Cyber: Termite Ransomware Breaches Linked To ClickFix CastleRAT Attacks
Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. Researchers at cyber-deception threat intelligence firm MalBeacon observed the hackers' actions in an emulated organization environment over a period of 12 days.

Velvet Tempest, also tracked as DEV-0504, is a threat group that has been involved in ransomware attacks as an affiliate for at least five years. The actor has been associated with deploying some of the most devastating ransomware strains: Ryuk (2018-2020), REvil (2019-2022), Conti (2019-2022), BlackMatter, BlackCat/ALPHV (2021-2024), LockBit, and RansomHub.

The attack was observed by MalBeacon between February 3 and 16 in a replica environment for a non-profit organization in the U.S. with more than 3,000 endpoints and over 2,500 users. After obtaining access, Velvet Tempest operators performed hands-on-keyboard activities, including Active Directory reconnaissance, host discovery, and environment profiling, as well as using a PowerShell script to harvest credentials stored in Chrome. The script was hosted on an IP address that researchers linked to tool staging for Termite ransomware intrusions.

According to the researchers, Velvet Tempest gained initial access through a malvertising campaign that led to a ClickFix lure combined with a CAPTCHA prompt, which instructed victims to paste an obfuscated command into the Windows Run dialog. The pasted command triggered nested cmd.exe chains and used finger.exe to fetch the first malware loaders. One of the payloads was an archive file disguised as a PDF file. In subsequent stages, Velvet Tempest used PowerShell to download and execute commands that fetched additional payloads, compiled .NET components via csc.exe in temporary directories, and deployed Python-based components for persistence in C:\ProgramData.
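The chain described above (nested cmd.exe, finger.exe as a downloader, csc.exe compiling in temp directories, Python persistence under C:\ProgramData) is unusually visible in process-creation telemetry. The following is an added example, not code from the article or from MalBeacon: a small triage script that runs four detection rules over constructed process-creation events. The field names are an assumption loosely modelled on Sysmon Event ID 1, the sample events and the 203.0.113.10 address are constructed, and nothing in it is a real indicator from the intrusion.

```python
"""Process-creation triage for the Velvet Tempest / ClickFix chain described
in the article. Added example, not the article's or MalBeacon's code.
Event fields are an assumption loosely modelled on Sysmon Event ID 1."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the new process image
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _mentions_temp(text: str) -> bool:
    """True if a path or command line references a temp directory."""
    t = text.lower()
    return "\\temp\\" in t or "\\tmp\\" in t


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Apply the four rules to a batch of process-creation events."""
    alerts: List[Alert] = []
    for ev in events:
        img = _basename(ev.image)
        parent = _basename(ev.parent_image)

        # Rule 1: nested cmd.exe chains (cmd.exe spawning cmd.exe), the shape
        # produced by an obfuscated command pasted into the Run dialog.
        if parent == "cmd.exe" and img == "cmd.exe":
            alerts.append(Alert(ev.host, "nested_cmd", ev.command_line))

        # Rule 2: finger.exe used as a downloader. The legacy finger client has
        # almost no legitimate use on modern hosts, so any launch merits review.
        if img == "finger.exe":
            alerts.append(Alert(ev.host, "finger_download",
                                f"parent={parent} cmd={ev.command_line}"))

        # Rule 3: csc.exe compiling into a temp directory under PowerShell.
        # Caveat: PowerShell's Add-Type yields the same pattern, so baseline
        # legitimate administration scripts before paging on this alone.
        if (img == "csc.exe" and parent in ("powershell.exe", "pwsh.exe")
                and _mentions_temp(ev.command_line)):
            alerts.append(Alert(ev.host, "csc_temp_compile", ev.command_line))

        # Rule 4: a Python interpreter running out of C:\ProgramData, the
        # persistence location named in the article.
        if (img in ("python.exe", "pythonw.exe")
                and ev.image.lower().startswith("c:\\programdata\\")):
            alerts.append(Alert(ev.host, "programdata_python", ev.image))
    return alerts


def score_hosts(alerts: List[Alert]) -> Dict[str, int]:
    """Count distinct rules fired per host; several rules on one host is the
    chain, one rule alone may be noise."""
    per_host: Dict[str, set] = {}
    for a in alerts:
        per_host.setdefault(a.host, set()).add(a.rule)
    return {h: len(rules) for h, rules in per_host.items()}


# Constructed sample telemetry (not real IoCs; 203.0.113.0/24 is documentation space).
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c cmd.exe /c echo stage1"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c echo stage1"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\finger.exe",
              r"finger.exe stage@203.0.113.10"),
    ProcEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /nologo /out:C:\Users\alice\AppData\Local\Temp\x.dll C:\Users\alice\AppData\Local\Temp\x.cs"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\svc\python.exe",
              r"python.exe C:\ProgramData\svc\run.py"),
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(score_hosts(detect(SAMPLE_EVENTS)))
```

Run against the constructed events, the first (explorer.exe spawning cmd.exe) and last (notepad.exe) events produce nothing, while the four middle events each trip one rule, so `score_hosts` reports WS01 with all four rules. In a real deployment the host-level score is the useful signal: rule 3 on its own is noisy because of Add-Type, but a host that also launched finger.exe and a ProgramData-resident Python interpreter in the same window matches the chain the article describes.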
Source: BleepingComputer