ClickFix Grows Into an Ecosystem: A New Wave of Loaders (BabaDeda, Lorem Ipsum, Potemkin) and the Convergence With EtherHiding

Summary
In mid-2026, three independent reports from Morphisec, BlueVoyant, and Huntress converged on the same point: ClickFix has stopped being a one-off social engineering trick and become the delivery gateway for a whole new generation of loaders — BabaDeda Loader, Lorem Ipsum Loader, and Potemkin — pulling in stealers, RATs, and pre-ransomware tooling. The same simple lure ("press Win+R, paste this, hit Enter") now feeds highly modular multi-stage chains that separate delivery, payload storage, execution, and deployment into distinct components.
The most notable development is the convergence with EtherHiding: EtherRAT, the Node.js backdoor observed in the Potemkin campaign, hardcodes no C2 address and instead reads it from a smart contract on the Ethereum blockchain — making infrastructure takedown nearly impossible by conventional means.
One detail matters for defenders: the pivot to ClickFix is partly a reaction to a defender win. After Microsoft dismantled Fox Tempest's malware-signing service, the Lorem Ipsum operators lost their supply of signing certificates and were forced onto a delivery model that drops code signing entirely. Attackers adapt faster than we patch.
What ClickFix is, and why it still works
ClickFix tricks users into running attacker-supplied commands through trusted OS utilities (User Execution — MITRE ATT&CK T1204). A victim hits a website, gets a fake verification or CAPTCHA-style prompt, and is told to open the Run dialog (Win+R), paste a PowerShell command, and press Enter.
As Huntress notes, ClickFix works because it exploits human nature — people follow a clear, authoritative-looking instruction. The social engineering doesn't need to be sophisticated; it just needs to look like a legitimate troubleshooting step, and usually that's enough.
The technique has spread beyond Windows. ClickFix now delivers Phexia Stealer (a macOS infostealer) and rides the AI hype to push fake MSI installers for AI tools. Apple has added a security pop-up in macOS Tahoe 26.4 warning users who paste commands into Terminal from an outside source.
The new loader wave
BabaDeda Loader — reborn and built to hide
During April 2026, Morphisec blocked multiple intrusion attempts against education and financial organizations and uncovered a substantially evolved version of the BabaDeda loader family. The link to older BabaDeda infrastructure (first documented by Morphisec in November 2021, tied to a crypto/Web3 campaign distributing stealers, RATs, and LockBit ransomware) was established through code genome analysis: the loader contains a task handler that launches a workflow named BABADEDA and embeds the constant 0xBABADEDA.
The reborn version expands in three ways that matter to defenders:
Modular staging — delivery, storage, execution, and payload deployment are split into separate components, each benign-looking in isolation.
External payload storage — the real payload lives inside an ordinary-looking file such as
List.Control.dat, kept away from the most visible executable, and only the needed bytes are XOR-decoded seconds before execution.In-memory execution — Donut/pe2shc-style loaders map and run code directly in memory rather than dropping a clean executable to disk. The chain begins when a victim hits a fake verification/CAPTCHA prompt and runs a PowerShell command. The loader checks region and quits on Russian or Belarusian systems, pulls follow-on payloads over plain HTTP, and injects them into a trusted process like
svchost.exe. One branch delivers a .NET backdoor and stealer (harvesting cookies, credentials, and files on demand). Another downloadslinguist.zip— roughly 30 files disguised as real software — using DLL side-loading to read the payload from an external storage file and hand off to DanaBot and SectopRAT (ArechClient).
Lorem Ipsum Loader — a pivot forced by lost certificates
BlueVoyant tracked a campaign using at least five compromised WordPress sites as the starting point to deliver a nascent loader and backdoor dubbed Lorem Ipsum Loader (active since February 2026). The notable element is the pivot: the operators previously delivered trojanized Microsoft Teams installers through fake download portals promoted via SEO poisoning and malvertising — and have now switched to ClickFix lures.
