MalwareRansomwareUsed by 4 actors

Lorem Ipsum

Also known asLorem Ipsum BackdoorLorem Ipsum Loader

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Vanilla Tempest

The Lorem Ipsum Loader is designed to retrieve the next-stage Lorem Ipsum Backdoor from C2 infrastructure obtained from attacker-controlled profiles hosted on social networking platforms. | The Click Fix technique has also been observed in an active campaign that uses at least five compromised WordPress sites as a starting point to deliver a nascent loader, and backdoor codenamed Lorem Ipsum Loader.

via the hacker newsthehackernews.com

Rapid Brigantine

via the hacker newsthehackernews.com

Fox Tempest

The Click Fix technique has also been observed in an active campaign that uses at least five compromised WordPress sites as a starting point to deliver a nascent loader, and backdoor codenamed Lorem Ipsum Loader.

via the hacker newsthehackernews.com

Forging Marauder

via the hacker newsthehackernews.com

MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

3 techniques

T1584.001DomainsEvidence1

For the new ClickFix delivery model, Lorem Ipsum's operator is currently using at least five legitimate but compromised WordPress websites to host its ClickFix lures.

T1584.006Web ServicesEvidence1

...an active campaign that uses at least five compromised WordPress sites as a starting point to deliver a nascent loader...

T1608.006SEO PoisoningEvidence1

The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates.

Initial Access

1 technique

T1566.002Spearphishing LinkEvidence1

An injected iframe on the website displays a fake browser update notification about the user's browser being out of date.

Execution

3 techniques

T1059.001PowerShellEvidence1

Running that command silently downloads and executes the Lorem Ipsum malware in the background while displaying a fake success message

T1059.007JavaScriptEvidence1

...downloads a ZIP file and an outdated version of Node.js released in 2017 (version 7.10.1) to execute JavaScript-based payloads present within the archive...

T1204.003Malicious ImageEvidence1

the pop-op instructs the user to paste a provided PowerShell command, disguised as a Microsoft Edge security intelligence update, into their Windows Terminal.

Persistence

1 technique

T1547Boot or Logon Autostart ExecutionEvidence1

...including a batch script that sets up persistence by launching a DLL side-loading chain to execute a malicious DLL...

Privilege Escalation

1 technique

T1547Boot or Logon Autostart ExecutionEvidence1

...including a batch script that sets up persistence by launching a DLL side-loading chain to execute a malicious DLL...

Stealth

1 technique

T1036MasqueradingEvidence1

The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates.

Command and Control

2 techniques

T1102.001Dead Drop ResolverEvidence1

abused the legitimate Indian blogging platform LetsDiskuss[.]com as a dead-drop to retrieve C2 server addresses.

T1105Ingress Tool TransferEvidence1

The Lorem Ipsum Loader is designed to retrieve the next-stage Lorem Ipsum Backdoor from C2 infrastructure...

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Jun 16, 2026

ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

A JavaScript-delivered loader/backdoor distributed through compromised WordPress sites and ClickFix lures. It uses an outdated Node.js runtime, establishes persistence through DLL side-loading, decodes an embedded payload, and retrieves the next-stage Lorem Ipsum Backdoor from attacker-controlled social-network profiles and C2 infrastructure.

dark readingNews

Jun 16, 2026

'Lorem Ipsum' Malware Pivots to ClickFix Delivery

A multistage shellcode loader and backdoor delivered first via Trojanized Microsoft Teams installers and later via ClickFix lures on compromised WordPress sites. It uses DLL sideloading, encrypted payloads, and a dead-drop C2 mechanism via LetsDiskuss[.]com to retrieve command-and-control server addresses, and assigns unique identifiers to track victim infections.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution4

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.