Three unrelated crews started delivering malware the same way in a single quarter, and that is the part worth your attention, not any one of the loaders they shipped. A ransomware affiliate, a commodity loader operator, and a fresh malware-as-a-service kit all converged on the same opening move: a fake verification screen that walks the user into opening the Windows Run box with Win+R, dropping in a line of supplied text, and confirming it. The lure is disposable. The paste is the product. ClickFix has stopped being a clever trick and become a shared delivery layer that anyone can rent into, and the way most teams are watching for it points at exactly the wrong artifact.
What actually changed this quarter
The week's reporting bundled three loaders under the ClickFix banner, each surfaced by a different vendor. Morphisec documented BabaDeda, seen since April 2026 against education and finance targets, using PowerShell handed over through a ClickFix prompt and DLL side-loading to stage information stealers and remote-access trojans. BlueVoyant tracked Lorem Ipsum, active since February, which moved off trojanized Teams installers and onto compromised WordPress sites pushing fake Edge update prompts. Huntress detailed Potemkin, caught last month, delivered as an MSI through an HTA payload, with a domain generation algorithm for command-and-control and payloads that strip Chromium's App-Bound Encryption to lift saved browser secrets.
The Lorem Ipsum thread is the one that should make you sit up. BlueVoyant links it to Vanilla Tempest, the crew Microsoft tracks as the rebrand of Vice Society, a group with a long history of deploying Rhysida and other ransomware against schools and hospitals. A ransomware operator and a run-of-the-mill loader-for-hire are now using identical first-stage tradecraft. That is not coincidence. It is a technique that has matured into infrastructure, and the people who used to write their own droppers are skipping that step.
The lure rotates. The execution chain does not.
Most ClickFix coverage fixates on the bait: the fake CAPTCHA, the counterfeit Edge update, the bogus "verify you are human" box. That is a moving target by design. Across these three campaigns alone the front end changed from a Teams installer to a WordPress-hosted browser-update prompt to an MSI dropper, and it will change again next month. If your detection logic keys on the delivery domain or the specific lure text, you are committing to a chase you cannot win. We have watched the same dynamic play out with compromised WordPress sites being used to push malware, where blocking one staging host just moved the payload to the next.
The far end of the attack is stable, because it has to be. ClickFix only works one way: a human, sitting at the keyboard, executes the payload by hand. That leaves a consistent fingerprint on the host. A user-interactive process, almost always explorer.exe, spawns an interpreter (powershell.exe, cmd.exe, or mshta.exe) carrying an encoded or remote argument, within seconds of a clipboard write and a Run-dialog entry. The lure changes weekly; that parent-child relationship and its timing do not. This is the same lesson as any detection that hinges on a single host artifact: pick the part of the attack the operator cannot reshape, and build there, so the rule survives the next rebrand of the front end for free.
Where to put the detection tonight
The single highest-value signal is the Run dialog itself. Every command typed or pasted into Win+R is written to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. On a normal endpoint that key holds cmd, mstsc, maybe notepad. A base64 blob, a powershell -enc string, or an mshta call to a remote URL in RunMRU is not a maybe. It is a near-certain ClickFix hit, and it is one of the few telemetry sources the attacker cannot reshape from the server side.
Stack three more behind it. Alert on any scripting interpreter whose parent is explorer.exe rather than a logon script, scheduled task, or management agent, since legitimate automation almost never launches PowerShell that way. Flag mshta.exe reaching out to a URL, which has almost no honest use on a managed desktop. And watch for an interpreter launching within a few seconds of a browser process writing to the clipboard, the timing tell that separates a paste-and-run from a normal admin session. None of these depend on knowing the lure or the loader, which is the whole point, and they are exactly the kind of host-resident rules that led us to build our detection on Wazuh.
Why "train the users" is the wrong takeaway
The reflex after a social-engineering story is to schedule more awareness training. ClickFix is built to defeat exactly that. As Huntress noted, it works because people follow clear, authoritative-looking instructions, and the victims here are not careless. They are doing what a confident-looking prompt told them to do, the same instinct that makes a good employee responsive. You cannot train that away without training away the behavior you want. It is closer to developer tooling weaponized as a delivery channel, where the abuse rides on a trust the user is supposed to have.
The durable fix is to remove the capability, not to coach the human. Most users have no business pasting anything into a terminal, so constrain it: PowerShell ConstrainedLanguage mode through WDAC or AppLocker, blocking or heavily restricting mshta.exe as a living-off-the-land binary, and policy that stops non-admin accounts from reaching an unrestricted Run dialog at all. Apple shipped its own version of this logic in macOS Tahoe 26.4, which now warns before a user pastes a command into Terminal. That is a tacit admission from a platform vendor that the network and browser layers cannot stop this, so the control has to live at the moment of paste. Defenders on Windows should reach the same conclusion and instrument that moment, instead of waiting for the loader to phone home.
Treat the convergence as the forecast. When a ransomware affiliate and a commodity loader independently adopt the same entry technique inside one quarter, the next quarter brings more tenants on the same platform, not fewer. The teams that detect on the execution chain now will catch the loaders that have not been named yet. The teams still blocklisting fake-CAPTCHA domains will be writing the same rule again in July.