Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files via ActiveX. This method leads to silent payload downloads and ransomware deployment. The campaign uses a ClickFix-themed malware delivery site, urging victims to visit a secondary page where malicious shell commands are executed. The attackers also impersonate various streaming services and use romance-themed lures. Epsilon Red, first observed in 2021, shows some similarities to REvil ransomware in its ransom note styling but appears distinct in its tactics and infrastructure.
OPENCTI LABELS :
phishing,social engineering,ransomware,impersonation,drive-by download,quasar rat,clickfix,activex,hta files,epsilon red