Cybersecurity Ecosystem

Termite Ransomware Group Deploys ClickFix Social Engineering and CastleRAT Backdoor in Escalating Attack Campaign

⚡ Quick Summary

  • Velvet Tempest group deploys Termite ransomware using ClickFix social engineering that tricks users into executing attack commands
  • The attack chain combines fake error dialogues, legitimate Windows utilities, and custom CastleRAT backdoor for evasion
  • ClickFix exploits user compliance instincts rather than traditional phishing, bypassing most security awareness training
  • Organisations must update detection strategies and security training to address this rapidly spreading technique

What Happened

A ransomware threat group tracked as Velvet Tempest is deploying a sophisticated multi-stage attack campaign that combines the ClickFix social engineering technique with the CastleRAT backdoor and legitimate Windows utilities to deliver the DonutLoader malware, ultimately deploying Termite ransomware on compromised systems. The campaign represents a significant evolution in ransomware delivery tactics, blending social engineering, living-off-the-land techniques, and custom malware in a chain that is designed to evade traditional security controls at every stage.

The ClickFix technique, which has gained widespread adoption among threat actors in recent months, works by presenting victims with fake error messages or verification prompts that instruct them to execute commands on their own systems. Unlike traditional malware delivery that relies on exploiting software vulnerabilities or tricking users into opening malicious attachments, ClickFix weaponises user compliance—victims follow instructions that appear legitimate, unknowingly executing the initial compromise commands themselves.

Once the ClickFix social engineering succeeds, the attack chain proceeds through several stages: the DonutLoader malware is deployed using legitimate Windows utilities to evade detection, establishing the CastleRAT backdoor that provides persistent access. The attackers then conduct reconnaissance, move laterally through the network, and ultimately deploy Termite ransomware to encrypt critical data and systems.

Background and Context

The ClickFix technique has emerged as one of the most effective social engineering methods in the current threat landscape. First observed in widespread use in late 2025, the technique exploits a fundamental human tendency to follow instructions from perceived authority figures or system prompts. By presenting fake error dialogues that instruct users to paste commands into a terminal or run PowerShell scripts, attackers bypass traditional security controls that focus on detecting malicious files or suspicious network connections.

The Termite ransomware group, operated by the threat actor cluster known as Velvet Tempest, has been active since mid-2025 and has targeted organisations across healthcare, manufacturing, and professional services sectors. The group follows the prevalent ransomware-as-a-service model, providing the ransomware payload while relying on affiliates for initial access and deployment.

The use of legitimate Windows utilities for malware deployment—a technique known as living off the land (LOTL)—has become standard practice among sophisticated threat actors. By using built-in tools like PowerShell, Windows Management Instrumentation (WMI), and the Microsoft HTML Application Host (mshta.exe), attackers can execute malicious actions using trusted system components that are present on every Windows installation and often whitelisted by security tools.

CastleRAT, the backdoor component, appears to be a custom remote access tool developed specifically for Velvet Tempest operations. Unlike commodity malware that is widely shared and quickly detected, custom tools give threat actors a detection advantage because security vendors have fewer samples to develop signatures and behavioural profiles.

Why This Matters

The combination of ClickFix social engineering, living-off-the-land execution, and custom malware represents the current state of the art in ransomware delivery—a chain designed to defeat each layer of traditional security controls. Endpoint protection tools that focus on detecting known malware signatures may miss the attack because it uses legitimate system utilities. Email security tools may fail to flag the initial contact because ClickFix prompts can be delivered through legitimate websites or compromised web applications rather than email attachments.

The ClickFix technique is particularly insidious because it turns the user into the attack vector. Traditional security awareness training teaches users to avoid clicking on suspicious links or opening unexpected attachments. ClickFix exploits a different cognitive pathway—the instinct to troubleshoot and fix apparent system problems—that most security training does not address. Organisations using a genuine Windows 11 key with properly configured security policies can mitigate some aspects of this attack chain, but user education remains the critical first line of defence.

The involvement of the DonutLoader malware adds another layer of concern. DonutLoader is a versatile in-memory payload delivery tool that can execute arbitrary shellcode without writing to disk, making it extremely difficult for traditional antivirus solutions to detect. This fileless execution approach compounds the evasion challenges created by the legitimate utility abuse.

Industry Impact

The cybersecurity industry is adapting its detection and prevention approaches in response to the ClickFix-enabled attack chain. Endpoint detection and response (EDR) vendors are developing behavioural analytics that can identify suspicious patterns of legitimate utility usage—such as PowerShell scripts executed immediately after web browser activity—that may indicate a ClickFix attack in progress.
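The "script interpreter right after browser activity" pattern mentioned above can be expressed as a small detection rule over process-creation telemetry. The following Python is an added example written for this article; it is not code from any EDR vendor or from the researchers who reported the campaign. It assumes Sysmon-style process-creation records (image, parent image, command line, timestamp, host, user) and scores each interpreter launch by launch context (parent is a browser, or explorer.exe as with the Win+R Run box), by proximity to browser activity for the same user, and by common hide/decode/download switches in the command line. The sample events, hosts, user names and the base64 string are constructed for the demo.

```python
"""Score process-creation records for the ClickFix execution pattern.

Added example for this article (not vendor or researcher code). Field
names follow Sysmon Event ID 1; all event data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
RUN_BOX_PARENTS = {"explorer.exe"}       # Win+R and Start-menu launches
# Command-line fragments that raise the score in this launch context.
CMD_INDICATORS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                  "iex", "invoke-expression", "downloadstring", "http://", "https://")
BROWSER_WINDOW = timedelta(seconds=120)  # how recent browser activity must be
ALERT_THRESHOLD = 3


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str       # full path of the created process
    parent: str      # full path of the parent process
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent, browser_recent: bool):
    """Return (score, reasons) for one process-creation record."""
    if basename(ev.image) not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    parent = basename(ev.parent)
    if parent in BROWSERS:
        score += 3
        reasons.append(f"interpreter spawned directly by browser {parent}")
    elif parent in RUN_BOX_PARENTS:
        score += 1
        reasons.append("interpreter launched via explorer.exe (Run box)")
    if browser_recent:
        score += 1
        reasons.append("browser active for this user within the last 120 s")
    lowered = ev.cmdline.lower()
    hits = [i for i in CMD_INDICATORS if i in lowered]
    score += len(hits)
    reasons.extend(f"command line contains {h!r}" for h in hits)
    return score, reasons


def detect_clickfix(events, threshold=ALERT_THRESHOLD):
    """Walk events in time order; remember last browser activity per (host, user)."""
    last_browser = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        if basename(ev.image) in BROWSERS:
            last_browser[key] = ev.ts
            continue
        recent = key in last_browser and ev.ts - last_browser[key] <= BROWSER_WINDOW
        score, reasons = score_event(ev, recent)
        if score >= threshold:
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "image": basename(ev.image), "score": score,
                           "reasons": reasons})
    return alerts


# Constructed telemetry, not captures from any real incident.
T0 = datetime(2025, 11, 3, 9, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS01", "alice", CHROME, r"C:\Windows\explorer.exe", "chrome.exe"),
    # Pasted into Win+R 40 s after browsing; base64 is filler ("ABCDEFG"), not a payload.
    ProcEvent(T0 + timedelta(seconds=40), "WS01", "alice", PS,
              r"C:\Windows\explorer.exe", "powershell.exe -w hidden -enc QUJDREVGRw=="),
    ProcEvent(T0 + timedelta(minutes=5), "WS02", "bob", EDGE,
              r"C:\Windows\explorer.exe", "msedge.exe"),
    ProcEvent(T0 + timedelta(minutes=5, seconds=12), "WS02", "bob",
              r"C:\Windows\System32\mshta.exe", EDGE,
              "mshta.exe https://example.invalid/verify"),
    # Admin diagnostic from the Run box half an hour after browsing: benign.
    ProcEvent(T0 + timedelta(minutes=30), "WS01", "alice", PS,
              r"C:\Windows\explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["image"], alert["score"], alert["reasons"])
```

The threshold keeps an ordinary Run-box PowerShell launch below the alert line unless it is both close to browser activity and carries suspicious switches, which is the combination a ClickFix victim produces; a browser spawning an interpreter directly scores high on its own because no legitimate workflow of most users does that.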

Security awareness training providers are updating their programmes to address the specific social engineering patterns used in ClickFix attacks. Unlike traditional phishing simulations that test whether users click on suspicious links, effective ClickFix training must teach users to recognise fake error dialogues and resist the urge to follow troubleshooting instructions from untrusted sources.

The ransomware insurance market continues to tighten as attack techniques become more sophisticated. Insurers are increasingly requiring specific security controls—including application whitelisting, PowerShell logging, and credential hygiene—as conditions of coverage. The Termite campaign's use of legitimate utilities to deliver ransomware reinforces the importance of these controls.

Managed security service providers (MSSPs) and managed detection and response (MDR) vendors are seeing increased demand from organisations that lack the internal capability to detect and respond to multi-stage attacks like the Termite campaign. The complexity of modern attack chains has exceeded the capacity of many in-house security teams.

Expert Perspective

Incident responders note that the Termite campaign's multi-stage design creates multiple detection opportunities for well-prepared organisations but is highly effective against those with basic security controls. The key detection windows occur at the ClickFix social engineering stage (user education), the DonutLoader execution stage (behavioural monitoring), the CastleRAT communication stage (network monitoring), and the ransomware deployment stage (file integrity monitoring).
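The last detection window listed above, file integrity monitoring at the ransomware deployment stage, is the one that fires even when every earlier stage was missed, because encryption itself is noisy: one process rewrites many files with high-entropy content and renames them to a new extension. The Python below is an added example illustrating that check; it is not code from the article or from any product it mentions, and its file-change events, process IDs, paths and the ".locked" extension are constructed for the demo. It consumes write and rename events and alerts when one process renames many files to the same new extension inside a sliding window while its recent writes look like ciphertext.

```python
"""Flag ransomware-style mass modification in file-change telemetry.

Added example for this article (not product code). Event data is constructed.
Each event is a dict: ts (seconds), pid, op ("write" | "rename"), path,
plus data (bytes) for writes or new_path for renames. Paths use "/" here
so the extension helper stays simple; real Windows telemetry would need
the separator normalised first.
"""
import math
import random
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def detect_mass_encryption(events, window_s=60.0, min_renames=20, entropy_floor=7.0):
    """One alert per (pid, new extension) once the rename rate and write entropy both trip."""
    renames = defaultdict(deque)     # (pid, new_ext) -> rename timestamps in window
    entropies = defaultdict(deque)   # pid -> (ts, entropy) of recent writes
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ts = ev["pid"], ev["ts"]
        if ev["op"] == "write":
            entropies[pid].append((ts, shannon_entropy(ev["data"])))
            while entropies[pid] and ts - entropies[pid][0][0] > window_s:
                entropies[pid].popleft()
        elif ev["op"] == "rename":
            new_ext = _ext(ev["new_path"])
            if new_ext == _ext(ev["path"]):
                continue                      # extension unchanged: ordinary save-and-swap
            q = renames[(pid, new_ext)]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()
            if len(q) >= min_renames and (pid, new_ext) not in alerted:
                recent = [e for _, e in entropies[pid]]
                mean = sum(recent) / len(recent) if recent else 0.0
                if mean >= entropy_floor:
                    alerted.add((pid, new_ext))
                    alerts.append({"pid": pid, "extension": new_ext, "renames": len(q),
                                   "mean_entropy": round(mean, 2), "ts": ts})
    return alerts


def build_sample_events():
    """Constructed telemetry: one benign document save, then a mass-encryption burst."""
    rng = random.Random(1)            # deterministic "ciphertext" for the demo
    t, events = 1000.0, []
    # Benign: a word processor writes low-entropy text and swaps its temp file in.
    events.append({"ts": t, "pid": 100, "op": "write",
                   "path": "C:/Users/a/Docs/report.docx", "data": b"quarterly report " * 200})
    events.append({"ts": t + 1, "pid": 100, "op": "rename",
                   "path": "C:/Users/a/Docs/~report.tmp", "new_path": "C:/Users/a/Docs/report.docx"})
    # Suspicious: pid 4242 overwrites 25 spreadsheets with random bytes and renames each.
    for i in range(25):
        p = f"C:/Users/a/Docs/file{i}.xlsx"
        events.append({"ts": t + 10 + i * 0.5, "pid": 4242, "op": "write",
                       "path": p, "data": rng.randbytes(2048)})
        events.append({"ts": t + 10 + i * 0.5 + 0.1, "pid": 4242, "op": "rename",
                       "path": p, "new_path": p + ".locked"})
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

Requiring both signals matters: a backup agent or a compiler renames many files in a minute but writes compressible content, and an archiver writes high-entropy data without renaming anything to a new extension, so either signal alone produces routine false positives. The thresholds (20 renames per 60 seconds, 7.0 bits per byte) are starting points to tune against a baseline of the monitored file servers.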

Threat intelligence analysts highlight that ClickFix adoption by ransomware groups confirms the technique's effectiveness and predicts further proliferation across the threat landscape. Techniques that work tend to spread rapidly among threat actors, and ClickFix is likely to become a standard element of social engineering campaigns.

Malware researchers caution that the custom CastleRAT backdoor indicates ongoing development investment by Velvet Tempest, suggesting the group has the resources and motivation for sustained operations and continued evolution of their attack tools.

What This Means for Businesses

Organisations must update their security strategies to address the specific techniques used in the Termite campaign. This includes implementing PowerShell logging and monitoring, restricting execution of script interpreters to authorised use cases, deploying behavioural EDR solutions, and updating security awareness training to cover ClickFix-style social engineering. Businesses running their operations on enterprise productivity software with an affordable Microsoft Office licence should ensure their Windows environments are configured with appropriate security policies.

Backup and recovery capabilities remain essential as the ultimate defence against ransomware. Organisations should maintain offline backups, test recovery procedures regularly, and develop incident response plans that account for the possibility of a successful ransomware deployment.

Key Takeaways

Looking Ahead

The ClickFix technique is likely to become a standard element of the social engineering toolkit, adopted by an increasingly wide range of threat actors. Organisations should prioritise updating their security awareness programmes and technical controls to address this technique before it becomes as ubiquitous as traditional phishing. The evolution of ransomware delivery tactics demands continuous adaptation from defenders.

Frequently Asked Questions

What is the ClickFix social engineering technique?

ClickFix presents victims with fake error messages or verification prompts that instruct them to execute commands on their own systems. Users follow the seemingly legitimate troubleshooting instructions, unknowingly executing the initial compromise commands that begin the attack chain.

What is Termite ransomware?

Termite is a ransomware strain deployed by the Velvet Tempest threat actor group. It follows a ransomware-as-a-service model and targets healthcare, manufacturing, and professional services organisations, encrypting critical data and demanding payment for recovery.

How can organisations defend against ClickFix attacks?

Defences include updated security awareness training that specifically addresses fake error dialogues, PowerShell logging and monitoring, restricting script interpreter execution, deploying behavioural EDR solutions, and maintaining offline backups with tested recovery procedures.

OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.