The campaign linked to the 'Lorem Ipsum' malware has shifted its delivery method from Trojanized Microsoft Teams installers to ClickFix lures hosted on compromised WordPress sites. This change was necessitated by Microsoft's disruption of a malware-signing service. Analysts from BlueVoyant observed that the latest method expands the potential victim pool, as it targets users browsing various compromised sites.
The malware operates through a sophisticated mechanism involving DLL sideloading and encrypted payloads, ultimately giving attackers a foothold on victim systems. The campaign is believed to be connected to the Rapid Brigantine cybercriminal group, which has ties to multiple ransomware families. This evolution highlights the resilience of threat actors against operational disruptions and emphasizes the need for enhanced detection strategies focusing on behavioral patterns rather than static indicators.