Termite Ransomware Breaches Linked to ClickFix CastleRAT Attacks

The resurgence of ClickFix—a hybrid malvertising and CAPTCHA bypass—signals a shift in ransomware actors’ entry vectors. By prompting victims to paste an obfuscated command into the Windows Run dialog, threat groups like Velvet Tempest can trigger chained cmd.exe executions that fetch initial loaders. This method sidesteps traditional phishing emails, exploiting user curiosity and the trust placed in native Windows utilities, making it harder for conventional email filters to block.

In the observed campaign, Velvet Tempest combined the ClickFix lure with a suite of native tools—PowerShell, csc.exe, and finger.exe—to download and compile .NET components, then deployed the DonutLoader and CastleRAT backdoor. The actors performed meticulous Active Directory mapping and harvested Chrome‑stored credentials, establishing persistence in C:\ProgramData. Although the Termite ransomware payload was never released, the infrastructure prepared for rapid encryption, illustrating a “wait‑and‑watch” approach that maximizes extortion leverage while minimizing immediate detection.

For defenders, the key takeaway is the need to monitor anomalous command‑line activity and unexpected use of legitimate binaries for network calls. Threat intelligence indicates that ClickFix is spreading beyond Velvet Tempest, with groups like Interlock adopting the technique. Organizations should enforce strict application control, deploy behavior‑based endpoint detection, and educate users about unsolicited Run‑dialog commands. Proactive hunting for DonutLoader signatures and CastleRAT traffic can disrupt the attack chain before ransomware encryption becomes inevitable.