
S0078 Psylo

Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has characteristics similar to those of FakeM. [1]

| Item | Value |
|---|---|
| ID | S0078 |
| Associated Names | |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Psylo uses HTTPS for C2. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Psylo exfiltrates data to its C2 server over the same protocol as C2 communications. [1] |
| enterprise | T1083 | File and Directory Discovery | Psylo has commands to enumerate all storage devices and to find all files that start with a particular string. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.006 | Timestomp | Psylo has a command to conduct timestomping by setting a specified file's timestamps to match those of a system file in the System32 directory. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Psylo has a command to download a file to the system from its C2 server. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0029 | Scarlet Mimic | [1] |