Researchers have identified multiple active ClickFix campaigns distributing malware loaders through deceptive lures. Independent reports from the security firms Morphisec, BlueVoyant, and Huntress describe the emergence of three distinct malware loaders deployed by these campaigns, a sign of the expanding capabilities of the threat actors behind them.
The ClickFix campaigns use three primary malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, each representing a different approach to bypassing security measures and establishing persistence on compromised systems. BabaDeda Loader, observed in April 2026, has focused on organizations in the education and financial sectors. This selective targeting suggests that the threat actors are pursuing sectors that often hold valuable sensitive data and that may vary in cybersecurity maturity.
What makes these ClickFix campaigns particularly concerning is their use of fake update lures to trick users into inadvertently executing malicious code. These social engineering techniques exploit users' trust in system notifications and software updates, effectively bypassing many technical security