Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	1
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Scarlet Mimic (0da10682-85c6-4c0b-bace-ba1f7adfb63e)	Threat Actor	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3