ClickFix campaigns have expanded their malware delivery infrastructure with three new loaders identified by separate security firms. Morphisec, BlueVoyant, and Huntress each documented distinct malware families: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, all distributed through ClickFix social engineering tactics.
BabaDeda Loader emerged in April 2026 and primarily targets education and financial institutions. The loader functions as a first-stage payload delivery mechanism, establishing persistence and downloading secondary malware onto compromised systems.
ClickFix campaigns rely on deceptive browser pop-ups and fake system update prompts that trick users into executing malicious scripts or installers. Attackers impersonate legitimate tech support or operating system vendors, creating urgency around false security warnings. The technique remains effective because it exploits human behavior rather than software vulnerabilities.
The introduction of multiple loaders demonstrates that threat actors behind ClickFix have invested in modular malware infrastructure. Each loader variant likely serves different objectives. BabaDeda focuses on the education and financial sectors, while Lorem Ipsum and Potemkin may target alternative verticals or deliver specialized payloads like information stealers, banking trojans, or ransomware downloaders.
Organizations face a twofold threat. End users require training to recognize fake update prompts and suspicious pop-ups, particularly those claiming immediate action is required. Technical controls should block suspicious script execution and monitor for unexpected child processes spawned from browsers or update mechanisms.
Security teams should implement application allowlisting, restrict scripting engines such as PowerShell to the execution contexts that genuinely need them, and enforce multi-factor authentication to contain lateral movement if a device becomes infected. Network segmentation limits the damage when a loader does establish a foothold.
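The child-process monitoring recommended above, as an added example that is not from the article or any of the named vendors: it scans process-creation events for a script interpreter launched directly by a browser, or by explorer.exe with hidden/encoded flags (the pattern left behind when a user pastes a ClickFix command into the Run dialog). The process names, flag list and sample events are assumptions constructed for this example, not indicators published for these loaders.

```python
"""Flag ClickFix-style execution chains in process-creation events (e.g. Sysmon Event ID 1)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed parent/child names; extend to match the software in your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
# Flags commonly used to hide a pasted command from the user.
SUSPICIOUS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand", "-nop")


@dataclass
class Alert:
    rule: str
    parent: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious parent/child pair, else None."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    if parent in BROWSERS and image in INTERPRETERS:
        return Alert("browser_spawns_interpreter", parent, image, cmd)
    if parent == "explorer.exe" and image in INTERPRETERS and any(f in cmd for f in SUSPICIOUS_FLAGS):
        return Alert("run_dialog_hidden_script", parent, image, cmd)
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events: two ClickFix-like chains and two benign ones.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c <PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -enc <PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
]
```

Both rules are noisy in environments where help-desk tooling or updaters legitimately spawn interpreters, so tune the parent list and baseline before alerting on them.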
The expansion of ClickFix infrastructure indicates sustained demand for commodity malware delivery services.
