Skip to content

Hide Navigation Hide TOC

Scarlet Mimic (0da10682-85c6-4c0b-bace-ba1f7adfb63e)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same. The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved. The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC. Scarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.

Cluster A Galaxy A Cluster B Galaxy B Level
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set Scarlet Mimic (0da10682-85c6-4c0b-bace-ba1f7adfb63e) Threat Actor 1
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware 2
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) Attack Pattern 2
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware 2
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 2
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) Intrusion Set FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware 2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) Malware 3
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware 3
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 3
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) Malware 3
Protocol Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware 3
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 3
FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Protocol Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4