The shift is attributed to Microsoft's disruption of Fox Tempest (Forging Marauder), a threat actor selling malware-signing-as-a-service using fraudulent Microsoft Trusted Signing certificates. The loss of certificate supply rendered the signed-installer model unviable, forcing the operators to adopt delivery that eliminates code signing entirely.
The Lorem Ipsum chain uses a fake "Edge browser security update" lure to download a ZIP plus an outdated Node.js 7.10.1 (2017) to execute JavaScript payloads while minimizing detection. The JS acts as a dropper, sets up persistence via a DLL side-loading chain (mscoree.dll or msvcp140.dll — T1574.002), decodes the Lorem Ipsum Loader, and retrieves a later-stage backdoor from C2 obtained from attacker-controlled social media profiles. The ecosystem is attributed with high confidence to Vanilla Tempest (aka Rapid Brigantine, Vice Society, Vice Spider), a financially motivated actor known for deploying Rhysida, BlackCat, Zeppelin, and Quantum Locker ransomware.
Potemkin + RMMProject + EtherRAT — from one pasted command to the whole network
In May 2026, Huntress handled a ClickFix case that became a hands-on-keyboard intrusion spanning over 11 hosts. The victim ran a Run-dialog command abusing pcalua.exe as a LOLBIN to proxy mshta.exe (T1218.005), fetching a remote HTA payload; the HTA used curl to pull an MSI and ran it silently via msiexec /qn.
Potemkin is a custom x64 loader, persisted via a Run key, that uses a Domain Generation Algorithm (T1568.002) to find its C2: an XorShift32 routine with a fixed seed (151678 in this build) generates 10,000 .xyz domains from a 1,000-word dictionary, probing each in order until one answers "ok" at /api/client_hello:443. Because the seed is fixed, the entire domain set can be precomputed and blocklisted — a weakness defenders can exploit. Potemkin identifies the host with a UUID written to %LOCALAPPDATA%\hyper-v.ver, then reflectively loads its next module in memory. Its entire command vocabulary is a single task code, 1015 — it exists to deliver RMMProject.
RMMProject is a 4.4 MB RAT embedding a LuaJIT engine with 15 task types: credential/cookie theft across Chrome, Firefox, and Edge; a hidden-desktop remote control module (RTSC); process injection; and runtime module loading. Most notable is its Chrome App-Bound Encryption (ABE) bypass: it embeds a 4,608-byte helper DLL (XOR 0x5A), spawns a hidden chrome.exe/msedge.exe, and injects that DLL to inherit Chrome's application identity, calling the IElevator COM interface to decrypt the master key and read Cookies/Login Data (SQLite) for AES-GCM decryption. Firefox is handled separately via NSS, ASN.1, and PBKDF2 + 3DES-CBC.
EtherRAT handles takedown resilience. It's a Node.js backdoor that resolves its C2 from the blockchain (see next section). With footholds set, the attacker shifted to hands-on-keyboard work: killing Defender in layers (AMSI patch, registry policies, Set-MpPreference, stopping WinDefend/wscsvc/SecurityHealthService), adding an exclusion path C:\ProgramData\p, deploying Chisel reverse SOCKS, opening a Cloudflare tunnel (cloudflared renamed to svchost.exe), and spreading laterally via WMIExec/SMBExec (Impacket) to the domain controller, spraying EtherRAT across the network.
The EtherHiding convergence: C2 anchored on the blockchain
EtherHiding hides and resolves the C2 address through a smart contract on a public blockchain — a form of dead-drop resolver (T1102). EtherRAT illustrates it cleanly: instead of a hardcoded domain, it issues eth_call requests across seven public Ethereum RPC providers (Tenderly, Flashbots, MEV Blocker, BlastAPI, PublicNode, dRPC, Merkle) to a known contract, decodes the ABI-encoded string returned, and checks that it looks like an http(s)/ws(s) URL. In the Huntress sample, contract 0xb3f2897f2bc797e5b9033faef8c81e92b01cb831 returned the live C2 resumeacceptable[.]com.
