

Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It shares characteristics with FakeM. [1]

ID: S0078
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Psylo exfiltrates data to its C2 server over the same protocol it uses for C2 communications. [1]
Enterprise | T1083 | File and Directory Discovery | Psylo has commands to enumerate all storage devices and to find all files whose names start with a particular string. [1]
Enterprise | T1105 | Remote File Copy | Psylo has a command to download a file from its C2 server to the compromised system. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Psylo uses HTTPS for C2. [1]
Enterprise | T1099 | Timestomp | Psylo has a command to timestomp a specified file by setting its timestamps to match those of a system file in the System32 directory. [1]
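The T1099 entry above describes the one behaviour on this page that is cheap to reproduce and to hunt for: a file's timestamps are copied from a legitimate System32 file so that the dropped file blends in with a directory listing. The script below is an added example written for this page; it is not Psylo's code and not from the cited report. It stomps a constructed "payload" file to match a constructed stand-in for a System32 DLL (the function and file names stomp_timestamps, find_exact_mtime_matches, mtime_precedes_ctime, kernel32.dll, svchost.tmp and notes.txt are all assumptions made here), then applies two detection heuristics that work against exactly this technique: an exact, nanosecond-level modification-time match with a file in the reference directory, and a modification time that precedes the file's ctime by more than a small slack.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed helper names throughout; nothing here is the malware's own code.

def stomp_timestamps(target, reference):
    """Copy atime/mtime from `reference` onto `target`.

    This is the portable core of T1099. os.utime cannot set the NTFS
    creation time; doing that on Windows needs kernel32!SetFileTime, which
    only rewrites $STANDARD_INFORMATION, not the $FILE_NAME attribute.
    """
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def find_exact_mtime_matches(scan_dir, reference_dir):
    """Return (scanned_file, reference_file) pairs whose mtime agrees to the
    nanosecond. Unrelated files almost never share an exact mtime with a
    system binary; a copied timestamp does."""
    ref_index = {}
    for p in Path(reference_dir).iterdir():
        if p.is_file():
            ref_index.setdefault(p.stat().st_mtime_ns, p)
    hits = []
    for p in Path(scan_dir).iterdir():
        if p.is_file():
            ref = ref_index.get(p.stat().st_mtime_ns)
            if ref is not None:
                hits.append((p, ref))
    return hits


def mtime_precedes_ctime(path, slack_s=1.0):
    """True when the file claims to have been modified well before its ctime.

    On Windows st_ctime is the creation time, so this is the classic
    "modified before it was created" tell. On POSIX st_ctime is the inode
    change time, which utime() itself bumps, so a stomp trips the same rule.
    """
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack_s


def demo():
    """Build a constructed scenario in a temp dir and run both heuristics."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp, "System32")       # stand-in for C:\Windows\System32
        drop = Path(tmp, "drop")            # where the payload was written
        sys32.mkdir()
        drop.mkdir()

        ref = sys32 / "kernel32.dll"        # constructed, not the real DLL
        ref.write_bytes(b"MZ")
        old_ns = time.time_ns() - 400 * 24 * 3600 * 10**9   # ~400 days ago
        os.utime(ref, ns=(old_ns, old_ns))

        payload = drop / "svchost.tmp"      # constructed "dropped" file
        payload.write_bytes(b"payload")
        benign = drop / "notes.txt"         # constructed control file
        benign.write_bytes(b"hello")

        stomp_timestamps(payload, ref)      # the T1099 action

        hits = find_exact_mtime_matches(drop, sys32)
        return {
            "hits": [(h.name, r.name) for h, r in hits],
            "payload_flag": mtime_precedes_ctime(payload),
            "benign_flag": mtime_precedes_ctime(benign),
        }


if __name__ == "__main__":
    print(demo())
```

Both heuristics are deliberately conservative: the exact-match test produces no hits on files that were merely written around the same time as a Windows update, and the ctime rule ignores sub-second skew. On a real NTFS volume the stronger check is the one this script cannot do from user mode: compare the $STANDARD_INFORMATION timestamps (what SetFileTime rewrites) with the $FILE_NAME timestamps in the MFT record, which the stomp leaves untouched.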

Groups That Use This Software

ID | Name | References
G0029 | Scarlet Mimic | [1]