Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. ^[1]

ID: G0029

Version: 1.2

Created: 31 May 2017

Last Modified: 25 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1036	.002	Masquerading: Right-to-Left Override	Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.^[1]

Software

ID	Name	References	Techniques
S0077	CallMe	^[1]	Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Ingress Tool Transfer
S0076	FakeM	^[1]	Data Obfuscation: Protocol or Service Impersonation, Encrypted Channel: Symmetric Cryptography, Input Capture: Keylogging, Non-Application Layer Protocol
S0079	MobileOrder	^[1]	Browser Information Discovery, Data from Local System, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Process Discovery, System Information Discovery
S0078	Psylo	^[1]	Application Layer Protocol: Web Protocols, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer

References

Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

Scarlet Mimic

Enterprise Layer

Techniques Used

Software

References