Termite ransomware breaches linked to ClickFix CastleRAT attacks
Mark0 @mark0_617b45cda9782a

Publish Date: Mar 10

Ransomware threat group Velvet Tempest (DEV-0504) has been observed using the "ClickFix" social engineering technique together with legitimate Windows utilities to deploy DonutLoader and the CastleRAT backdoor. The group, a well-known affiliate of major ransomware operations such as REvil, Conti, and LockBit, was recently tracked by MalBeacon performing hands-on-keyboard activity, including Active Directory reconnaissance and credential harvesting via PowerShell.

The infection chain begins with malvertising that lures victims into pasting obfuscated commands into the Windows Run dialog; the pasted command then uses native tools such as finger.exe and csc.exe to fetch and compile the malicious payloads. While Velvet Tempest is linked to the deployment of Termite ransomware in high-profile breaches, the researchers noted that encryption was not initiated during this specific observation, pointing to a focus on persistence and remote access through the CastleRAT trojan.
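The process lineage described above (Run dialog, then finger.exe and csc.exe) is what a detection engineer would hunt for in endpoint telemetry. The following is an added example, not code from the article or from MalBeacon: it scores constructed Sysmon-style process-creation records for that chain, treating the parent process, a remote host in finger.exe's arguments, and compilation from a user-writable path as separate signals.

```python
import re

# Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine).
SUSPECT_LOLBINS = {"finger.exe", "csc.exe"}
# A command pasted into the Run dialog runs under explorer.exe; the pasted
# one-liner usually spawns cmd.exe or powershell.exe before the LOLBins.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in SUSPECT_LOLBINS:
        return reasons
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} spawned by {parent} (Run-dialog lineage)")
    if image == "finger.exe" and "@" in cmd:
        # finger.exe has almost no legitimate use on a workstation; a remote
        # host in its arguments is the fetch stage of the chain.
        reasons.append("finger.exe reaching a remote host")
    if image == "csc.exe" and USER_WRITABLE.search(cmd):
        reasons.append("csc.exe compiling from a user-writable path")
    return reasons

def hunt(events):
    """Return (event_index, reasons) for every event that trips a rule."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]

# Constructed sample telemetry (not real logs); 203.0.113.10 is a TEST-NET address.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ..."},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger.exe alice@203.0.113.10"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /out:C:\Users\alice\AppData\Local\Temp\a.exe C:\Users\alice\AppData\Local\Temp\a.cs"},
    {"ParentImage": r"C:\Program Files\dotnet\MSBuild.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /out:C:\src\app\obj\app.dll C:\src\app\Program.cs"},
]
```

The last record shows why the parent and path checks matter: a build tool compiling from a source tree trips neither, while the interactive finger.exe and csc.exe launches each trip two rules.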
