The National Information Technology Development Agency (NITDA) has issued an urgent cybersecurity advisory warning Nigerians about a dangerous new artificial intelligence-powered malware known as “DeepLoad,” which is reportedly targeting government agencies, financial institutions, businesses, and individuals across the country.
The warning was issued on May 6 through the agency’s Computer Emergency Readiness and Response Team, CERRT.NG, and shared via NITDA’s official X account.
The alert comes amid rising cyber threats against Nigerian institutions, including recent attacks affecting the Corporate Affairs Commission and private financial service providers.
How DeepLoad Works
According to NITDA, DeepLoad is an advanced malware strain enhanced with artificial intelligence capabilities that enable it to infiltrate systems, steal sensitive information, and evade traditional antivirus detection systems.
The malware reportedly spreads through deceptive website prompts that trick users into copying and executing malicious commands on their computers.
“The malware is distributed through a social engineering technique involving fake website error,” NITDA stated in the advisory.
Once activated, DeepLoad silently installs itself on infected devices and begins harvesting stored credentials and sensitive information from major web browsers.
NITDA explained: “Once executed, DeepLoad silently installs itself, harvests stored credentials and sensitive data from major browsers, and leverages artificial intelligence to evade antivirus detection.”
One of the malware’s most dangerous features is its persistence mechanism. According to the agency, DeepLoad can survive attempted cleanup operations through a hidden Windows Management Instrumentation (WMI)-based reactivation system.
“Critically, the malware incorporates a hidden WMI-based persistence mechanism capable of reactivating the infection up to three days after apparent removal,” the advisory noted.
Potential Impact on Nigerians
NITDA warned that the malware poses serious risks to individuals, businesses, and government institutions.
According to the agency, attackers could gain unauthorised access to:
- Bank accounts
- Mobile money platforms
- Payment cards
- Stored browser passwords
- Sensitive documents
- Personal identity information
The agency added that stolen information could be used for identity theft and financial fraud.
For organisations, infections may result in operational shutdowns, system isolation procedures, and expensive remediation efforts. Government systems could also face risks involving classified information and national security exposure.
Safety Measures Recommended by NITDA
To reduce exposure to DeepLoad, NITDA advised Nigerians to:
- Avoid copying and pasting commands from websites into their systems
- Refrain from opening suspicious installer files such as “Chrome Setup” or “Firefox Installer” from USB drives
- Scan external storage devices with antivirus software before use
- Enable two-factor authentication on important accounts
- Avoid storing banking passwords directly in browsers
For organisations, the agency recommended:
- Immediate staff awareness campaigns
- Enabling PowerShell Script Block Logging on Windows systems
- Reviewing browser extensions for suspicious installations
- Blocking malicious domains including:
  - holiday-updateservice[.]com
  - forest-entity[.]cc
  - hell1-kitty[.]cc
- Checking for hidden WMI Event Subscriptions that may allow reinfection
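
The last check in the list above, together with the Script Block Logging item, can be scripted. The PowerShell below is an added example, not code from the NITDA advisory: it lists permanent WMI event subscriptions in the standard `root\subscription` namespace and reports whether Script Block Logging is enabled by policy. The function names are hypothetical.

```powershell
# Added example (not from the NITDA advisory). Run in an elevated PowerShell session.
# Scope: only the root\subscription namespace is inspected; subscriptions
# registered in other namespaces are not covered by this check.
$ns = 'root\subscription'

function Get-WmiSubscriptionReport {
    # A permanent subscription is three objects: an event filter (the trigger),
    # an event consumer (the action) and a binding that links the two.
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        $type = if ($c) { $c.CimSystemProperties.ClassName } else { 'unresolved' }
        # Collect whichever command or script fields this consumer class carries.
        $action = @($c.CommandLineTemplate, $c.ExecutablePath,
                    $c.ScriptFileName, $c.ScriptText) | Where-Object { $_ }
        [pscustomobject]@{
            Filter       = $b.Filter.Name
            Query        = $f.Query       # WQL condition that fires the consumer
            Consumer     = $b.Consumer.Name
            ConsumerType = $type
            Action       = $action -join ' | '
            # These two consumer classes run a command or script when the filter fires.
            RunsCode     = $type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

function Test-ScriptBlockLogging {
    # Value written by the "Turn on PowerShell Script Block Logging" policy (1 = enabled).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $p = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [bool]($p -and $p.EnableScriptBlockLogging -eq 1)
}

$report = @(Get-WmiSubscriptionReport)
$report | Sort-Object RunsCode -Descending | Format-List
'Subscriptions that run code: {0}' -f (@($report | Where-Object RunsCode).Count)
'Script Block Logging enabled by policy: {0}' -f (Test-ScriptBlockLogging)
```

Any row with `RunsCode` set to `True` that the organisation's own tooling did not create should be reviewed as a whole (filter, consumer and binding). With Script Block Logging enabled, executed script blocks are recorded as event ID 4104 in the `Microsoft-Windows-PowerShell/Operational` log.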
NITDA also instructed institutions that suspect compromise to immediately disconnect affected systems from the internet, isolate infected devices, reset passwords from clean devices, activate incident response protocols, and report incidents to the agency within 72 hours.
The latest warning adds to growing concerns over cyber attacks targeting Nigeria’s digital infrastructure.
In April, the Nigeria Data Protection Commission warned about coordinated cyber threats targeting the country’s financial systems and key digital infrastructure.
The commission also launched investigations into an alleged data breach involving Remita Payment Services and Sterling Bank.
Separately, the Corporate Affairs Commission temporarily shut down its website between April 17 and April 20 following reports that approximately 25 million documents may have been exfiltrated during a suspected cyber attack.




















