Multiple ClickFix social engineering campaigns are actively distributing three new malware loaders — BabaDeda, Lorem Ipsum, and Potemkin — targeting education and financial sectors. ClickFix tricks users into manually executing malicious commands by presenting fake error messages or software update prompts. The campaigns have been flagged by three independent security vendors, indicating broad and active threat actor interest in this delivery technique.

Security Architect’s Take: Review and tighten endpoint execution policies to block PowerShell and cmd invocations triggered from browser processes; consider deploying application control rules that prevent users from manually running scripts copied from web pages. Ensure security awareness training explicitly covers ClickFix-style lures, particularly for staff in education and finance verticals.

Original advisory: ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures