The National Information Technology Development Agency (NITDA) has warned that a new artificial‑intelligence‑enhanced malware, known as DeepLoad, is actively targeting Nigerian government agencies, financial institutions, businesses and individual users. The alert was issued on 6 May in an advisory from NITDA’s Computer Emergency Readiness and Response Team (CERRT.NG) and posted on the agency’s official X account.
According to the advisory, DeepLoad is a sophisticated strain that infiltrates computers, harvests credentials stored in major web browsers and uses AI techniques to evade traditional antivirus solutions. The malware is distributed through deceptive website prompts that appear as error messages, urging users to copy and paste commands into their systems. Once executed, the code silently installs itself, gathers sensitive data and establishes a hidden persistence mechanism based on Windows Management Instrumentation (WMI). This mechanism can reactivate the infection up to three days after an apparent removal, making eradication difficult.
NITDA highlighted several risks associated with a successful compromise. Cybercriminals could gain unauthorized access to bank accounts, mobile money services and payment cards, as well as steal passwords, documents and personal information. The stolen data may be employed for identity fraud or further financial crime. For organisations, infections could cause operational disruption, require full system isolation and remediation, and, in the case of government networks, threaten classified information and national security.
To mitigate the threat, NITDA issued a set of remedial measures for both individuals and organisations. Users are advised not to paste commands from websites, to avoid opening suspicious files—such as “Chrome Setup” or “Firefox Installer”—from USB drives, and to scan all external storage devices with up‑to‑date antivirus software. Enabling two‑factor authentication and refraining from storing banking passwords in browsers are also recommended.
Organisations should immediately raise awareness among staff about DeepLoad, enable PowerShell Script Block Logging on Windows machines, and audit browser extensions for unauthorised installations. Known malicious domains, including holiday-updateservice[.]com, forest-entity[.]cc and hell1-kitty[.]cc, must be blocked at the firewall and DNS levels, and systems must be checked for hidden WMI Event Subscriptions that could sustain the malware after cleanup. In the event of a suspected infection, affected systems should be disconnected from the internet, passwords changed on clean devices, and incident-response teams activated. Incidents must be reported to NITDA within 72 hours, as mandated by law.
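As an added illustration (not code from the NITDA advisory), the PowerShell below shows one way a Windows administrator could carry out two of these checks from an elevated session: confirming that the Script Block Logging policy is set, and listing every permanent WMI event subscription with the filter query and the action its consumer would run. The function names and the `Review` flag are this example's own; the flag is a triage heuristic for consumers that execute commands or scripts, not a DeepLoad signature.

```powershell
# Added example: run in an elevated PowerShell session on the host being checked.

function Get-ScriptBlockLoggingState {
    # Policy value that turns on Script Block Logging (events are written as
    # ID 4104 in the Microsoft-Windows-PowerShell/Operational log).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $prop = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKey = $key
        Enabled   = ($null -ne $prop -and $prop.EnableScriptBlockLogging -eq 1)
    }
}

function Get-WmiSubscriptionReport {
    param([string]$Namespace = 'root\subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    # Consumer classes that run a command or script when the filter fires.
    $executing = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

    foreach ($b in $bindings) {
        $class    = $b.Consumer.CimSystemProperties.ClassName
        $filter   = $filters | Where-Object { $_.Name -eq $b.Filter.Name } | Select-Object -First 1
        $consumer = $consumers | Where-Object {
            $_.Name -eq $b.Consumer.Name -and $_.CimSystemProperties.ClassName -eq $class
        } | Select-Object -First 1

        # Whichever of these properties the consumer class defines is what would execute.
        $action = $consumer.CommandLineTemplate, $consumer.ExecutablePath,
                  $consumer.ScriptFileName, $consumer.ScriptText |
                  Where-Object { $_ } | Select-Object -First 1

        [pscustomobject]@{
            Filter        = $b.Filter.Name
            Query         = $filter.Query          # WQL trigger condition
            ConsumerClass = $class
            Consumer      = $b.Consumer.Name
            Action        = $action
            Review        = $executing -contains $class
        }
    }
}

Get-ScriptBlockLoggingState | Format-List
Get-WmiSubscriptionReport | Sort-Object Review -Descending | Format-List
```

Rows with `Review` set to `True` are candidates for comparison against a known-good baseline of the same build; legitimate management software also registers such consumers.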
The advisory underscores the rapid evolution of cyber threats in Nigeria and the need for swift, coordinated action to protect both public and private sector assets. NITDA’s warning serves as a reminder that vigilance, proper configuration and timely reporting are essential components of an effective cyber‑defence strategy.
