
Epsilon Red

Epsilon Red is a ransomware family first observed in 2021. It was identified by Sophos as a Go-based ransomware used as the final payload in a hand-controlled intrusion against a U.S. hospitality organization. In that intrusion, the attackers likely gained initial access through an unpatched Microsoft Exchange server, potentially via the ProxyLogon exploit chain, then used WMI to deploy tooling and execute a PowerShell orchestrator named RED.ps1 across reachable Windows hosts. RED.ps1 unpacked a 7z archive into system32, created scheduled tasks to run multiple scripts, and prepared systems for encryption by deleting shadow copies, clearing Windows event logs, disabling protections including Windows Defender, killing processes and services associated with security, backup, database, and business software, and modifying Windows Firewall rules to block most inbound TCP ports while leaving 3389/TCP and 5650/TCP open. The intrusion also involved installation of Remote Utilities and Tor Browser, and Sophos assessed an ancillary p.exe binary as a custom-compiled version of the open-source EventCleaner tool.
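The preparatory steps described above (shadow-copy deletion, event-log clearing, two-minute SYSTEM scheduled tasks, Defender disabled via DisableAntiSpyware, inbound firewall blocking) are individually noisy but rarely co-occur on a healthy host. The following is an added detection example, not code from Mallory or Sophos: it scores constructed process-creation events per host and alerts when several of these behaviours appear together. The netsh and reg command forms are assumptions, since the write-up names the effects rather than the exact commands.

```python
import re
from collections import defaultdict

# Pre-encryption behaviours the Sophos write-up attributes to the RED.ps1 helper scripts.
# Each entry is a case-insensitive regex over a process command line.
# The netsh and reg forms are assumptions: the report names the effect, not the command.
BEHAVIOURS = {
    "shadow_copy_deletion": r"(vssadmin|wbadmin)(\.exe)?\s+delete\s+(shadows|catalog|backup)",
    "event_log_clearing": r"wevtutil(\.exe)?\s+(cl|clear-log)\s",
    "system_task_every_minutes": r"schtasks(\.exe)?\s+/create(?=.*\s/sc\s+minute)(?=.*\s/ru\s+system)",
    "defender_disabled": r"reg(\.exe)?\s+add\s.*DisableAntiSpyware",
    "firewall_inbound_block": r"netsh\s+advfirewall\s+firewall\s+add\s+rule(?=.*dir=in)(?=.*action=block)",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in BEHAVIOURS.items()}

def classify(cmdline):
    """Return the set of behaviour names a single command line matches."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}

def score_hosts(lines, threshold=3):
    """Group 'timestamp|host|user|cmdline' events by host and return the hosts
    showing at least `threshold` distinct behaviours, each with its sorted list."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split("|", 3)          # maxsplit keeps any '|' inside the command line
        if len(parts) != 4:
            continue                        # malformed line: skip rather than abort the sweep
        _ts, host, _user, cmdline = parts
        seen[host] |= classify(cmdline)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

# Constructed sample events (not real telemetry), modelled on the scripts described above.
SAMPLE_EVENTS = [
    "2021-05-14T02:11:03Z|WS01|SYSTEM|vssadmin.exe delete shadows /all /quiet",
    "2021-05-14T02:11:05Z|WS01|SYSTEM|wevtutil.exe clear-log Security",
    '2021-05-14T02:11:07Z|WS01|SYSTEM|schtasks.exe /create /tn "1" /tr c:\\windows\\system32\\1.ps1 /sc minute /mo 2 /ru SYSTEM',
    '2021-05-14T02:11:09Z|WS01|SYSTEM|netsh advfirewall firewall add rule name="blk" dir=in action=block protocol=TCP localport=1-3388',
    '2021-05-14T02:11:11Z|WS01|SYSTEM|reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    "2021-05-14T02:12:00Z|WS02|alice|schtasks.exe /create /tn backup /tr backup.cmd /sc daily /ru alice",
    "2021-05-14T02:12:30Z|WS02|alice|wevtutil.exe qe Application /c:5",
]

if __name__ == "__main__":
    for host, behaviours in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

Only WS01 trips the threshold; WS02's daily task and event-log query are benign and match nothing.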

The ransomware payload, RED.exe, is a 64-bit Windows executable written in Go, compiled with MinGW, and packed with a modified UPX runtime packer. It uses code from the open-source godirwalk project to enumerate directories and encrypt subfolders in parallel by spawning child processes. It does not make network connections itself and relies on the surrounding PowerShell tooling for preparatory actions. Encrypted files are appended with the .epsilonred extension, and a ransom note is dropped in each folder. Victims were directed to communicate with the operators via the clearnet site epsilons[.]red. Sophos reported the ransom note resembles REvil’s styling, but noted no other obvious similarities beyond that. Based on a cryptocurrency address in the ransom note, Sophos linked at least one victim payment of 4.29 BTC on May 15.

More recent reporting links Epsilon Red to ClickFix-style delivery infrastructure. CloudSEK identified a ClickFix-themed malware delivery site associated with Epsilon Red ransomware activity in which victims were redirected to a secondary page that used ActiveXObject("WScript.Shell") to silently execute Windows shell commands. The observed script changed the working directory to %userprofile%, downloaded a payload from http://155.94.155[.]227:2269/dw/vir.exe via curl, saved it as a.exe, executed it with a hidden window, and displayed a fake verification message as social-engineering cover. CloudSEK reported related infrastructure impersonating Discord Captcha Bot and services such as Kick, Twitch, Rumble, and OnlyFans, and identified delivery domains including twtich[.]cc and capchabot[.]cc. Reported indicators include MD5 98107c01ecd8b7802582d404e007e493 for an Epsilon Red sample, the payload-hosting/C2 endpoint 155.94.155[.]227:2269, and 213.209.150[.]188:8112. Separate reporting also noted that Discord was spoofed in July 2025 for Epsilon Red ransomware distribution.

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2021-26855: ProxyLogon SSRF in Microsoft Exchange Server

Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red. ... The ransomware itself, called RED.exe, is a 64-bit Windows executable programmed in the Go language...

via Sophos Threat Research (news.sophos.com)
MITRE ATT&CK: Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (1 technique)

T1190 Exploit Public-Facing Application (evidence: 1)

"It appears that an enterprise Microsoft Exchange server was the initial point of entry... It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server."

Execution (3 techniques)

T1047 Windows Management Instrumentation (evidence: 1)

"From that machine, the attackers used WMI to install other software onto machines inside the network..." and "RED.ps1 ... was executed on the target machines using WMI."

T1053.005 Scheduled Task (evidence: 1)

"It also sets up Scheduled Tasks that run the scripts numbered 1 through 12..." and example schtasks.exe /create ... /sc minute /mo 2 /ru SYSTEM

T1059.001 PowerShell (evidence: 1)

"...every other early-stage component was a PowerShell script." and "the threat actors launched a series of PowerShell scripts... that prepared the attacked machines for the final ransomware payload"

Persistence (1 technique)

T1053.005 Scheduled Task (evidence: 1)

"It also sets up Scheduled Tasks that run the scripts numbered 1 through 12..." and example schtasks.exe /create ... /sc minute /mo 2 /ru SYSTEM

Privilege Escalation (1 technique)

T1053.005 Scheduled Task (evidence: 1)

"It also sets up Scheduled Tasks that run the scripts numbered 1 through 12..." and example schtasks.exe /create ... /sc minute /mo 2 /ru SYSTEM

Stealth (3 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

"The PowerShell scripts also use a rudimentary form of obfuscation... added in some square brackets and braces... then use a command that strips out those brackets."

T1070 Indicator Removal (evidence: 1)

"The red.ps1 script also deletes itself, the .7z archive, and the local copy of 7zip from the system when it runs, removing key evidence."

T1070.001 Clear Windows Event Logs (evidence: 1)

"5.ps1 ... delete Windows Event Logs" and "p.exe ... EventCleaner ... to erase or manipulate the contents of Windows event logs" and "wevtutil.exe clear-log ..."

Discovery (1 technique)

T1083 File and Directory Discovery (evidence: 1)

"...code taken from ... godirwalk ... ability to scan the hard drive ... for directory paths and compile them into a list."

Lateral Movement (1 technique)

T1021.001 Remote Desktop Protocol (evidence: 1)

"...modify the Windows Firewall rules such that the firewall blocks inbound connections on all TCP ports except ... Remote Desktop Protocol’s 3389/tcp"

Command and Control (1 technique)

T1219 Remote Access Tools (evidence: 1)

"...download and install a copy of Remote Utilities and the Tor Browser..." and "The installer was named rutserv.exe"

Impact (3 techniques)

T1486 Data Encrypted for Impact (evidence: 1)

"The ransomware then ... encrypts each subfolder separately..." and "After it encrypts each file, it appends a file suffix of '.epsilonred'"

T1489 Service Stop (evidence: 1)

"1.ps1 ... attempts to kill them" (lists many process name substrings) and "10.ps1 ... suspends the processes..."

T1490 Inhibit System Recovery (evidence: 1)

"2.ps1 ... deleted the Volume Shadow Copies"; "4.ps1 then attempts to delete the Volume Shadow Copies using a different method"; "11.ps1 ... delete Volume Shadow Copies ... wbadmin delete backup ... delete catalog"

Other (2 techniques)

T1562.001 Disable or Modify Tools (evidence: 1)

"6.ps1 ... disables Windows defender by setting... DisableAntiSpyware" and "9.ps1 ... attempts to invoke the Uninstaller for security software..."

T1562.004 Disable or Modify System Firewall (evidence: 1)

"...executes commands that modify the Windows Firewall rules such that the firewall blocks inbound connections on all TCP ports except..."
