RedAlert
RedAlert is a name applied to at least two distinct pieces of malware, and the two should not be confused. The first is a ransomware family: a Linux locker variant targeting VMware ESXi servers. Researchers report significant overlap between the encryption implementation in RedAlert and that of the PolyVice ransomware variant, suggesting both were developed by the same developer or developer group. RedAlert is also listed among ransomware families observed targeting ESXi environments, and Microsoft reportedly stated that Vice Society adopted the RedAlert variant in late September 2022; Vice Society has a history of deploying third-party lockers, RedAlert among them.
The second is a malicious Android APK observed by Palo Alto Networks Unit 42. The APK impersonated Israel's official missile alert application and was distributed via Hebrew-language SMS links. Once installed, it collected sensitive device and user data, including contacts, SMS logs, IMEI numbers, and email credentials, and reportedly used encrypted exfiltration and anti-analysis protections.
Because the same name covers both an ESXi-targeting ransomware locker and a trojanized Android APK, attribution and classification should keep the two apart: an indicator, detection rule, or actor attribution for one does not transfer to the other. The high-confidence facts are that RedAlert has been associated with VMware ESXi-targeting ransomware activity and, separately, with an Android impersonation campaign that used SMS-based delivery and stole device and account data.
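A practical first check for a suspected impersonation APK of the kind described above is to compare the permissions it requests against what a push-based alert app plausibly needs. The script below is an added example and is not code from this page, from Unit 42, or from any vendor. It assumes the APK's AndroidManifest.xml has already been decoded to text (for example with apktool); the two manifests, the package name, the capability-to-permission mapping, and the baseline permission set are all constructed for this example and are not taken from a real sample.

```python
"""Permission-based triage for a suspected trojanized alert app.

Added example (not from the page or any vendor report). Assumes the
APK's AndroidManifest.xml has already been decoded to text, e.g. with
apktool. Manifests and baselines below are constructed, not real samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that back the data-theft behaviour described for the APK:
# contacts, SMS logs, IMEI (phone state) and account enumeration.
# The grouping is this example's assumption, not taken from a sample.
THEFT_CAPABILITIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},
    "accounts": {"android.permission.GET_ACCOUNTS",
                 "android.permission.AUTHENTICATE_ACCOUNTS"},
}

# Baseline a legitimate alert app plausibly requests (assumption).
EXPECTED_ALERT_APP_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.VIBRATE",
}


def extract_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name value of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def triage(manifest_xml: str) -> dict:
    """Classify a manifest by the theft capabilities its permissions enable.

    One capability alone (READ_PHONE_STATE is common in benign apps) only
    earns "review"; two or more in an app claiming to be an alert client
    is treated as "suspicious".
    """
    perms = extract_permissions(manifest_xml)
    capabilities = sorted(cap for cap, needed in THEFT_CAPABILITIES.items()
                          if perms & needed)
    unexpected = sorted(perms - EXPECTED_ALERT_APP_PERMISSIONS)
    if len(capabilities) >= 2:
        verdict = "suspicious"
    elif capabilities:
        verdict = "review"
    else:
        verdict = "consistent"
    return {"theft_capabilities": capabilities,
            "unexpected_permissions": unexpected,
            "verdict": verdict}


# Constructed manifests (not real samples). The first is what a genuine
# alert app might request; the second adds what contact, SMS, IMEI and
# account theft would need.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>
"""

TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST),
                            ("trojanized", TROJANIZED_MANIFEST)):
        print(label, triage(manifest))
```

The permission check is a triage signal, not a verdict on its own: a decoded manifest cannot show SMS-link delivery, encrypted exfiltration, or anti-analysis code, so a "suspicious" result should send the sample to static and dynamic analysis rather than close the case.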
Groups observed using it
1 distinct threat actor attributed by public researchers.
We identified significant overlap in the encryption implementation observed in the “RedAlert” ransomware, a Linux locker variant targeting VMware ESXi servers, suggesting that both variants were developed by the same group of individuals.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: network infrastructure (IPs, domains, and DNS) and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A third-party ransomware locker delivered in Vice Society attacks.
Malicious Android APK masquerading as Israel’s official missile alert application, distributed via Hebrew-language SMS links. It harvests device/user data (contacts, SMS logs, IMEI) and email credentials, and uses encrypted exfiltration plus anti-analysis protections.
A non-Babuk-based ransomware strain targeting VMware ESXi virtual machines.