Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware
ID: 6227ac7a-628a-578d-8267-50a0daaf689d
STIX ID: report--6227ac7a-628a-578d-8267-50a0daaf689d
Feed Name: CloudSEK Blog
During routine infrastructure hunting, CloudSEK TRIAD discovered ClickFix-themed pages delivering Epsilon Red ransomware. The pages use ActiveX (WScript.Shell) to silently download and execute payloads (for example, a curl fetch from 155.94.155.227:2269), relying on social-engineering lures and impersonation of services such as a Discord captcha bot, Kick, Twitch and OnlyFans. The report includes IOCs, MITRE ATT&CK technique mappings, attribution context and mitigation guidance.
