BlueVoyant and other researchers reported that the Lorem Ipsum malware operation abandoned Trojanized Microsoft Teams installers signed with fraudulent Microsoft Trusted Signing certificates and moved to ClickFix lures hosted on compromised WordPress sites. The change followed Microsoft’s disruption of the Fox Tempest malware-signing-as-a-service ecosystem and revocation of more than 1,000 fraudulently obtained certificates, which undercut the group’s earlier delivery method. BlueVoyant assessed with high confidence that the activity is tied to Rapid Brigantine—also tracked as Vanilla Tempest, DEV-0832, and Vice Society—a financially motivated actor linked to ransomware and data extortion.
The updated infection chain uses fake browser updates or CAPTCHA-style prompts to socially engineer victims into running malicious commands, expanding targeting beyond users searching for fake Teams downloads. Researchers said the malware relies on a multistage loader, DLL sideloading, encrypted payloads, and dead-drop command-and-control through LetsDiskuss[.]com, while parallel ClickFix campaigns have also delivered loaders such as BabaDeda, Potemkin, and GULoader using in-memory execution and remote DLL loading via rundll32.exe. The reporting underscores ClickFix as a durable initial-access technique on compromised websites that can lead to stealers, RATs, remote management tools, and hands-on-keyboard post-compromise activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
Apple added a warning in macOS Tahoe 26.4 about pasting commands into Terminal in response to the durability of ClickFix-style social engineering. The change was highlighted as a defensive response affecting macOS users.
Researchers reported multiple ClickFix-driven malware campaigns in 2026 delivering BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. The campaigns used social engineering to get users to run malicious commands and then deployed modular loaders for stealers, RATs, and follow-on tooling.
BlueVoyant assessed with high confidence that the Lorem Ipsum activity is linked to Rapid Brigantine, also known as Vanilla Tempest, DEV-0832, and Vice Society. The reporting described the actor as financially motivated and associated with ransomware and data extortion activity.
In late May 2026, the Lorem Ipsum campaign pivoted from signed fake Teams installers to ClickFix lures hosted on compromised WordPress sites. The new chain used fake browser update prompts and socially engineered PowerShell execution to silently install the malware and broaden the victim pool.
Microsoft disrupted the Fox Tempest malware-signing-as-a-service infrastructure and revoked more than 1,000 fraudulently obtained certificates. BlueVoyant said this action made Lorem Ipsum's prior signed-installer delivery method impractical.
BlueVoyant reported that the Lorem Ipsum malware campaign initially delivered trojanized Microsoft Teams installers signed with fraudulent Microsoft Trusted Signing certificates. This earlier delivery method targeted users seeking fake Teams downloads before the operators changed tactics.
Sicuranext documented a campaign first observed in April 2026 that used compromised WordPress sites, EtherHiding on the BNB Smart Chain Testnet, and a fake CAPTCHA ClickFix lure to trick Windows users into executing a malicious rundll32 command. The infrastructure was attributed to GULoader and designed to execute malware in memory while evading SmartScreen and antivirus tools.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcethehackernews.com
Open sourcebluevoyant.com
Open sourcedarkreading.com
Open sourcebluevoyant.com
Open sourcecookie.engineer
Open sourcesocura.co.uk
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.