ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

Cybersecurity researchers have identified multiple ClickFix campaigns employing three new malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. Morphisec, BlueVoyant, and Huntress independently reported on these findings. BabaDeda Loader, observed in April 2026, has been used to target organizations in the education and financial sectors. This loader was previously known for its use of "living off the land" techniques, leveraging legitimate system tools to evade detection. The ClickFix campaigns utilize fake update lures, such as deceptive "update required" pop-ups, to trick users into downloading and executing the malicious payloads. These social engineering tactics are designed to exploit user trust and urgency, making them a persistent threat. The campaigns aim to deliver a range of malware, potentially including ransomware, information stealers, and backdoors, depending on the attacker's objectives. The emergence of these new loaders indicates an evolving threat landscape, with attackers continuously developing new methods to bypass security measures and infiltrate target networks. The use of multiple loaders suggests a strategy to diversify attack vectors and increase the likelihood of successful compromise.