
Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

Medium
Published: Fri Jul 25 2025 (07/25/2025, 10:29:02 UTC)
Source: AlienVault OTX General

Description

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files via ActiveX. This method leads to silent payload downloads and ransomware deployment. The campaign uses a ClickFix-themed malware delivery site, urging victims to visit a secondary page where malicious shell commands are executed. The attackers also impersonate various streaming services and use romance-themed lures. Epsilon Red, first observed in 2021, shows some similarities to REvil ransomware in its ransom note styling but appears distinct in its tactics and infrastructure.

AI-Powered Analysis

Last updated: 07/25/2025, 12:47:45 UTC

Technical Analysis

The threat involves a newly observed campaign by the Epsilon Red ransomware group, active since July 2025, leveraging social engineering and drive-by download techniques to infect victims globally. Attackers create fake ClickFix verification web pages that impersonate popular platforms such as Discord, Twitch, and OnlyFans, as well as various streaming services, to lure users into downloading malicious .HTA (HTML Application) files. These .HTA files exploit ActiveX controls to silently execute shell commands and download ransomware payloads without user awareness. The campaign also uses romance-themed lures to increase victim engagement. Epsilon Red ransomware, first seen in 2021, shares ransom note stylistic similarities with REvil ransomware but operates with distinct tactics and infrastructure. The infection chain starts with phishing or social engineering to convince users to run the .HTA files, which then execute commands to deploy the ransomware. Indicators of compromise include specific file hashes, malicious domains (e.g., capchabot.cc, twtich.cc), and IP addresses. The attack leverages techniques such as T1053.005 (Scheduled Task/Job), T1036 (Masquerading), T1027 (Obfuscated Files or Information), T1486 (Data Encrypted for Impact), T1059.003 (Windows Command Shell), T1189 (Drive-by Compromise), T1071.001 (Web Protocols), T1059.005 (Visual Basic), and T1204.001 (User Execution). No known exploits in the wild are reported, but the campaign relies heavily on user interaction and social engineering to succeed.

Potential Impact

For European organizations, this ransomware campaign poses significant risks including data encryption leading to operational disruption, potential data loss, and financial impact due to ransom payments or recovery costs. The use of social engineering targeting popular platforms increases the likelihood of successful infection among employees and users who interact with these services. The silent execution of payloads via ActiveX and .HTA files can bypass some traditional detection mechanisms, leading to delayed incident response. Critical sectors such as finance, healthcare, and media streaming services in Europe could face severe availability and confidentiality impacts. Additionally, the impersonation of well-known platforms may erode user trust and complicate phishing awareness efforts. Given the ransomware's destructive nature, organizations may suffer reputational damage and regulatory penalties, especially under GDPR if personal data is compromised or unavailable.

Mitigation Recommendations

1. Implement strict email and web filtering to block access to known malicious domains and URLs such as capchabot.cc and twtich.cc.
2. Disable or restrict execution of .HTA files and ActiveX controls via group policies or endpoint protection solutions to prevent drive-by downloads and silent execution.
3. Conduct targeted user awareness training focusing on recognizing phishing attempts that impersonate popular platforms and romance-themed lures.
4. Employ application whitelisting to prevent unauthorized execution of scripts and executables, including .HTA files.
5. Monitor for indicators of compromise such as the provided file hashes and IP addresses within network and endpoint detection systems.
6. Regularly back up critical data with offline or immutable backups to ensure recovery without paying ransom.
7. Use endpoint detection and response (EDR) tools to detect suspicious shell command executions and lateral movement attempts.
8. Keep all systems and security solutions updated to reduce attack surface and improve detection capabilities.
9. Limit user privileges to reduce the impact of successful execution of malicious code.
10. Establish incident response plans specific to ransomware attacks, including containment and eradication procedures.
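A detection check in the spirit of recommendations 5 and 7, added here as an example and not code from the OTX pulse or the CloudSEK report: it scans constructed Sysmon-style process-creation and DNS/network event records (field names are assumed) for the Windows HTA host mshta.exe spawning a command shell, the behaviour the analysis attributes to the malicious .HTA files, and for lookups of the domains and connections to the IP addresses the pulse lists.

```python
from collections import namedtuple

# Indicators taken from the pulse's IoC tables (domains and IPs on the page).
IOC_DOMAINS = {"capchabot.cc", "twtich.cc"}
IOC_IPS = {"155.94.155.227", "213.209.150.188"}

# mshta.exe is the Windows host process for .HTA files (assumed as the parent
# of the shell commands the analysis describes). Shells worth flagging when
# spawned by it: the Windows Command Shell (T1059.003) and PowerShell.
HTA_HOST = "mshta.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

Alert = namedtuple("Alert", "rule event")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev):
    """Flag a process-creation event whose parent is the HTA host and whose image is a shell."""
    if basename(ev.get("parent_image", "")) == HTA_HOST and basename(ev.get("image", "")) in SHELLS:
        return Alert("hta_host_spawned_shell", ev)
    return None


def check_network_event(ev):
    """Flag DNS queries for listed domains (or their subdomains) and connections to listed IPs."""
    dom = ev.get("query", "").lower().rstrip(".")  # tolerate a trailing root dot
    if dom in IOC_DOMAINS or any(dom.endswith("." + d) for d in IOC_DOMAINS):
        return Alert("ioc_domain_lookup", ev)
    if ev.get("dest_ip") in IOC_IPS:
        return Alert("ioc_ip_connection", ev)
    return None


def scan(events):
    """Run the matching check over each event and collect the alerts in order."""
    alerts = []
    for ev in events:
        check = check_process_event if ev["type"] == "process" else check_network_event
        hit = check(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs): one HTA-spawned shell, one benign
# shell, one subdomain of a listed domain, one benign lookup, one listed IP.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "query": "verify.twtich.cc"},
    {"type": "network", "query": "example.com"},
    {"type": "network", "dest_ip": "155.94.155.227"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, alert.event)
```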


Technical Details

Author
AlienVault
Tlp
white
References
https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware
Adversary
Epsilon Red
Pulse Id
68835c6e2b2796aec0bd0a60
Threat Score
null

Indicators of Compromise

Hash

2db32339fa151276d5a40781bc8d5eaa
98107c01ecd8b7802582d404e007e493
adf4fe80ccef030466c9d12b4340ea0a3fd02d9a
e0a69439563c8534c2ef842d4ffcb16696f286d16585186de20351892f9917f1

Ip

155.94.155.227
213.209.150.188

Domain

capchabot.cc
twtich.cc

Threat ID: 68837986ad5a09ad00500ac9

Added to database: 7/25/2025, 12:33:10 PM

Last enriched: 7/25/2025, 12:47:45 PM

Last updated: 7/25/2025, 2:51:40 PM
