Researchers have uncovered multiple ClickFix campaigns distributing the BabaDeda Loader, Lorem Ipsum Loader, and Potemkin loader to deliver stealers, RATs, and backdoors through deceptive PowerShell and browser-update lures. The campaigns show how threat actors are rapidly adapting delivery methods, leveraging compromised websites, DLL side-loading, and staged loaders to evade detection and expand post-exploitation access.
#BabaDedaLoader #LoremIpsumLoader #Potemkin #DanaBot #SectopRAT #VanillaTempest #FoxTempest #RapidBrigantine #Rhysida #EtherRAT #RMMProject
Key points
- BabaDeda Loader uses ClickFix and PowerShell to drop stealers and RATs.
- It hides payloads, evades security checks, and injects into trusted Windows processes.
- Lorem Ipsum Loader spreads through compromised WordPress sites and fake browser update lures.
- Potemkin delivers EtherRAT and RMMProject, then supports DGA-based C2 and in-memory loading.
- ClickFix remains effective because it tricks users into pasting malicious commands themselves.
Read More: https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html