Skip to content

G0029 Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. 1

Item Value
ID G0029
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1036 Masquerading -
enterprise T1036.002 Right-to-Left Override Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.1


ID Name References Techniques
S0077 CallMe - Unix Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Ingress Tool Transfer
S0076 FakeM - Protocol Impersonation:Data Obfuscation Symmetric Cryptography:Encrypted Channel Keylogging:Input Capture Non-Application Layer Protocol
S0079 MobileOrder - Browser Bookmark Discovery Data from Local System Exfiltration Over C2 Channel File and Directory Discovery Ingress Tool Transfer Process Discovery System Information Discovery
S0078 Psylo - Web Protocols:Application Layer Protocol Exfiltration Over C2 Channel File and Directory Discovery Timestomp:Indicator Removal on Host Ingress Tool Transfer


Back to top