Loader | Breaking Cybersecurity News | The Hacker News

Category — Loader
ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

Jun 16, 2026 Malware / Endpoint Security
Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, per independent reports from Morphisec, BlueVoyant, and Huntress, respectively. Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations. "Earlier BabaDeda activity was known for concealing malicious payloads inside legitimate looking installer packages," Morphisec researcher Shmuel Uzan said. "This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility." The starting point of the attacks is a ClickFix social engineering attack that deceives users into running attacker-supplied PowerShell commands to deliver the loader, which is then used to drop information stealers and remote access trojans (RATs) by combining well-known techniques like hidden PowerShell, i...
GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites

Nov 11, 2025 Malware / Network Security
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. "GootLoader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames," security researcher Anna Pham said, adding the malware "exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file." GootLoader, affiliated with a threat actor tracked as Hive0127 (aka UNC2565), is a JavaScript-based malware loader that's often distributed via search engine optimization (SEO) poisoning tactics to deliver additional payloads, including ransomware. In a report published last September, Microsoft revealed the th...