cR0w<p>.hta files are still going strong. In 2025.</p><p><a href="https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cloudsek.com/blog/threat-actor</span><span class="invisible">s-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware</span></a></p><blockquote><p>During routine infrastructure hunting, CloudSEK’s TRIAD uncovered a Clickfix-themed malware delivery site in active development, associated with the Epsilon Red ransomware. Unlike previous campaigns that copy commands to clipboards, this variant urges victims to visit a secondary page, where malicious shell commands are silently executed via ActiveX to download and run payloads from an attacker-controlled IP. Social engineering tactics, such as fake verification codes, are used to appear benign. Pivoting into related infrastructure revealed impersonation of services like Discord Captcha Bot, Kick, Twitch, and OnlyFans, as well as romance-themed lures. Epsilon Red was first observed in 2021 and is loosely inspired by REvil ransomware in ransom note styling, but otherwise appears distinct in its tactics and infrastructure.</p></blockquote><p><a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatIntel</span></a> <a href="https://infosec.exchange/tags/clickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>clickFix</span></a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ransomware</span></a></p>
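<p>The mechanism the quoted report describes, an HTA whose script instantiates an ActiveX object and hands it a shell command, leaves static fingerprints that a triage script can score before anything is executed. The scanner below is an added example written for this page; it is not code from the post, from CloudSEK, or from the campaign. The two HTA bodies are constructed samples, the list of ProgIDs and the scoring weights are this example's own choices, and the <code>scan_hta</code> name is hypothetical.</p>

```python
import re

# Constructed sample HTA documents for the demo (not samples from the CloudSEK report).
BENIGN_HTA = """<html><head><title>Inventory</title>
<script language="VBScript">
Sub Window_OnLoad
  document.getElementById("out").innerText = "Loaded"
End Sub
</script></head><body><div id="out"></div></body></html>"""

SUSPICIOUS_HTA = """<html><head>
<hta:application id="app" showintaskbar="no" windowstate="minimize">
<script language="JScript">
var sh = new ActiveXObject("WScript.Shell");
sh.Run("cmd /c powershell -w hidden -c \\"...\\"", 0, false);
</script></head><body>Your verification code: 48213</body></html>"""

# COM ProgIDs an HTA has little reason to instantiate unless it intends to run or fetch code.
# (This example's own list, not a published ruleset.)
SHELL_PROGIDS = {
    "wscript.shell", "shell.application", "scripting.filesystemobject",
    "msxml2.xmlhttp", "msxml2.serverxmlhttp", "microsoft.xmlhttp",
    "winhttp.winhttprequest.5.1", "adodb.stream",
}

# ActiveXObject (JScript) or CreateObject/GetObject (VBScript) called with a literal ProgID.
ACTIVEX_RE = re.compile(r'(?:ActiveXObject|CreateObject|GetObject)\s*\(\s*["\']([^"\']+)["\']', re.I)
# Method calls that hand a string to the shell.
EXEC_RE = re.compile(r'\.\s*(Run|Exec|ShellExecute)\s*\(', re.I)
# WScript.Shell.Run with the window-style argument set to 0 (hidden window).
HIDDEN_RUN_RE = re.compile(r'\.\s*Run\s*\([^)]*,\s*0\s*,', re.I)
# hta:application attributes that keep the HTA window out of sight.
HIDDEN_APP_RE = re.compile(r'\b(showintaskbar|windowstate)\s*=\s*["\']?(no|minimize)', re.I)


def scan_hta(text, threshold=5):
    """Score an HTA body on static indicators of ActiveX-driven command execution.

    Returns a dict with the literal ProgIDs seen, the individual findings, the
    score and a verdict. Weights and threshold are this example's choice.
    """
    findings = []
    score = 0

    progids = [m.group(1) for m in ACTIVEX_RE.finditer(text)]
    shell_objs = sorted({p for p in progids if p.lower() in SHELL_PROGIDS})
    for p in shell_objs:
        findings.append(f"instantiates shell-capable COM object {p}")
        score += 3

    methods = sorted({m.group(1).lower() for m in EXEC_RE.finditer(text)})
    for name in methods:
        findings.append(f"calls .{name}(")
        score += 3

    if HIDDEN_RUN_RE.search(text):
        findings.append("Run() with window style 0 (hidden window)")
        score += 2

    hidden_attrs = sorted({m.group(1).lower() for m in HIDDEN_APP_RE.finditer(text)})
    for attr in hidden_attrs:
        findings.append(f"hta:application {attr} hides the window")
        score += 1

    return {
        "progids": progids,
        "findings": findings,
        "score": score,
        "verdict": "suspicious" if score >= threshold else "no static indicators",
    }


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTA), ("suspicious", SUSPICIOUS_HTA)):
        result = scan_hta(body)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for f in result["findings"]:
            print("  -", f)
```

<p>The caveat a practitioner would add: this is literal-string matching, so a ProgID assembled by concatenation or <code>Chr()</code> calls, or a script body decoded at runtime, slips past it. Treat it as a cheap first pass over files pulled from mail gateways or download logs and pair it with process-creation telemetry (mshta.exe spawning cmd.exe or powershell.exe), which catches the execution regardless of how the HTA was obfuscated.</p>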