'Lorem Ipsum' Malware Pivots to ClickFix Delivery

New analysis shows the campaign, which uses compromised WordPress sites, may be linked to the ransomware and data extortion group Vice Society.

June 16, 2026

Microsoft's disruption of malware-signing-as-a-service provider Fox Tempest last month has forced the operators of the Lorem Ipsum shellcode loader and backdoor to abandon their delivery method of Trojanized Microsoft Teams installers in favor of ClickFix lures.

Researchers at BlueVoyant, who have tracked the Lorem Ipsum campaign since February 2026, observed the shift in late May, just days after Microsoft dismantled the Fox Tempest (aka Forging Marauder) infrastructure and revoked more than 1,000 fraudulently obtained Microsoft Trusted Signing certificates. While the takedown may have temporarily disrupted the threat actors behind Lorem Ipsum, they quickly moved to a new and potentially more dangerous delivery model.

"The loss of certificate supply rendered the previous signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely," BlueVoyant said in its report on Tuesday.