Twelve days. That’s how long researchers watched Velvet Tempest move through a replica network before the group fully revealed its toolkit.
The emulated environment, built by cyber-deception intelligence firm MalBeacon, modeled a U.S. non-profit with more than 3,000 endpoints and over 2,500 users. Between February 3 and 16, researchers observed the threat actor — also tracked as DEV-0504 — conducting hands-on operations that connected Termite ransomware infrastructure to a fresh delivery chain built around ClickFix social engineering and the CastleRAT backdoor.
The entry point was a malvertising campaign. Victims encountered a ClickFix and CAPTCHA combination that instructed them to paste an obfuscated command into the Windows Run dialog. That single action triggered nested cmd.exe chains, with the built-in Windows utility finger.exe used to fetch the first-stage malware loaders — a technique that abuses a legitimate system tool to avoid raising immediate flags.
From Chrome credentials to CastleRAT
One payload arrived as an archive file disguised as a PDF. From there, the operation escalated through PowerShell commands that fetched additional payloads, compiled .NET components using csc.exe in temporary directories, and dropped Python-based components for persistence inside C:\ProgramData. The group also ran a PowerShell script to harvest credentials stored in Chrome — a script hosted on an IP address that MalBeacon linked directly to tool staging for Termite ransomware intrusions.
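The chain described in the two passages above (Run-dialog paste, nested cmd.exe, finger.exe as a fetcher, csc.exe compiling in temp directories, Python dropped under C:\ProgramData) leaves a recognizable parent/child footprint in process-creation telemetry. The following is an added detection example written for this summary, not code from MalBeacon or the original report. It runs three triage rules over constructed Sysmon-style process-creation events (the pids, paths and the 203.0.113.5 address are made up; the command lines are abbreviated) and includes a benign developer build from a console as a control that must not be flagged.

```python
"""Triage rules for the ClickFix -> finger.exe -> csc.exe/ProgramData chain.

Added example; the events below are constructed, not real telemetry.
"""
import ntpath
from typing import Dict, List, Tuple

# Constructed process-creation events in a Sysmon-like shape:
# pid/ppid are process ids, "image" is the full executable path.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # A Run-dialog paste starts its command tree under explorer.exe,
    # here as nested cmd.exe processes (arguments abbreviated).
    {"pid": 5320, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmd": 'cmd.exe /c "..."'},
    {"pid": 5344, "ppid": 5320, "image": r"C:\Windows\System32\cmd.exe", "cmd": 'cmd.exe /c "..."'},
    # finger.exe used to fetch the first-stage loader (constructed address).
    {"pid": 5360, "ppid": 5344, "image": r"C:\Windows\System32\finger.exe",
     "cmd": "finger.exe user@203.0.113.5"},
    {"pid": 6012, "ppid": 5344,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe ..."},
    # csc.exe compiling a .NET component out of a user's temp directory.
    {"pid": 6030, "ppid": 6012, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r"csc.exe /out:C:\Users\alice\AppData\Local\Temp\x.dll C:\Users\alice\AppData\Local\Temp\x.cs"},
    # A Python interpreter running from C:\ProgramData (persistence component).
    {"pid": 6100, "ppid": 6012, "image": r"C:\ProgramData\svc\python.exe",
     "cmd": r"python.exe C:\ProgramData\svc\run.py"},
    # Benign control: a developer builds a project from an ordinary console.
    {"pid": 7000, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 7010, "ppid": 7000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"},
]

# Lower-cased path fragments that identify temp directories in a command line.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path: str) -> str:
    """Lower-cased executable name from a Windows path (works on any host)."""
    return ntpath.basename(path).lower()


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Image basenames from the process itself up to the oldest known ancestor."""
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return chain


def triage(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event matching one of the three rules."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        name = basename(ev["image"])
        cmd = ev["cmd"].lower()
        chain = ancestry(ev["pid"], by_pid)
        # Rule 1: finger.exe launched through a cmd.exe chain rooted at
        # explorer.exe, the parent of anything started from the Run dialog.
        if name == "finger.exe" and "cmd.exe" in chain[1:] and chain[-1] == "explorer.exe":
            hits.append((ev["pid"], "finger_fetch_via_run_dialog"))
        # Rule 2: the .NET compiler reading sources or writing output in a temp directory.
        if name == "csc.exe" and any(m in cmd for m in TEMP_MARKERS):
            hits.append((ev["pid"], "csc_compile_in_temp"))
        # Rule 3: a Python interpreter executing from C:\ProgramData.
        if name.startswith("python") and ev["image"].lower().startswith("c:\\programdata\\"):
            hits.append((ev["pid"], "python_from_programdata"))
    return hits


if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 keys on the process tree rather than on the exact command line, so rewording the pasted command does not evade it; rule 2 is the one most likely to need tuning, since some build tooling legitimately compiles in temp directories, which is why the control build from C:\src is included to show the rule stays quiet on a normal developer path.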
The operation’s final payload combination was DonutLoader and CastleRAT, a remote access trojan connected to the CastleLoader malware loader. According to the report, CastleLoader has previously been used to distribute multiple RAT families and information stealers, including LummaStealer. Active Directory reconnaissance and host discovery preceded all of this — the group profiled the environment before deploying anything.
Notably, Velvet Tempest did not deploy Termite ransomware during the observed intrusion, even though the infrastructure ties were present. The group is typically associated with double-extortion operations, where data is stolen before systems are encrypted.
Five years across six ransomware families
The actor’s history stretches back at least five years. Velvet Tempest has operated as an affiliate across some of the most active ransomware programs of the past decade: Ryuk (2018–2020), REvil (2019–2022), Conti (2019–2022), BlackMatter, BlackCat/ALPHV (2021–2024), LockBit, and RansomHub. Termite ransomware itself has previously claimed Blue Yonder, a SaaS provider, and Genea, an Australian IVF company, among its victims.
Velvet Tempest is not alone in adopting ClickFix as an intrusion method. The Interlock ransomware gang used the same social engineering technique to breach corporate networks, according to a report from Sekoia published in April 2025.
This article is a curated summary based on third-party sources.