
Three New Malware Loaders Are Riding the ClickFix Wave

Three separate ClickFix campaigns are now delivering new malware loaders that lead to stolen data, remote access, and ransomware deployment.

Dateline: June 17, 2026

BabaDeda, Lorem Ipsum, and Potemkin: ClickFix’s New Toolkit

Hackers do not always need to break in. Sometimes they just ask nicely. That is the idea behind ClickFix, a trick that gets people to run malicious commands on their own computers. Three separate security teams just found new examples of how far this trick has spread, and the malware behind it has gotten a lot more capable.

What Happened?

Morphisec, BlueVoyant, and Huntress each published research this month on ClickFix campaigns using three different loaders. Morphisec found BabaDeda Loader hitting education and financial organizations in April. It hides inside legitimate-looking installers, checks whether it is running on a security researcher's machine or inside Russia or Belarus, then injects itself into a trusted Windows process to steal browser data, take screenshots, and run commands.

BlueVoyant tracked Lorem Ipsum Loader spreading through at least five hacked WordPress sites since February. Visitors see a fake Microsoft Edge update prompt, which runs a command that pulls in an outdated version of Node.js to launch the malware. This loader has been linked to Rhysida ransomware.

Huntress uncovered Potemkin, a loader that drops a remote access tool and a credential stealer capable of getting around Chrome's built-in protections for saved passwords. In one case, attackers used it to spread across more than a dozen machines and reach a company's domain controller.

ClickFix is not slowing down either. Researchers have also seen the technique used to push fake installers for AI tools and a macOS-focused data stealer, which shows attackers are willing to chase whatever topic gets people clicking fast. Apple has noticed too. The company recently added a new warning in macOS that pops up when someone tries to paste a command into Terminal from a website, chat app, or email.

The Impact

All three loaders share the same starting point. A pop-up or fake error message convinces someone to copy a command, paste it into their computer, and hit enter. From there, attackers can steal saved passwords, browsing history, and files, take over the machine remotely, or set the stage for a ransomware attack. Because the victim runs the command themselves, many antivirus tools never see anything unusual happen.

How to Avoid This

Train employees to never paste commands into Run, PowerShell, or Terminal windows just because a website or pop-up tells them to. Restrict PowerShell execution policies for standard users where possible. Watch for DLL side-loading and unusual child processes spawning from trusted system processes like svchost.exe. Keep browsers and operating systems updated, since Apple's new warning is a good signal but not a full fix. Most importantly, treat any urgent on-screen fix as a red flag, not a shortcut.
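As an added example (not code from the article or from any of the vendors named), the Python below triages process-creation events for the two signals recommended above: an interpreter launched from the user's desktop session with download-or-decode arguments, and an interpreter spawned by a trusted system process. The process names, regex fragments, and sample events are assumptions modeled on Sysmon-style telemetry, not real captures.

```python
import re

# Parent that hosts user-launched shells (the Run dialog is owned by explorer.exe).
USER_SHELL_PARENTS = {"explorer.exe"}
# Interpreters a ClickFix lure typically tells the victim to paste into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "node.exe"}
# Trusted system processes that should not be spawning interpreters.
TRUSTED_HOSTS = {"svchost.exe"}
# Command-line fragments common to download-and-execute one-liners (assumed list).
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|\biex\b|invoke-expression|downloadstring|"
    r"invoke-webrequest|\biwr\b|\bcurl\b|https?://|frombase64string|-w(indowstyle)? hidden)",
    re.IGNORECASE,
)

def triage_event(event: dict) -> list[str]:
    """Return the reasons an event looks like a paste-and-run, or [] if clean.
    A non-empty result is a signal for analyst review, not a verdict."""
    parent, image, cmdline = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    reasons = []
    if parent in USER_SHELL_PARENTS and image in INTERPRETERS:
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(cmdline)})
        if hits:
            reasons.append(f"user-session {image} with download/decode args {hits}")
    if parent in TRUSTED_HOSTS and image in INTERPRETERS:
        reasons.append(f"trusted host {parent} spawned interpreter {image}")
    return reasons

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run triage_event over a batch; return (index, reasons) for each hit."""
    return [(i, r) for i, e in enumerate(events) if (r := triage_event(e))]

# Constructed sample events (not real telemetry); fields modeled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc <base64-placeholder>"},
    {"parent": "explorer.exe", "image": "node.exe",
     "cmdline": "node -e \"fetch('https://example.invalid/x')\""},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"parent": "svchost.exe", "image": "cmd.exe", "cmdline": "cmd /c whoami"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell Get-Date"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

The benign PowerShell launch and Notepad events pass through untouched, which is the point: the heuristics key on the parent-child pair plus the argument pattern, not on the interpreter alone.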

Your Employees Are One Paste Away from a Breach

ClickFix attacks do not need a vulnerability. They need one distracted employee and thirty seconds. Secure.com helps security teams catch what slips past the human eye.

  • Flags unusual PowerShell and command-line activity before a loader can call home
  • Connects scattered alerts so a single suspicious process triggers a full investigation, not just a ticket
  • Surfaces DLL side-loading and process injection patterns tied to loaders like BabaDeda and Potemkin
  • Cuts the time it takes analysts to confirm whether a paste-and-run incident has already escalated
  • Gives security teams visibility across endpoints so one infected machine does not turn into a domain-wide incident