CloudSEK discovered a new Epsilon Red ransomware campaign targeting users globally via fake ClickFix verification pages. Active since July 2025, threat actors use social engineering and impersonate platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files through ActiveX. This leads to silent payload downloads and ransomware deployment. Users are urged to disable ActiveX, block attacker IPs, and train against such lures.
CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.