ClickFix the file-free intrusion of Velvet Temper reveals the use of legitimate tools and memory loaders


In a recent operation documented by the cyber-intelligence firm MalBeacon, the ransomware group known as Velvet Temper (also tracked as DEV-0504) used a mix of social deception and legitimate Windows tools to introduce and execute malicious payloads on a target network. The intrusion combined a malvertising campaign with a social engineering technique known as "ClickFix", the abuse of native system utilities and in-memory loaders, which allowed the attackers to reach an advanced backdoor without the need for a traditional executable file on disk.

The ClickFix technique relies on tricking the user into pasting into the Windows Run dialog (Win + R) a plain-text command that looks harmless but triggers a chain of processes. In MalBeacon's observation, the campaign started from malicious ads and a CAPTCHA-style screen that persuaded the victim to perform the action. This simple gesture activated nested chains of cmd.exe, which in turn invoked utilities such as finger.exe to retrieve the first "stagers". It is a clear example of how attackers avoid direct malicious attachments and instead exploit human interaction and legitimate programs already present on the system. More details of the analysis can be found in MalBeacon's write-up: MalBeacon.


Once inside, the operators carried out manual (hands-on-keyboard) activity: Active Directory reconnaissance, host discovery and mapping of the environment. They used PowerShell to download additional commands and ran a script to extract credentials stored by the Chrome browser, a behaviour that matches well-known browser credential theft techniques (MITRE ATT&CK T1555.002). Part of the initial malware was distributed in a compressed file disguised as a PDF, and in later stages the group compiled .NET components in temporary folders with csc.exe and deployed Python modules to establish persistence under C:\ProgramData.

In the deployment phase, the attackers used DonutLoader to run code in memory and finally downloaded CastleRAT, a remote-access trojan often associated with an ecosystem of loaders such as CastleLoader and with info-stealer families. The use of in-memory loaders such as Donut allows .NET binaries to run without creating obvious on-disk executables, which hampers traditional detection; the Donut project, which implements this technique, is publicly documented on GitHub: Donut (GitHub).

MalBeacon recorded this campaign in a simulated environment that replicated the infrastructure of a US non-profit organization with more than 3,000 endpoints and about 2,500 users, over a 12-day period between 3 and 16 February. Although Velvet Temper has a long history as a participant in double-extortion campaigns and has been linked to deployments of well-known ransomware families in recent years, in this specific exercise the operators did not detonate the Termite ransomware that is sometimes associated with them. This absence underlines that the intrusion phase can serve both for information theft and as preparation for a later execution: attackers can adjust their objective according to the opportunity and the defender's response.

The observed behaviour exemplifies two trends often seen in recent attacks: on the one hand, the abuse of native system utilities and local compilers (what the community calls "living off the land"), and on the other, the use of social-engineering lures that ask the victim to perform simple but dangerous manual actions. MITRE groups many of these techniques under categories such as the use of command interpreters and the abuse of legitimate binaries: T1059 - Command and Scripting Interpreter and T1218 - System Binary Proxy Execution.


In addition, the practice of compiling .NET components on the fly and running payloads in memory complicates signature-based detection and forces security teams to rely more on behavioural telemetry and anomaly signals (e.g., csc.exe creating unusual assemblies in temporary directories, repeated PowerShell executions with obfuscation, or processes that download payloads from low-reputation IPs). Public security agencies recommend strengthening defences with measures such as network segmentation, strict execution policies, monitoring of critical processes and awareness programmes to discourage actions such as pasting commands into the Run dialog; CISA's ransomware and defensive guidelines provide practical guidance: CISA - Ransomware Guidance.

Finally, it is not an isolated case that ransomware groups and affiliates adopt the ClickFix trick: industry reports have documented other groups using variants of this social engineering technique to get into corporate networks. A recent example linking a similar campaign to the Interlock group was reported by Sekoia, which highlights how apparently simple techniques can bypass controls if the human factor is not prepared: Sekoia - Blog.

If there is one clear lesson, it is that security no longer depends only on blocking malicious files: the combination of human lures, valid system tools and in-memory loaders requires a defence-in-depth strategy covering technology, processes and training. Organizations should prioritize behaviour-based detection, protect and audit privileged access, and educate users not to execute commands received from unverified channels. For professionals who want to tune detections, watching for downloads from suspicious staging addresses, the appearance of unexpected .NET compilations and persistence artifacts created in unusual locations such as C:\ProgramData is usually a good starting point.
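As an added illustration of the behavioural signals listed above (not code from MalBeacon or the original article), the following script runs four simple rules over constructed process-creation records: finger.exe spawned by cmd.exe, csc.exe writing into a temp or ProgramData path, PowerShell with encoded or download-style arguments, and a Python interpreter launched from C:\ProgramData. The record layout (parent, image, command line) and all sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field names assumed)."""
    parent: str   # parent image name
    image: str    # created image name
    cmdline: str  # full command line

TEMP_OR_PROGRAMDATA = re.compile(r"\\(Temp|ProgramData)\\", re.IGNORECASE)
PS_SUSPICIOUS = re.compile(r"(-enc(odedcommand)?\b|downloadstring|invoke-webrequest|\biwr\b)",
                           re.IGNORECASE)

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if nothing fired)."""
    hits = []
    img, parent = ev.image.lower(), ev.parent.lower()
    if img == "finger.exe" and parent == "cmd.exe":
        hits.append("clickfix_finger_stager")          # cmd.exe chain fetching a stager
    if img == "csc.exe" and TEMP_OR_PROGRAMDATA.search(ev.cmdline):
        hits.append("csc_temp_compile")                # ad-hoc .NET build in a scratch dir
    if img == "powershell.exe" and PS_SUSPICIOUS.search(ev.cmdline):
        hits.append("powershell_obfuscated_or_download")
    if img in ("python.exe", "pythonw.exe") and re.search(r"\\ProgramData\\", ev.cmdline, re.I):
        hits.append("python_persistence_programdata")  # script persisted under C:\ProgramData
    return hits

def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Flatten all rule hits across a batch of events as (rule, command line) pairs."""
    return [(rule, ev.cmdline) for ev in events for rule in classify(ev)]

# Constructed sample telemetry (not from the report): the first four records mimic the
# chain described in the article, the last two are benign developer/admin noise.
SAMPLE = [
    ProcEvent("cmd.exe", "finger.exe", "finger stage@203.0.113.25"),
    ProcEvent("cmd.exe", "csc.exe",
              r"csc.exe /nologo /out:C:\Users\u\AppData\Local\Temp\k3j.dll "
              r"C:\Users\u\AppData\Local\Temp\k3j.cs"),
    ProcEvent("cmd.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    ProcEvent("cmd.exe", "python.exe", r"python.exe C:\ProgramData\svc\agent.py"),
    ProcEvent("devenv.exe", "csc.exe", r"csc.exe /out:C:\src\app\bin\app.dll C:\src\app\Program.cs"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\"),
]

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE):
        print(f"[{rule}] {cmd}")
```

In production these rules belong in the SIEM or EDR query language rather than a script, but the same four conditions transfer directly.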
