Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) | Intrusion Set | Scarlet Mimic (0da10682-85c6-4c0b-bace-ba1f7adfb63e) | Threat Actor | 1 |
| Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) | Intrusion Set | MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | 1 |
| Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) | Intrusion Set | FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) | Malware | 1 |
| Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) | Intrusion Set | Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) | Attack Pattern | 1 |
| Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) | Intrusion Set | CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) | Malware | 1 |
| Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7) | Intrusion Set | Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) | Malware | 1 |
| MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 2 |
| Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) | Attack Pattern | MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | 2 |
| MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | 2 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | 2 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | 2 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | 2 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4) | Malware | 2 |
| Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) | Attack Pattern | FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) | Malware | 2 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) | Malware | 2 |
| FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) | Malware | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 2 |
| FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921) | Malware | Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) | Attack Pattern | 2 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) | Malware | 2 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) | Malware | 2 |
| CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 2 |
| CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5) | Malware | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 2 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) | Malware | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) | Malware | 2 |
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) | Malware | 2 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) | Malware | 2 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b) | Malware | 2 |
| Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) | Attack Pattern | Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) | Attack Pattern | 3 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 3 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 3 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 3 |