Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [1]

ID: G0029
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1036 .002 Masquerading: Right-to-Left Override

Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.[1]


ID Name References Techniques
S0077 CallMe [1] Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Ingress Tool Transfer
S0076 FakeM [1] Data Obfuscation: Protocol Impersonation, Encrypted Channel: Symmetric Cryptography, Input Capture: Keylogging, Non-Application Layer Protocol
S0079 MobileOrder [1] Browser Information Discovery, Data from Local System, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Process Discovery, System Information Discovery
S0078 Psylo [1] Application Layer Protocol: Web Protocols, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer