MalwareRansomwareUsed by 1 actor

BabaDeda Loader

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

BabaDeda

Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader, Lorem Ipsum Loader, and Potemkin... Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations.

via the hacker newsthehackernews.com

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1059.001PowerShellEvidence1

The starting point of the attacks is a ClickFix social engineering attack that deceives users into running attacker-supplied PowerShell commands to deliver the loader...

Privilege Escalation

1 technique

T1055Process InjectionEvidence1

The loader is designed to profile the host... before retrieving the main payload and injecting it into a trusted Windows process such as "svchost.exe."

Stealth

4 techniques

T1036MasqueradingEvidence1

Earlier BabaDeda activity was known for concealing malicious payloads inside legitimate looking installer packages...

T1055Process InjectionEvidence1

The loader is designed to profile the host... before retrieving the main payload and injecting it into a trusted Windows process such as "svchost.exe."

T1497.001System ChecksEvidence1

The loader is designed to profile the host, avoid running on Russian or Belarusian systems, and perform security product-related checks...

T1620Reflective Code LoadingEvidence1

...used to drop information stealers and remote access trojans (RATs) by combining well-known techniques like hidden PowerShell, in-memory shellcode, DLL side-loading, and external payload storage.

Discovery

1 technique

T1497.001System ChecksEvidence1

The loader is designed to profile the host, avoid running on Russian or Belarusian systems, and perform security product-related checks...

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

the hacker newsNews

Jun 16, 2026

ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

A stealth-focused malware loader delivered via ClickFix social engineering. It uses hidden PowerShell, in-memory shellcode, DLL side-loading, and external payload storage to retrieve and inject payloads into trusted Windows processes after profiling the host and checking for security products.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.