Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Scarlet Mimic (0da10682-85c6-4c0b-bace-ba1f7adfb63e)	Threat Actor	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	1
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	1
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	1
Scarlet Mimic - G0029 (c5574ca0-d5a4-490a-b207-e4658e5fd1d7)	Intrusion Set	CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	1
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
Psylo - S0078 (dfb5fa9b-3051-4b97-8035-08f80aef945b)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	MobileOrder - S0079 (463f68f1-5cde-4dc2-a831-68b73488f8f4)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	2
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	FakeM - S0076 (bb3c1098-d654-4620-bf40-694386d28921)	Malware	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	2
CallMe - S0077 (cb7bcf6f-085f-41db-81ee-4b68481661b5)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3