorphic behavior and block execution of unknown scripts from browser consoles. Applying the latest browser patches, disabling unnecessary extensions, and enforcing strict clipboard‑access policies narrow the infection vector. Continuous monitoring for outbound connections to known malicious IP ranges and reviewing credential‑dumping alerts are essential.
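A defender-side triage routine for the chain the advisory describes (a command pasted into the browser, execution through a living-off-the-land binary, then theft of saved browser credentials), added here as an illustration and not part of NITDA's guidance. Because NITDA has not yet published indicators, the process names, file paths and telemetry events below are assumed and constructed; the rules match behaviour rather than file hashes, since a polymorphic sample defeats signature matching.

```python
# Behaviour-based triage for a DeepLoad-style chain: a browser launches a
# living-off-the-land binary, then a non-browser process reads the browser's
# saved-credential store. Hashes are not matched (polymorphism); names are assumed.
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed LOLBins worth flagging when a browser is the parent; the advisory names none.
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cmd.exe"}
# Saved-login databases of Chromium ("Login Data") and Firefox ("logins.json").
CRED_STORE_MARKERS = ("\\login data", "\\logins.json")

@dataclass
class ProcEvent:
    parent: str            # image name of the parent process
    image: str             # image name of the created process
    cmdline: str           # command line (kept for the analyst, not matched)
    file_access: str = ""  # a path the process opened, "" if none observed

def browser_spawned_lolbin(ev: ProcEvent) -> bool:
    """True when a browser directly launches a LOLBin (the pasted-command vector)."""
    return ev.parent.lower() in BROWSERS and ev.image.lower() in LOLBINS

def foreign_cred_store_read(ev: ProcEvent) -> bool:
    """True when anything other than a browser opens a saved-login store (T1003)."""
    path = ev.file_access.lower()
    return ev.image.lower() not in BROWSERS and any(m in path for m in CRED_STORE_MARKERS)

def triage(events) -> list:
    """Return (rule, image) pairs for every event that matches a behaviour rule."""
    alerts = []
    for ev in events:
        if browser_spawned_lolbin(ev):
            alerts.append(("browser-spawned LOLBin", ev.image))
        if foreign_cred_store_read(ev):
            alerts.append(("non-browser read of saved-credential store (T1003)", ev.image))
    return alerts

# Constructed telemetry: normal browser start, pasted-command launch, follow-on
# credential-store read, and the browser's own legitimate read of its store.
LOGIN_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent("chrome.exe", "mshta.exe", "mshta.exe <pasted-command-placeholder>"),
    ProcEvent("mshta.exe", "rundll32.exe", "rundll32.exe <placeholder>", LOGIN_DATA),
    ProcEvent("explorer.exe", "chrome.exe", "chrome.exe", LOGIN_DATA),
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```

Only the second and third constructed events raise alerts; the browser reading its own credential store is deliberately not flagged, which is the kind of baseline exclusion an EDR rule needs to avoid noise.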

What to watch next: NITDA indicates it will publish detailed IOCs and mitigation guidance within the week; defenders should prepare to integrate those signatures and watch for emerging variants that target additional sectors.
