Malware Activity
ClickFix Campaigns Evolve to Deliver New Malware Loaders and Enable Ransomware Intrusions
Cybersecurity researchers have identified multiple active ClickFix campaigns delivering newly documented malware loaders (BabaDeda Loader, Lorem Ipsum Loader, and Potemkin), highlighting the continued effectiveness and evolution of ClickFix social engineering attacks. The campaigns rely on deceptive prompts that trick users into executing malicious PowerShell commands, ultimately deploying information stealers, RATs, and ransomware-related tooling. BabaDeda Loader, linked to the long-running BabaDeda crypter service, targets education and financial organizations using stealth techniques such as in-memory shellcode execution, DLL side-loading, and externally stored payloads to deliver stealers and backdoors capable of extensive data theft and remote control. Separately, compromised WordPress sites are being used to distribute Lorem Ipsum Loader, which has been attributed with high confidence to the financially motivated threat actor Vanilla Tempest (also known as Rapid Brigantine/Vice Society) and serves as a precursor to ransomware deployments including Rhysida. A third campaign leverages the Potemkin loader to deploy EtherRAT and RMMProject, enabling browser credential theft, remote access, lateral movement, and persistent access through tools such as Cloudflare Tunnel and Chisel. Researchers note that these campaigns illustrate a broader trend toward modular malware ecosystems that separate delivery, storage, execution, and payload deployment, while underscoring the enduring success of ClickFix as an initial access technique that exploits user trust rather than software vulnerabilities.
Threat Actor Activity
French Firm Attacked by Hacker Using Agents to Auto-Reconnect to Server After C2 Cut Off
A French-speaking attacker, nicknamed “Poisson,” hacked a small French automotive business, planted a simple Python keylogger, and stole banking and email credentials. The intrusion used an in-memory Havoc Demon implant chain launched via VBScript and PowerShell, persistence through a high-privilege scheduled task and shellcode in Explorer.exe, plus a custom RustDesk backup channel. Poisson later installed OpenSSH Server and Tailscale, joined the victim machine to his private Tailscale network, and set up key-based SSH with a reverse tunnel. When his Havoc command-and-control (C2) server went offline, Tailscale access remained, allowing agents to reconnect automatically eighteen (18) days later when the C2 came back online. Despite sloppy tradecraft such as leaking his home directory, naming buckets after his handle, and failing at many other actions, he still compromised four (4) machines. CTIX Analysts recommend that organizations and defenders hunt for quiet persistence such as OpenSSH, Tailscale, suspicious scheduled tasks, and powercfg changes rather than assuming that killing C2 equals remediation. Attackers can still use legitimate, signed tools to outlive C2 takedowns.
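The following host-side hunt is an added example, not code from the briefing or from any of the tools it names: it checks a single Windows host for the quiet persistence the analysts recommend looking for (OpenSSH Server, Tailscale, high-privilege scheduled tasks that launch a script host, SSH authorized_keys files, a tcp/22 listener, and sleep disabled via powercfg). It assumes an elevated PowerShell 5.1+ session; the service names `sshd` and `Tailscale` and the "never sleep" powercfg check are assumptions about what such persistence looks like.

```powershell
# Added example: hunt one Windows host for the quiet persistence described above.
# Assumptions: elevated PowerShell 5.1+, service names 'sshd'/'Tailscale', and
# "sleep = never" as the powercfg change of interest.
function Invoke-QuietPersistenceHunt {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($cat, $item, $detail) {
        $findings.Add([pscustomobject]@{ Category = $cat; Item = $item; Detail = $detail })
    }

    # 1. OpenSSH Server / Tailscale services installed, whether running or not
    foreach ($name in 'sshd', 'ssh-agent', 'Tailscale') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { Add-Finding 'Service' $name $svc.Status }
    }

    # 2. authorized_keys files: key-based SSH access survives a C2 takedown
    $keyFiles = @("$env:ProgramData\ssh\administrators_authorized_keys") +
        (Get-ChildItem "$env:SystemDrive\Users\*\.ssh\authorized_keys" -ErrorAction SilentlyContinue).FullName
    foreach ($f in $keyFiles) {
        if ($f -and (Test-Path $f)) {
            $keys = @(Get-Content $f | Where-Object { $_ -match '^\s*(ssh-|ecdsa-)' })
            Add-Finding 'AuthorizedKeys' $f "$($keys.Count) key(s); modified $((Get-Item $f).LastWriteTime)"
        }
    }

    # 3. SYSTEM or highest-privilege scheduled tasks whose action is a script host
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $elevated = ($task.Principal.RunLevel -eq 'Highest') -or ($task.Principal.UserId -match 'SYSTEM')
        if (-not $elevated) { return }
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'powershell|pwsh|wscript|cscript|mshta|cmd(\.exe)?$') {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
            }
        }
    }

    # 4. Anything listening on tcp/22 (sshd or something standing in for it)
    Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'Listener' "tcp/$($_.LocalPort)" "$($proc.ProcessName) (PID $($_.OwningProcess))"
    }

    # 5. Sleep timeout set to never on AC power, which keeps a backdoored host reachable
    $sleep = (powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 2>$null) -join "`n"
    if ($sleep -match 'Current AC Power Setting Index:\s*0x0+\b') {
        Add-Finding 'PowerConfig' 'STANDBYIDLE (AC)' 'sleep timeout set to never'
    }
    return $findings
}

Invoke-QuietPersistenceHunt | Format-Table -AutoSize
```

Each finding is a lead to triage against a known-good baseline, not a verdict: legitimately deployed OpenSSH or Tailscale will show up here too, so compare against change records and installation dates.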
Vulnerabilities
Actively Exploited Joomla JCE Vulnerability Added to CISA KEV as Automated Attacks Deploy Persistent Web Shells
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to urgently patch an actively exploited critical vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin. The flaw, tracked as
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
