Skip to content

Hide Navigation Hide TOC

Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

Cluster A Galaxy A Cluster B Galaxy B Level
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) Attack Pattern Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set 1
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set 1
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set 1
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 1
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set 1
Scarlet Mimic (0da10682-85c6-4c0b-bace-ba1f7adfb63e) Threat Actor Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set 1
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware 2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 2
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 3