Malware

Potemkin

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

2 techniques

T1218.005MshtaEvidence1

...installs an MSI package, which then drops a previously undocumented loader codenamed Potemkin via an HTML Application (HTA) payload.

T1620Reflective Code LoadingEvidence1

Potemkin loader is a "custom x64 loader that uses a domain generation algorithm to find its C2 and reflectively loads follow-on modules in memory,"

Command and Control

2 techniques

T1105Ingress Tool TransferEvidence1

The Lorem Ipsum Loader is designed to retrieve the next-stage Lorem Ipsum Backdoor from C2 infrastructure...

T1568.002Domain Generation AlgorithmsEvidence1

Potemkin loader is a "custom x64 loader that uses a domain generation algorithm to find its C2..."

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

the hacker newsNews

Jun 16, 2026

ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

A custom x64 loader delivered via MSI and HTA that uses a domain generation algorithm to locate C2, writes a UUID to disk for victim identification, polls for tasks, retrieves DLLs, and reflectively loads follow-on modules in memory while protecting communications with a custom byte cipher.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.