MalwareRansomwareUsed by 2 actors

Lorem Ipsum

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Vanilla Tempest

Microsoft's disruption of malware-signing-as-a-service provider Fox Tempest last month has forced the operators of the Lorem Ipsum shellcode loader and backdoor to abandon their delivery method of Trojanized Microsoft Teams installers in favor of ClickFix lures.

via dark readingdarkreading.com

Rapid Brigantine

via dark readingdarkreading.com

MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques

T1584.001DomainsEvidence1

For the new ClickFix delivery model, Lorem Ipsum's operator is currently using at least five legitimate but compromised WordPress websites to host its ClickFix lures.

T1608.006SEO PoisoningEvidence1

The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates.

Initial Access

1 technique

T1566.002Spearphishing LinkEvidence1

An injected iframe on the website displays a fake browser update notification about the user's browser being out of date.

Execution

2 techniques

T1059.001PowerShellEvidence1

Running that command silently downloads and executes the Lorem Ipsum malware in the background while displaying a fake success message

T1204.003Malicious ImageEvidence1

the pop-op instructs the user to paste a provided PowerShell command, disguised as a Microsoft Edge security intelligence update, into their Windows Terminal.

Stealth

1 technique

T1036MasqueradingEvidence1

The Lorem Ipsum campaign initially relied on SEO poisoning to lure users into downloading Trojanized Microsoft Teams installers signed with valid Microsoft Trusted Signing certificates.

Command and Control

1 technique

T1102.001Dead Drop ResolverEvidence1

abused the legitimate Indian blogging platform LetsDiskuss[.]com as a dead-drop to retrieve C2 server addresses.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

dark readingNews

Jun 16, 2026

'Lorem Ipsum' Malware Pivots to ClickFix Delivery

A multistage shellcode loader and backdoor delivered first via Trojanized Microsoft Teams installers and later via ClickFix lures on compromised WordPress sites. It uses DLL sideloading, encrypted payloads, and a dead-drop C2 mechanism via LetsDiskuss[.]com to retrieve command-and-control server addresses, and assigns unique identifiers to track victim infections.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.