Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Scarlet Mimic (0da10682-85c6-4c0b-bace-ba1f7adfb63e)	Threat Actor	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3