Termite ransomware breaches linked to ClickFix CastleRAT attacks
Velvet Tempest Unleashes Devastating ClickFix Attack: The Ransomware Threat That’s Evolving Faster Than Ever
In a chilling demonstration of how ransomware operations are becoming increasingly sophisticated, the notorious Velvet Tempest threat group—responsible for some of the most destructive ransomware campaigns in recent years—has deployed a cutting-edge ClickFix technique to infiltrate corporate networks and deploy the CastleRAT backdoor.
This isn’t just another ransomware story. This is a wake-up call for every organization that thinks they’re prepared for modern cyber threats.
The Anatomy of a Modern Ransomware Nightmare
Between February 3 and 16, 2025, cybersecurity researchers at MalBeacon watched in real time as Velvet Tempest, also tracked under the designation DEV-0504, orchestrated a 12-day assault on a meticulously crafted replica of a U.S. non-profit organization. The simulated environment contained over 3,000 endpoints and 2,500 users, providing the perfect laboratory to observe one of the most dangerous ransomware operations currently active.
What makes this attack particularly alarming is the group’s pedigree. Velvet Tempest has been linked to deploying ransomware strains that have caused billions in damages globally:
- Ryuk (2018-2020): The pioneer of targeted ransomware attacks
- REvil/Sodinokibi (2019-2022): Responsible for the Kaseya VSA attack affecting thousands of businesses
- Conti (2019-2022): The Russia-aligned group that caused widespread disruption
- BlackMatter (2021-2022): The successor to DarkSide that hit critical infrastructure
- BlackCat/ALPHV (2021-2024): The first major ransomware written in Rust
- LockBit (ongoing): Currently the most active ransomware family
- RansomHub (2024-present): The new kid on the block causing fresh havoc
The ClickFix Deception: Social Engineering at Its Finest
The attack began with what appears to be a malvertising campaign—malicious online advertisements designed to trick users into clicking. But this wasn’t your typical phishing attempt. Velvet Tempest employed a sophisticated ClickFix technique combined with CAPTCHA challenges that would fool even security-conscious users.
The malicious webpage presented users with what appeared to be a legitimate security check, complete with a CAPTCHA verification. However, the real trap was hidden in plain sight: victims were instructed to copy and paste an obfuscated command into the Windows Run dialog box—a legitimate Windows feature that most users trust.
This is where the brilliance (and danger) of the attack becomes apparent. By leveraging a legitimate Windows function, the attackers bypassed many traditional security measures. The pasted command triggered nested cmd.exe chains—essentially a series of hidden commands that executed automatically without the user’s knowledge.
The Payload Delivery System: A Masterclass in Stealth
Once the initial ClickFix payload was executed, the attack chain kicked into high gear. The command used finger.exe, a legitimate Windows utility for querying user information from a remote host over the finger protocol, to fetch the first malware loaders. One of these payloads was particularly deceptive: an archive file disguised as a PDF document.
This level of obfuscation demonstrates how threat actors are constantly evolving their techniques to evade detection. By masquerading malicious files as legitimate documents, they increase the likelihood that unsuspecting users or even security systems will allow them through.
PowerShell: The Attacker’s Best Friend
The attack’s sophistication truly shines in the PowerShell execution phase. Velvet Tempest used PowerShell scripts to download and execute additional commands, compiling .NET components using csc.exe (the Visual C# compiler) in temporary directories. This technique of using legitimate development tools for malicious purposes is becoming increasingly common among advanced threat actors.
The PowerShell scripts also deployed Python-based components for persistence in the C:\ProgramData directory, which is writable by standard users by default and is where legitimate software routinely keeps its data, so files dropped there attract little suspicion. This persistence mechanism ensures that even if some components are detected and removed, the attackers maintain a foothold in the compromised network.
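The process chain described above (a shell spawned from the Run dialog with nested cmd.exe invocations, finger.exe reaching out to a remote host, csc.exe compiling in a temp directory, and a Python interpreter living under C:\ProgramData) is exactly what process-creation telemetry can surface. The following detection sketch is an added example, not code from the MalBeacon report; the event records are constructed in the shape of Sysmon/EDR process-creation events, and the rule names, file paths and host names are assumptions.

```python
"""Detection sketch for the ClickFix -> finger.exe -> csc.exe/ProgramData chain.

Added example, not from the MalBeacon report. Events are constructed to mimic
process-creation telemetry: (parent image, image, command line).
"""
import re

# Constructed sample events; paths, user names and hosts are illustrative.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c cmd /c finger user@example.invalid"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\finger.exe",
     "finger user@example.invalid"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "csc.exe /out:C:\\Users\\u\\AppData\\Local\\Temp\\x.dll "
     "C:\\Users\\u\\AppData\\Local\\Temp\\x.cs"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\ProgramData\\py\\python.exe",
     "python.exe C:\\ProgramData\\py\\run.py"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe"),
]

RULES = [
    # Run dialog runs under explorer.exe; two or more cmd tokens = nested chain.
    ("clickfix_run_dialog_shell",
     lambda p, i, c: p.lower().endswith("\\explorer.exe")
        and i.lower().endswith(("\\cmd.exe", "\\powershell.exe"))
        and len(re.findall(r"\bcmd(\.exe)?\b", c, re.I)) >= 2),
    # finger.exe contacting a remote host (user@host form) is rare on endpoints.
    ("finger_remote_fetch",
     lambda p, i, c: i.lower().endswith("\\finger.exe") and "@" in c),
    # The C# compiler writing or reading sources in a Temp directory.
    ("csc_compile_in_temp",
     lambda p, i, c: i.lower().endswith("\\csc.exe")
        and re.search(r"\\temp\\", c, re.I) is not None),
    # A Python interpreter executing from C:\ProgramData.
    ("interpreter_in_programdata",
     lambda p, i, c: i.lower().startswith("c:\\programdata\\")
        and i.lower().endswith(("\\python.exe", "\\pythonw.exe"))),
]

def match_rules(event):
    """Return the names of every rule the event trips (empty list if benign)."""
    parent, image, cmdline = event
    return [name for name, pred in RULES if pred(parent, image, cmdline)]

def triage(events):
    """Map rule name -> list of offending command lines across the stream."""
    hits = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(name, []).append(ev[2])
    return hits

if __name__ == "__main__":
    for rule, lines in triage(SAMPLE_EVENTS).items():
        print(rule, "->", lines)
```

Each rule alone is noisy in a developer-heavy estate; the value is in correlating two or more of them on the same host within a short window.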
DonutLoader and CastleRAT: The Deadly Duo
The ultimate payload of this attack chain was the deployment of DonutLoader—a sophisticated malware loader known for its ability to execute .NET assemblies directly from memory, making it extremely difficult to detect using traditional antivirus solutions.
Alongside DonutLoader, Velvet Tempest retrieved CastleRAT, a remote access trojan associated with the CastleLoader malware loader family. CastleRAT is particularly concerning because it’s part of an ecosystem that distributes multiple families of remote access trojans and information stealers, including the notorious LummaStealer.
LummaStealer has been responsible for numerous high-profile breaches, capable of stealing credentials, cryptocurrency wallets, and other sensitive information. The fact that Velvet Tempest is using infrastructure and techniques associated with this malware ecosystem suggests a level of sophistication and resourcefulness that should concern every security professional.
The Termite Connection: A Ransomware Family on the Rise
What makes this attack chain particularly noteworthy is its connection to Termite ransomware. The PowerShell script used to harvest Chrome credentials was hosted on an IP address linked to tool staging for Termite ransomware intrusions. Termite has already claimed high-profile victims, including:
- Blue Yonder: A major SaaS provider serving Fortune 500 companies
- Genea: An Australian IVF giant handling extremely sensitive medical data
While Velvet Tempest is typically associated with double-extortion attacks—where victim systems are encrypted after stealing company data—MalBeacon’s report notes that the threat actor did not deploy the Termite ransomware in this observed intrusion. This suggests that Velvet Tempest may be testing new techniques or reserving Termite for specific high-value targets.
The Broader Threat Landscape: ClickFix Goes Mainstream
The use of ClickFix techniques by Velvet Tempest isn’t an isolated incident. In April 2025, Sekoia reported that the Interlock ransomware gang used similar social engineering methods to breach corporate networks. This indicates a troubling trend: sophisticated social engineering techniques are becoming mainstream among ransomware groups.
The effectiveness of ClickFix lies in its exploitation of human trust. By instructing users to perform what appears to be a legitimate security action (copying and pasting commands), attackers bypass many technical security controls. This human-centric attack vector is particularly dangerous because it exploits the fundamental weakness in any security system: the human element.
What This Means for Your Organization
The Velvet Tempest attack demonstrates several critical lessons for cybersecurity professionals:
- Traditional defenses are insufficient: Signature-based antivirus and basic network monitoring likely wouldn’t detect this attack chain, given its use of legitimate Windows utilities and file types.
- User education is more critical than ever: Even technically savvy users can fall victim to sophisticated social engineering that leverages legitimate system functions.
- Defense in depth is essential: This attack bypassed many single-layer defenses, highlighting the need for multiple, overlapping security controls.
- Threat intelligence matters: Understanding the tactics, techniques, and procedures (TTPs) of groups like Velvet Tempest is crucial for developing effective defenses.
- Incident response planning is non-negotiable: The 12-day timeline of this attack shows that once threat actors gain access, they take time to establish persistence and move laterally, providing a window for detection and response.
The Road Ahead: An Escalating Threat Landscape
As ransomware groups continue to evolve their techniques, organizations must adapt their defenses accordingly. The Velvet Tempest attack represents a new level of sophistication in ransomware operations, combining social engineering, legitimate tool abuse, and advanced malware delivery systems.
The question isn’t whether your organization will face a sophisticated ransomware attack—it’s when. And attacks like this one from Velvet Tempest show that the threat actors are constantly raising the bar, developing new techniques faster than many organizations can adapt their defenses.
In the cat-and-mouse game of cybersecurity, Velvet Tempest has just shown us a new trick. The only question is: are you prepared for what comes next?
Tags: Velvet Tempest, ClickFix, ransomware, CastleRAT, DonutLoader, cyber attack, malware, security breach, threat intelligence, DEV-0504, Termite ransomware, social engineering, PowerShell attack, Windows security, cybersecurity threat