[Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed
A recent deception operation shows Velvet Tempest leaning on a “ClickFix”-style lure to move fast from initial access into hands-on-keyboard activity consistent with Termite ransomware operations. In this post, we break down the timeline, highlight the most actionable indicators of compromise, and translate the tradecraft into practical defender takeaways—including where deception can turn attacker momentum into instant signal.
[Op Report] Hands-on-Keyboard Intrusion Abusing Multiple RMMs
Proofpoint observed a hands-on-keyboard intrusion where an operator abused multiple RMM platforms—including Bluetrait, Fleetdeck, Level, and MSP360—after initial access via a malicious PDF “missing Adobe plugin” lure. The activity underscores a growing reality: attackers are increasingly using legitimate IT tooling as a resilient intrusion framework.
[Update] Deception.Pro Jan 2026
The January 2026 Deception.Pro update introduces industry-based replica browsing for Premium users, expanded and more reliable malware auto-detonation across common delivery formats, improved artifact handling with VirusTotal linking, and broad stability enhancements, while laying the groundwork for dedicated KVM infrastructure, TLS inspection, and memory dump support.
[Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations
This Deception.Pro operation captured a multi-stage malware intrusion culminating in hands-on-keyboard (HoK) activity focused exclusively on account takeover (ATO), not ransomware staging or enterprise lateral movement.
[Op Report] Oyster → Vidar → Supper SOCKS Shell Campaign Leads to Hands-on-Keyboard Activity
A recent Deception.Pro operation involving a replica victim in the travel and tourism sector revealed a multi-stage infection beginning with an Oyster malware dropper masquerading as a Microsoft Teams installer.