A threat actor tracked as Velvet Tempest was observed using ClickFix social engineering techniques alongside legitimate Windows tools to deploy DonutLoader and CastleRAT malware in a simulated environment. The group, active as a ransomware affiliate for at least five years, has previously been associated with major strains including Ryuk, REvil, Conti, BlackCat, LockBit, and RansomHub. MalBeacon researchers monitored the intrusion over twelve days in a replica U.S. non-profit organization network with thousands of endpoints.
Initial access was achieved through a malvertising campaign combining ClickFix and CAPTCHA lures that instructed victims to paste obfuscated commands into the Windows Run dialog. This triggered nested command chains that used finger.exe to retrieve payloads, including archive files disguised as PDFs. Subsequent stages employed PowerShell downloads, .NET compilation via csc.exe in temporary directories, and Python-based persistence mechanisms in ProgramData folders.
The operation ultimately staged DonutLoader and the CastleRAT backdoor, a remote access trojan previously associated with distributing LummaStealer and other information stealers. While Velvet Tempest is known for double-extortion ransomware attacks, the Termite ransomware was not deployed during this observed intrusion, even though the tooling the group staged has been linked to Termite campaigns. The Termite ransomware brand has claimed recent high-profile victims including SaaS provider Blue Yonder and Australian IVF provider Genea.
Multiple ransomware operations have increasingly adopted ClickFix techniques, with the Interlock gang similarly using this social engineering method for corporate network breaches in April 2025. The observed intrusion demonstrated extensive hands-on activity including Active Directory reconnaissance, host discovery, and credential harvesting from Chrome browsers using PowerShell scripts.
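The tool chain described above (finger.exe fetching payloads, csc.exe compiling in a temp directory, Python persisting under ProgramData, PowerShell touching Chrome's credential store) maps onto a handful of process-creation detections. The following is an added example, not code from MalBeacon or from the intrusion report; the events are constructed, Sysmon-style records with Image, ParentImage and CommandLine fields, and the rule names are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields)
# illustrating the tool chain described above; not captures from the intrusion.
EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"finger.exe user@example-host"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"csc.exe /out:C:\Users\u\AppData\Local\Temp\a.dll C:\Users\u\AppData\Local\Temp\a.cs"},
    {"Image": r"C:\ProgramData\pyenv\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\ProgramData\pyenv\python.exe C:\ProgramData\pyenv\task.py"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -File C:\Users\u\AppData\Local\Temp\c.ps1 "C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\dotnet\msbuild.exe",
     "CommandLine": r"csc.exe /out:C:\Projects\app\bin\app.dll C:\Projects\app\Program.cs"},
]

TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^[A-Z]:\\ProgramData\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names a single process-creation event matches."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    # finger.exe has almost no enterprise use; user@host means a network fetch.
    if image == "finger.exe" and "@" in cmd:
        hits.append("finger_remote_fetch")
    # csc.exe run from a shell (not a build tool) with sources/output under Temp.
    if image == "csc.exe" and parent in SHELLS and TEMP_DIR.search(cmd):
        hits.append("csc_temp_compile")
    # A Python interpreter executing out of ProgramData is an unusual install path.
    if image.startswith("python") and PROGRAMDATA.match(event["Image"]):
        hits.append("python_programdata")
    # "Login Data" is Chrome's saved-credential SQLite file; PowerShell naming it
    # is the browser credential-harvesting step.
    if image in {"powershell.exe", "pwsh.exe"} and "login data" in cmd.lower():
        hits.append("chrome_credential_access")
    return hits

def scan(events):
    # Map event index -> matched rules, keeping only events with hits.
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

The last event (csc.exe launched by msbuild.exe against a project directory) is a benign control that should produce no hit; tune SHELLS and the Temp pattern to your environment's build conventions before deploying.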
