Recent reports from cybersecurity firms Morphisec, BlueVoyant, and Huntress highlight advanced ClickFix campaigns deploying three new malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. These campaigns are notable for their sophisticated methods of distribution and payload delivery.
Enhanced Malware Techniques with BabaDeda Loader
In April 2026, BabaDeda Loader attacks surfaced, targeting sectors such as education and finance. Initially discovered by Morphisec, BabaDeda Loader has evolved from hiding malicious content in legitimate installer packages to employing stealthier and more flexible delivery mechanisms. Attacks start with ClickFix social engineering attempts that trick victims into running PowerShell commands. The loader subsequently deploys information stealers and remote access trojans (RATs) using techniques like hidden PowerShell and in-memory shellcode.
The BabaDeda service dates back to November 2021, when it targeted cryptocurrency and Web3 sectors. The loader fingerprints its host environment, avoids Russian and Belarusian systems, and checks for security products before injecting its payload into trusted Windows processes such as ‘svchost.exe’. It can collect system data and browser artifacts and execute commands, all while maintaining an encrypted connection to a command-and-control (C2) server.
Lorem Ipsum Loader Targets Compromised WordPress Sites
Another ClickFix campaign involves the Lorem Ipsum Loader, which utilizes compromised WordPress sites across various sectors to deliver its payload. This shift marks a departure from previous methods that used trojanized Microsoft Teams installers promoted through malvertising. The loader has been active since February 2026, adapting its delivery strategy following Microsoft’s disruption of a malware-signing service, Fox Tempest.
BlueVoyant researchers note that the new delivery mechanism involves downloading a ZIP file and an outdated Node.js version to execute JavaScript payloads. The Lorem Ipsum Loader retrieves further backdoor stages from C2 servers, facilitating the deployment of ransomware like Rhysida and BlackCat by the threat actor known as Vanilla Tempest.
Potemkin Loader and Its Advanced Capabilities
The Potemkin loader, part of a third sophisticated campaign, is deployed via an MSI package and an HTML Application (HTA) payload. This loader enables the execution of EtherRAT and RMMProject, which can control screens and steal browser credentials. Huntress researchers discovered Potemkin’s use of a domain generation algorithm for C2 communication, enhancing its resistance to detection.
The attackers conduct hands-on activities such as configuring Microsoft Defender exclusions and setting up network tunnels for persistent access. This campaign, like others, showcases the adaptability of threat actors in maintaining operations despite defensive efforts.
ClickFix remains a potent method for distributing malware, exploiting human behavior through deceptive instructions. Apple’s recent macOS update aims to mitigate these risks by alerting users to potentially harmful Terminal commands, underscoring the need for vigilance against evolving cyber threats.
