Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor.

Researchers at cyber-deception threat intelligence firm MalBeacon observed the hackers' actions in an emulated organization environment over a period of 12 days.

Velvet Tempest, also tracked as DEV-0504, is a threat group that has been involved in ransomware attacks as an affiliate for at least five years.

The actor has been associated with deploying some of the most devastating ransomware strains: Ryuk (2018 - 2020), REvil (2019-2022), Conti (2019-2022), BlackMatter, BlackCat/ALPHV (2021-2024), LockBit, and RansomHub.

The attack was observed by MalBeacon between February 3 and 16 in a replica environment for a non-profit organization in the U.S. with more than 3,000 endpoints and over 2,500 users.

After obtaining access, Velvet Tempest operators performed hands-on keyboard activities, including Active Directory reconnaissance, host discovery, and environment profiling, as well as using a PowerShell script to harvest credentials stored in Chrome.

The script was hosted on an IP address that researchers linked to tool staging for Termite ransomware intrusions.

According to the researchers, Velvet Tempest gained initial access through a malvertising campaign that led to a ClickFix and CAPTCHA mix that instructed victims to paste an obfuscated command into the Windows Run dialog.

The pasted command triggered nested cmd.exe chains and used finger.exe to fetch the first malware loaders. One of the payloads was an archive file disguised as a PDF file.

In subsequent stages, Velvet Tempest used PowerShell to download and execute commands that fetched additional payloads, compile .NET components via csc.exe in temporary directories, and deploy Python-based components for persistence in C:\ProgramData.

The operation ultimately staged DonutLoader and retrieved CastleRAT backdoor, a remote access trojan associated with the CastleLoader malware loader known for distributing multiple families of RATs and information stealers, like LummaStealer.

Termite ransomware has previously claimed high-profile victims such as SaaS provider Blue Yonder and Australian IVF giant Genea.

While Velvet Tempest is typically associated with double-extortion attacks, where victim systems are encrypted after stealing company data, MalBeacon's report notes that the threat actor did not deploy the Termite ransomware in the observed intrusion.

Multiple ransomware actors have adopted the CkickFix technique in attacks. Sekoia reported in April 2025 that the Interlock ransomware gang used the social engineering method to breach corporate networks.