The power lies here: to move the entire botnet, the operator sends a single cheap transaction updating the value stored in the contract, and every infected host picks up the new C2 on its next poll. There is no fixed domain or IP to sinkhole; "taking it down" means contending with the blockchain itself.
EtherHiding isn't an isolated case. The same technique family includes the HellsUchecker backdoor (delivered via ClickFix + EtherHiding) and the OCRFix botnet hiding C2 in BNB Smart Chain contracts. EtherRAT has also previously appeared in a campaign assessed as North Korea-linked (exploiting React2Shell), though the Huntress ClickFix/Potemkin case remains unattributed.
IOCs
Source: Huntress report (Potemkin/RMMProject/EtherRAT campaign). See the original for the full set, including all 10,000 DGA domains.
| Indicator | Description |
|---|---|
2abe5dd3a057fdef935722e50e9251c272d29fd26113187b853a1f9a9cb89d9b |
SHA256 — Potemkin Loader (RunSearch.exe) |
3b7ae925e2d64522b4f69b56285b05aeca8c5aab5ab46a9c02c4fafb69d881ce |
SHA256 — RMMProject (avast_update.bin) |
79f7b67ce8b39070f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b |
SHA256 — inst24.msi (drops Potemkin) |
2ada24dd6e517f37942b749c2bd57ddd97445e9853002cee70a0bc30d0b0ce3a |
SHA256 — cons_1.0.1.msi (delivers EtherRAT) |
77.110.122[.]58 |
Primary C2 / staging |
213.165.41[.]26 |
Chisel reverse SOCKS server |
cl.distritovagas[.]com |
ClickFix HTA-serving domain |
anus-staylard[.]xyz |
Potemkin/RMMProject DGA C2 |
0xb3f2897f2bc797e5b9033faef8c81e92b01cb831 |
Ethereum smart contract (EtherHiding) |
resumeacceptable[.]com |
EtherRAT C2 resolved from blockchain |
%LOCALAPPDATA%\hyper-v.ver |
Potemkin victim-UUID file |
Assessment
What's concerning isn't any single technique — most are familiar — but how they're modularized and reassembled into an assembly line. When delivery, storage, execution, and payload are separated, no individual piece looks malicious enough to block, and the real payload only exists in usable form in memory, seconds before it runs. File-and-signature detection is structurally late.
Two trends are worth tracking. First, the adaptation loop: every time defenders win a round (dismantling Fox Tempest, revoking signing certificates), attackers immediately change their delivery model — here, falling back to ClickFix, which requires no signing at all. Second, blockchain as a durable C2 layer: EtherHiding turns command infrastructure into something that can't be sinkholed, shifting the defensive center of gravity from "block the domain/IP" to "detect anomalous blockchain RPC queries from endpoints." Both point the same way: the advantage now sits with endpoint coverage and behavioral detection, not static IOC lists.
Recommendations
Disable the Run dialog (Win+R) via Group Policy — the most direct mitigation, since ClickFix depends on the user pasting a command there.
Close endpoint-coverage gaps: every networked workstation and server needs an EDR agent; the Huntress case escalated from 1 to 11 hosts precisely because the entry point was unmonitored.
Enable tamper protection and high-fidelity alerts on
Stop-Service WinDefend,sc.exe config WinDefend start= disabled, and bulk exclusion-path /Set-MpPreferencecommands.Alert on
cloudflared(including renamed copies) and Chisel binaries; hunt for randomly named Run keys / scheduled tasks andeth_callqueries to Ethereum/BNB RPC endpoints originating from internal hosts.
References
ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures — The Hacker News
What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign — Morphisec
Lorem Ipsum Revisited: ClickFix Pivot & Rapid Brigantine — BlueVoyant
Lorem Ipsum Malware: Trojanized MS Teams Installers… — BlueVoyant
Potemkin Loader & RMMProject: The Anatomy of a ClickFix Attack — Huntress
Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign — The Hacker News
North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — The Hacker News
HellsUchecker: ClickFix to blockchain-backed backdoor — Derp





