Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

    Date: 08/01/2025

    Severity: Medium

    Summary

    An active malware campaign using ClickFix-themed lures is spreading the Epsilon Red ransomware. Unlike earlier versions, this variant redirects victims to a second page where malicious shell commands are silently executed via ActiveX, downloading a malicious .HTA file. Social engineering tactics like fake verification codes make the attack appear legitimate. The infrastructure mimics popular services such as Discord, Twitch, OnlyFans, and Kick, and also uses romance-themed traps. Epsilon Red, first observed in 2021, resembles REvil in ransom note design but differs in tactics and infrastructure.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "twtich.cc" or siteurl like "twtich.cc" or url like "twtich.cc" or domainname like "http://155.94.155.227:2269/" or siteurl like "http://155.94.155.227:2269/" or url like "http://155.94.155.227:2269/" or domainname like "http://213.209.150.188:8112/" or siteurl like "http://213.209.150.188:8112/" or url like "http://213.209.150.188:8112/" or domainname like "capchabot.cc" or siteurl like "capchabot.cc" or url like "capchabot.cc"

    Detection Query 2:

    dstipaddress IN ("155.94.155.227","213.209.150.188") or srcipaddress IN ("155.94.155.227","213.209.150.188")

    Detection Query 3:

    md5hash IN ("2db32339fa151276d5a40781bc8d5eaa","98107c01ecd8b7802582d404e007e493")

    Detection Query 4:

    hash IN ("adf4fe80ccef030466c9d12b4340ea0a3fd02d9a","9d0079fe0fa3480f3f36105ca8c3933ab1004c05")

    Detection Query 5:

    sha256hash IN ("e0a69439563c8534c2ef842d4ffcb16696f286d16585186de20351892f9917f1","d735a8bd796d87e6db15cbe35223caf3e2cf8b7c0e11e58b1f6f5fdae20ce16c")
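    As an added example that is not part of the Gurucul advisory, the five queries above combined into one Python matcher run over constructed sample events. It goes slightly beyond the queries by normalising URL fields to a bare hostname and also matching subdomains of the IOC domains (an assumption, not something the original queries do).

```python
from urllib.parse import urlsplit

# IOC values taken from the detection queries in the advisory above.
IOC_HOSTS = {"capchabot.cc", "twtich.cc", "155.94.155.227", "213.209.150.188"}
IOC_IPS = {"155.94.155.227", "213.209.150.188"}
IOC_HASHES = {
    "md5": {"2db32339fa151276d5a40781bc8d5eaa", "98107c01ecd8b7802582d404e007e493"},
    "sha1": {"adf4fe80ccef030466c9d12b4340ea0a3fd02d9a", "9d0079fe0fa3480f3f36105ca8c3933ab1004c05"},
    "sha256": {"d735a8bd796d87e6db15cbe35223caf3e2cf8b7c0e11e58b1f6f5fdae20ce16c",
               "e0a69439563c8534c2ef842d4ffcb16696f286d16585186de20351892f9917f1"},
}
HASH_TYPE_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def host_of(value):
    """Reduce a URL or bare domain to its hostname (drops scheme, port and path)."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # lets urlsplit treat a bare host as a netloc
    return urlsplit(v).hostname or ""

def matches_url_field(value):
    """Query 1: a URL/domain field hits when its host is an IOC host or a subdomain of one (assumption)."""
    host = host_of(value)
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)

def matches_hash(value):
    """Queries 3-5: classify the hash by its length, then check the matching IOC set."""
    h = value.strip().lower()
    kind = HASH_TYPE_BY_LEN.get(len(h))
    return kind is not None and h in IOC_HASHES[kind]

def check_event(event):
    """Return the detection rules (by query number) that an event record matches."""
    hits = []
    if any(matches_url_field(event.get(f, "")) for f in ("domainname", "siteurl", "url")):
        hits.append("Q1-url/domain")
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:  # Query 2
        hits.append("Q2-ip")
    for f in ("md5hash", "hash", "sha256hash"):
        if matches_hash(event.get(f, "")):
            hits.append("Q3-5-hash:" + f)
    return hits

# Constructed sample events (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    {"url": "http://155.94.155.227:2269/", "dstipaddress": "155.94.155.227"},
    {"domainname": "www.twtich.cc", "dstipaddress": "10.0.0.5"},
    {"sha256hash": "D735A8BD796D87E6DB15CBE35223CAF3E2CF8B7C0E11E58B1F6F5FDAE20CE16C"},
    {"url": "https://www.example.com/login", "dstipaddress": "192.0.2.10"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(check_event(ev) or "clean", ev)
```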

    Reference:

    https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware


    Tags

    Malware, Epsilon Red, Ransomware, ClickFix, Social Engineering
