Five-Year Ransomware Affiliate Uses Malvertising and Legitimate Windows Tools in Sophisticated Intrusion
Security researchers at MalBeacon have exposed a 12-day intrusion campaign by Velvet Tempest (also tracked as DEV-0504), a prolific ransomware affiliate group now deploying the CastleRAT backdoor through ClickFix social engineering attacks.
The campaign demonstrates the continued evolution of ransomware operators toward sophisticated initial access techniques that leverage legitimate Windows utilities and social engineering to evade detection.
Threat Actor Profile: Velvet Tempest
Velvet Tempest has been active for at least five years as a ransomware affiliate, deploying some of the most devastating strains in recent history:
- Ryuk (2018-2020)
- REvil (2019-2022)
- Conti (2019-2022)
- BlackMatter (2021)
- BlackCat/ALPHV (2021-2024)
- LockBit (2022-present)
- RansomHub (2024-present)
- Termite (current)
The group is now linked to Termite ransomware, which has claimed high-profile victims including SaaS provider Blue Yonder and Australian IVF giant Genea.
Attack Chain: ClickFix to CastleRAT
MalBeacon observed the intrusion between February 3 and 16, 2026, in an emulated non-profit organization environment with over 3,000 endpoints.
Initial Access: Velvet Tempest used malvertising to deliver a ClickFix and CAPTCHA combination. Victims were tricked into pasting an obfuscated command into the Windows Run dialog—a technique that bypasses browser-based protections.
Execution: The pasted command triggered nested cmd.exe chains and leveraged finger.exe—a legitimate Windows utility—to fetch malware loaders. One payload was an archive disguised as a PDF file.
Staging: Subsequent PowerShell commands downloaded additional payloads, compiled .NET components via csc.exe in temporary directories, and deployed Python-based persistence mechanisms in C:\ProgramData.
Backdoor Deployment: The attack ultimately delivered DonutLoader and CastleRAT—a remote access trojan associated with CastleLoader, known for distributing RATs and infostealers like LummaStealer.
Post-Exploitation Activity
After gaining access, operators performed hands-on-keyboard activities including:
- Active Directory reconnaissance
- Host discovery and environment profiling
- Chrome credential harvesting via a PowerShell script
Notably, the PowerShell script was hosted on an IP address researchers linked to tool staging for previous Termite ransomware intrusions—establishing the connection between CastleRAT deployment and the Termite operation.
Detection Indicators
Security teams should monitor for:
- ClickFix-style CAPTCHA pages prompting users to paste commands into the Run dialog
- finger.exe network connections to external hosts
- Nested cmd.exe execution chains
- csc.exe compilation in temp directories
- Python components persisting in C:\ProgramData
- DonutLoader or CastleRAT indicators of compromise
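As an added illustration of the indicators above (this is example code, not from the MalBeacon report), the following Python routine evaluates constructed Sysmon-style process-creation and network-connection events against four of the listed behaviours; the field names, sample paths and IP addresses are assumptions made for the example.

```python
import ipaddress
import re

# Constructed process-creation (id 1) and network-connection (id 3) events in a
# Sysmon-like shape. Values are invented for this example and are not
# indicators from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'cmd /c "cmd /c finger user@203.0.113.10"'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c finger user@203.0.113.10"},
    {"id": 3, "image": r"C:\Windows\System32\finger.exe", "dst": "203.0.113.10"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"csc.exe /out:C:\Users\u\AppData\Local\Temp\a.dll C:\Users\u\AppData\Local\Temp\a.cs"},
    {"id": 1, "image": r"C:\ProgramData\py\python.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\ProgramData\py\python.exe C:\ProgramData\py\run.py"},
    {"id": 3, "image": r"C:\Windows\System32\finger.exe", "dst": "10.0.0.5"},  # internal host: not flagged
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad"},
]

# Address ranges treated as internal (assumption: RFC 1918 plus loopback).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_external(ip: str) -> bool:
    """True when the destination is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def evaluate(event: dict) -> list[str]:
    """Return the names of the listed indicators that a single event matches."""
    hits = []
    img = basename(event["image"])
    if event["id"] == 3 and img == "finger.exe" and is_external(event["dst"]):
        hits.append("finger_external_connection")
    if event["id"] == 1:
        cmd = event.get("cmdline", "")
        if img == "cmd.exe" and basename(event.get("parent", "")) == "cmd.exe":
            hits.append("nested_cmd_chain")  # cmd.exe spawned by cmd.exe
        if img == "csc.exe" and re.search(r"\\temp\\", cmd, re.I):
            hits.append("csc_in_temp")  # .NET compiler writing to a temp directory
        if img.startswith("python") and re.search(r"c:\\programdata\\", event["image"] + " " + cmd, re.I):
            hits.append("python_in_programdata")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, indicator) pairs for every match across a batch of events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]
```

Running `scan(SAMPLE_EVENTS)` flags the nested cmd.exe, the external finger.exe connection, the csc.exe build in Temp and the Python interpreter under C:\ProgramData, while the finger.exe call to an internal host and the notepad launch pass untouched.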
Why This Matters
Velvet Tempest’s adoption of ClickFix represents a broader trend among ransomware affiliates toward social engineering-based initial access. By convincing users to execute commands themselves, attackers bypass email security, browser protections, and endpoint detection tools that monitor for automated exploitation.
The group’s five-year track record with multiple ransomware strains also highlights the reality of the ransomware ecosystem: sophisticated affiliates move between ransomware-as-a-service operations, bringing their TTPs and infrastructure with them.
