Researchers with Symantec have identified a one-click fraud campaign targeting Internet Explorer users in both Japan and China.

The attack involves getting a user to download and run an HTML Application (HTA) file, which Symantec researchers observed occurring on porn video websites, according to a Thursday post.

Upon running the HTA file, a non-terminating pop-up window appears and will reappear if the computer is restarted. It asks users to pay to join an adult website and states that the window will go away if a payment is made.

“This attack only affects Internet Explorer users as HTA files need the mshta.exe engine to execute code, which is available only in Internet Explorer,” the post stated, adding that “infected users can delete the registry entry and any files dropped by the script to remove the pop-up window.”
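As an added illustration of the cleanup step described above (not code from Symantec's post), the following PowerShell lists autorun registry values that launch mshta.exe or reference an .hta file so they can be reviewed before deletion. The post does not name the registry entry, so the Run/RunOnce keys scanned here are an assumption about where the persistence lives.

```powershell
# Added example. Assumption: the pop-up persists through a standard
# Run/RunOnce autorun value; the article does not name the key used.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Match a command line that invokes mshta or points at an .hta file.
$launchPattern = '(?i)\bmshta(\.exe)?\b|\.hta\b'
# Pull out the .hta path, allowing an unexpanded variable such as %APPDATA%.
$pathPattern   = '(?i)((?:[a-z]:|%\w+%)\\[^"]*?\.hta)'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Read the raw data so REG_EXPAND_SZ values are shown as stored.
        $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($data -notmatch $launchPattern) { continue }

        $htaPath = $null
        $exists  = $false
        if ($data -match $pathPattern) {
            $htaPath = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $exists  = Test-Path -LiteralPath $htaPath
        }
        [pscustomobject]@{
            Key        = $key
            ValueName  = $name
            Command    = $data
            HtaFile    = $htaPath
            FileExists = $exists
        }
    }
}

if ($findings) {
    # Review each entry; legitimate software occasionally uses HTA launchers.
    $findings | Format-List
} else {
    Write-Output 'No autorun values referencing mshta.exe or .hta files were found.'
}
```

The script only reports. After confirming an entry is unwanted, remove that value with `Remove-ItemProperty` and delete the listed file.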