Velvet Tempest ClickFix malvertising campaign

Campaign
First reported
Last updated
Happening score
H score 38
1 unique source, 1 article

Summary

Velvet Tempest ran a malvertising-driven ClickFix operation that used obfuscated Windows commands to gain access and stage payloads, which made the intrusion chain more effective and more visible as an active adversary campaign. The activity was observed over February 3-16 and showed hands-on operator tradecraft against a U.S. nonprofit-like environment with more than 3,000 endpoints and 2,500 users.

Related Happenings

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

Storm-1175 high-velocity zero-day and N-day intrusion campaign

Campaign
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

Hive0163 extortion and ransomware campaign using ClickFix and malvertising

Campaign
First: 12.03.2026 19:02 Last: 12.03.2026 19:02 Sources 1

About this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...

Transparent Tribe AI-assisted implant campaign targeting India

Campaign
First: 06.03.2026 17:11 Last: 06.03.2026 17:11 Sources 1

About this happening: **Transparent Tribe (APT36)** is using **AI-powered coding tools** to mass-produce disposable implants in an active **campaign** targeting the **Indian government**, its embassies...

Timeline

  1. 07.03.2026 18:14 2 articles · 2mo ago

    Velvet Tempest ClickFix malvertising campaign disclosed

    Initial Disclosure

    MalBeacon disclosed that Velvet Tempest, also tracked as DEV-0504, used a malvertising-driven ClickFix chain to stage DonutLoader and CastleRAT against a U.S. nonprofit-like environment with more than 3,000 endpoints and over 2,500 users. The chain combined obfuscated Windows Run dialog commands, nested cmd.exe activity, finger.exe retrieval, PowerShell downloads, csc.exe compilation, and Python-based persistence. The observed activity covered February 3-16 and included hands-on-keyboard reconnaissance, host discovery, environment profiling, and Chrome credential harvesting, while Termite ransomware was not deployed in the intrusion.