{
	"id": "7e7b2bda-2bf4-4cb5-b675-c3ed239c75f9",
	"created_at": "2026-04-23T02:53:57.531795Z",
	"updated_at": "2026-04-25T02:18:47.292765Z",
	"deleted_at": null,
	"sha1_hash": "10d4af6005171e665ebfc907f4b611a1a95f0e23",
	"title": "7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161640,
	"plain_text": "7 Years of Scarlet Mimic’s Mobile Surveillance Campaign\r\nTargeting Uyghurs\r\nBy etal\r\nPublished: 2022-09-22 · Archived: 2026-04-23 02:22:56 UTC\r\nIntroduction\r\nIn 2022, Check Point Research (CPR) observed a new wave of a long-standing campaign targeting the Uyghur\r\ncommunity, a Turkic ethnic group originating from Central Asia, one of the largest minority ethnic groups in\r\nChina. This malicious activity, which we attributed to the threat actor Scarlet Mimic, was first brought to light\r\nback in 2016.\r\nSince then, CPR has observed the group using more than 20 different variations of their Android malware,\r\ndisguised in multiple Uyghur-related baits such as books, pictures, and even an audio version of the Quran, the\r\nholy text of the Islamic faith. The malware is relatively unsophisticated from a technical standpoint. However, its\r\ncapabilities allow the attackers to easily steal sensitive data from the infected device, as well as perform calls or\r\nsend an SMS on the victim’s behalf and track their location in real-time. Also, it allows audio recording of\r\nincoming and outgoing calls, as well as surround recording. All this makes it a powerful and dangerous\r\nsurveillance tool.\r\nIn this report, we present a technical analysis and describe the evolution of the campaign in the last seven years.\r\nAlthough a small part of this campaign was briefly discussed in Cyble’s publication as an isolated and unattributed\r\nincident, in this article we put the whole campaign in perspective and outline almost a decade’s worth of persistent\r\nefforts in phone surveillance of the Uyghur community.\r\nOverview of the campaign\r\nSince 2015, CPR has identified more than 20 samples of Android spyware called MobileOrder, with the latest\r\nvariant dated mid-August 2022. 
As there are no indications that any of them were distributed through the Google Play Store, we can assume the malware is distributed by other means, most likely through social engineering campaigns. In most cases, the malicious applications masquerade as PDF documents, photos, or audio files. When the victim opens the decoy content, the malware begins to perform extensive surveillance actions in the background. These include stealing sensitive data such as device information, SMS messages and call logs, the device location, and files stored on the device. The malware is also capable of actively executing commands to run a remote shell, take photos, perform calls, manipulate SMS messages, call logs and local files, and record the surrounding sound.\r\nhttps://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/\r\nPage 1 of 25\n\nFigure 1 – MobileOrder malware samples observed in the wild.\r\nAll the samples are based on the code of the MobileOrder malware from 2015, although over the ensuing years some changes were introduced by the developers. A few of these changes were clearly made to reduce the chances of the malware being detected by security solutions: the malware authors experimented with ways to hide the malicious strings (which reveal the malware’s intentions), first by moving them to the resources section, and later by encoding them in base64.\r\nThe actors also added a few adjustments and features to gather more information from their victims’ devices. One new aspect is the move from the AMAP SDK, an Android SDK used to obtain geolocation, to the standard Android LocationListener implementation. 
This allows the attackers to track their target’s location in real time instead of on demand.\r\nFigure 2 – Evolution of the Android malware.\r\nThe MobileOrder malware, despite being actively used and updated, still does not support modern Android OS features, such as runtime permissions or the newer intent-based flow for APK installation, and does not use techniques common to most modern malware such as abusing the Accessibility Service, requesting exemption from battery optimization, etc.\r\nWe are not able to identify which attacks have been successful; however, the fact that the threat actors continue to develop and deploy the malware for so many years suggests that they have been successful in at least some of their operations.\r\nTechnical analysis\r\nWhen the victim opens the lure, whether it is a document, picture, or audio file, it actually launches the malicious application, which in turn opens a decoy document to distract the victim from the malicious actions running in the background. Some of the versions also ask for Device Admin and root access, which not only gives the malware full access to the device, but also prevents the victim from easily uninstalling the application:\r\nFigure 3 – Device admin activation and superuser request.\r\nThe malware then hides its icon and launches two services: core and open. 
The open service is responsible for showing the victim the decoy content (a PDF file, an image or an audio recording), which is stored in res/raw/, res/drawable/ or assets:\r\nFigure 4 – Malware code that displays a decoy picture, from the February 2022 version.\r\nThe core service launches the Communication thread, which connects to the C\u0026C (command \u0026 control) server and processes the commands received, and the KeepAlive thread, which periodically triggers a connection to the server and relaunches the parent service.\r\nFigure 5 – The service that starts the Communication and KeepAlive threads.\r\nHowever, the KeepAlive thread is not the only component responsible for keeping the malware active. The malware developer also created a BroadcastReceiver that starts the core service. The triggers for this receiver are numerous actions registered in the AndroidManifest, making sure the malware stays active at all times.\r\nFigure 6 – AndroidManifest.xml specifying the triggers for the BroadcastReceiver that is responsible for keeping the malware alive.\r\nC\u0026C Communication\r\nDepending on the sample, the malware can use a hardcoded list of C\u0026C servers, dead drop resolvers, or both. First, the malware starts the process of resolving the C\u0026C server, which includes decoding the built-in C\u0026C addresses and, where defined, extracting the C\u0026C server from dead drop resolvers that point to additional C\u0026C infrastructure.\r\nFigure 7 – The malware decodes the hardcoded C\u0026C domains and 
the C\u0026C server from the dead drop resolver.\r\nThe use of dead drop resolvers helps prevent the infrastructure from being easily discovered through static analysis, but also provides operational resiliency, as the infrastructure can be changed dynamically. All the versions of the malware that make use of dead drop resolvers query different posts on the Chinese Sina blog platform.\r\nDead drop resolvers\r\nFirst, the malware requests a specific blog page:\r\nFigure 8 – Dead drop resolver on a Sina blog post.\r\nThen it searches the received HTML for a specific regex pattern that matches a base64-encoded string, and decodes it to get the real C\u0026C IP address and port.\r\nFigure 9 – The code responsible for regex pattern matching of the dead drop resolvers.\r\nIn this specific example, the string MjA5Ljk3LjE3My4xMjQ6MjY3NQ== is decoded to 209.97.173.124:2675. The malware then creates a socket connection to the specified IP and port.\r\nEncryption\r\nTo secure communication with the C\u0026C server, the malware encrypts the data with AES. The key is generated at runtime from an encrypted passphrase inside the dex by calculating its MD5 digest. An MD5 digest is 16 bytes, i.e. an AES-128 key, so anyone who recovers the passphrase from the dex can derive the same key and decrypt captured traffic.\r\nFigure 10 – AES key generation.\r\nCommand execution\r\nAfter successfully connecting to the C\u0026C, the malware processes commands from the remote server. 
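The following is an added example, written for this page and not code from the Check Point report or from the MobileOrder malware. It reproduces in Python the three mechanics described in the C&C Communication, Dead drop resolvers, Encryption and Command execution sections: extracting a base64-encoded IP:port from a fetched blog page, deriving the AES key as the MD5 digest of the passphrase, and splitting the command stream into command ID, argument size and encrypted arguments. The blog HTML, the passphrase, the 4-byte big-endian integer widths and the minimum base64 run length are constructed assumptions; the only values taken from the report are the base64 string MjA5Ljk3LjE3My4xMjQ6MjY3NQ== and the command IDs. No network request and no AES decryption is performed.

```python
import base64
import hashlib
import ipaddress
import re
import struct

# Constructed stand-in for a Sina blog page; the real page is not reproduced.
# The only part taken from the report is the base64 string it decodes (Figure 9).
SAMPLE_BLOG_HTML = (
    '<html><body><div class=blog_text>'
    'Posted today. <span id=c2>MjA5Ljk3LjE3My4xMjQ6MjY3NQ==</span></div>'
    '</body></html>'
)

# Assumption: the resolver looks for a base64 run of at least 16 characters.
# The exact regex used by the malware is not shown in the report.
B64_RUN = re.compile('[A-Za-z0-9+/]{16,}={0,2}')


def resolve_dead_drop(html):
    '''Return (ip, port) for the first base64 run that decodes to a valid endpoint.'''
    for match in B64_RUN.finditer(html):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode('ascii')
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not printable text: keep scanning
        host, sep, port = decoded.rpartition(':')
        if not sep or not port.isdigit():
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        if 0 < int(port) < 65536:
            return host, int(port)
    return None


def derive_aes_key(passphrase):
    '''MD5 of the passphrase, as the report describes: 16 bytes, an AES-128 key.
    Assumption: the passphrase is UTF-8 encoded before hashing.'''
    return hashlib.md5(passphrase.encode('utf-8')).digest()


# Assumption: command ID and argument size are 4-byte big-endian integers.
# The report only gives the read order (command, argument size, encrypted
# arguments); the integer widths are not shown.
HEADER = struct.Struct('>II')

COMMANDS = {  # subset of the command table in the report
    64: 'list files', 69: 'upload files', 71: 'upload SMS',
    77: 'start audio recording', 79: 'start GPS location updates',
    87: 'run shell command', 97: 'update C2 list',
}


def parse_frames(stream):
    '''Split a byte stream into (command_id, description, encrypted_args) tuples.'''
    frames = []
    offset = 0
    while offset + HEADER.size <= len(stream):
        cmd, size = HEADER.unpack_from(stream, offset)
        offset += HEADER.size
        if offset + size > len(stream):
            raise ValueError('truncated frame for command %d' % cmd)
        args = stream[offset:offset + size]  # still encrypted at this point
        offset += size
        frames.append((cmd, COMMANDS.get(cmd, 'unknown'), args))
    if offset != len(stream):
        raise ValueError('trailing bytes after last frame')
    return frames


def build_frame(cmd, encrypted_args):
    '''Inverse of parse_frames, used only to construct the sample stream.'''
    return HEADER.pack(cmd, len(encrypted_args)) + encrypted_args


# Constructed sample stream: two frames whose argument bytes stand in for ciphertext.
SAMPLE_STREAM = build_frame(79, bytes(16)) + build_frame(87, bytes(range(32)))

if __name__ == '__main__':
    print(resolve_dead_drop(SAMPLE_BLOG_HTML))
    print(derive_aes_key('example-passphrase').hex())
    for cmd, name, args in parse_frames(SAMPLE_STREAM):
        print(cmd, name, len(args), 'encrypted argument bytes')
```

Run it directly to print the resolved endpoint, the derived key and the parsed frames. For a real sample, feed resolve_dead_drop the page fetched from one of the dead drop URLs in the IOC table and derive_aes_key the passphrase recovered from the dex, then decrypt each frame's argument bytes with that key; the cipher mode and IV are not stated in the report, so confirm them in the sample before decrypting.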
The malware first reads a command ID, then an argument size, and finally the actual encrypted arguments.\r\nThis is the full list of commands (command ID – description):\r\n64 – Send a list of files from the specified path.\r\n65 – Send a list of processes running on the device.\r\n67 – Send device and connectivity information (IMEI, phone number, network type, accounts, installed applications, browser history and others).\r\n68 – Delete specific files on the device.\r\n69 – Upload files from a specified path on the device to the C\u0026C server.\r\n70 – Download files from the C\u0026C server (any file type).\r\n71 – Upload all SMS messages.\r\n72 – Upload all contacts.\r\n73 – Upload all call logs.\r\n74 – Take a photo with the camera.\r\n77 – Start an audio recording task (immediately or at a specified time).\r\n78 – Start “network” location updates and send the cell location info immediately.\r\n79 – Start “GPS” location updates.\r\n82 – Install an APK (silently or via the UI).\r\n83 – Uninstall an application (silently or via the UI).\r\n84 – Execute “chmod -R 777” on a specific path via su.\r\n85 – Launch a specific application on the device.\r\n86 – Send a broadcast with a specific action to trigger other applications.\r\n87 – Run a shell command.\r\n88 – Change the minimum time interval between location updates.\r\n89 – Disable location tracking.\r\n91 – Check if the screen is on.\r\n92 – Send an SMS to a specific number.\r\n93 – Delete a specific SMS.\r\n94 – Perform a call to a specific number.\r\n96 – Delete a specific call log entry.\r\n97 – Update the C\u0026C list.\r\n98 – Take a screenshot.\r\nAs we can see from this list, the malware contains stealer functionality to upload all kinds of sensitive data from the device (device info, SMS, calls, location, etc.), but also provides RAT functionality by executing active commands on the device such as a remote shell, file download, taking photos, performing calls, manipulating the SMS and call logs, etc. In the next sections, we analyze the most important functions.\r\nSMS and call log manipulation\r\nThe malware has commands to upload all the SMS messages and call logs to the attackers’ server. In addition, it provides the functionality to send text messages or perform a call to a specific number. This allows the actors to conduct further malicious activity against additional targets by impersonating the current victim, using their name, phone number and credibility, which drastically increases the chances of success.\r\nTo hide these actions from the victim, the attackers may use commands to remove the latest messages or call log entries so that no traces of their interactions with third parties are left on the device.\r\nFigure 11 – Malware code responsible for placing calls / sending SMS from a victim’s device, and functions that cover the evidence of these actions.\r\nLocation tracking\r\nThe malware can collect the victim’s device location and track its changes over time. When it is launched, the malware registers a location listener, which means Android will trigger this listener every time the location changes.\r\nThe malware collects latitude, longitude, altitude, speed, bearing, accuracy, and the provider (GPS or network) that supplied these results. It also tries to convert the current location from latitude and longitude coordinates to a physical address using the Geocoder class. The amount of detail and the precision of this reverse geocoding process may vary. For example, one set of coordinates can be translated to the full street address of the closest building, while another might yield only a city name and a postal code.\r\nThe geolocation data is immediately sent by the spyware to the remote server. 
Additionally, the malicious application writes this data with a timestamp to a file called map.dat, thereby continuously collecting and saving the victim’s geolocation. Even if the internet connection on the victim’s device or the connection to the C\u0026C server is unavailable, the file with all the geolocation information is continuously updated and is uploaded to the attacker-controlled server when the connection is restored.\r\nFigure 12 – Location update processing and reverse geocoding.\r\nThe attackers can also configure the location listener parameters remotely:\r\nChange the minimum interval between location updates – This allows the actors to reduce the number of updates while still tracking the victim.\r\nChange the provider for location tracking between GPS (based on satellites) and network (based on the availability of cell towers and Wi-Fi access points).\r\nBefore the malware developers started to utilize the standard Android LocationListener, the malware used a third-party SDK called AMAP to track the victim’s location. The overall idea is similar: when the malicious app receives a command from the attackers’ server to start tracking the device’s location, it subscribes to location updates from the AMAP SDK. 
This way, at every location change, the malware writes the current location with a timestamp to the map.dat file and also keeps it in a variable.\r\nFigure 13 – Device location tracking in the versions that use the AMAP SDK.\r\nAs a result, the attackers can send commands from the remote server to read the current location or to request the full tracking file.\r\nTo summarize, in the most recent versions, the malware developers added the ability to track their target’s location in real time. The malware sends location updates on its own, compared to previous versions where the server needed to send additional commands to get the location information.\r\nCall recording and file upload\r\nTo record both incoming and outgoing calls through the infected device’s microphone, the malware uses a BroadcastReceiver called CallRecorder. It monitors the phone state and saves the call recordings locally to the db file, so that they can be uploaded later to the attacker-controlled remote server by issuing the “upload file” command.\r\nFigure 14 – The malware code responsible for recording incoming and outgoing calls.\r\nSurround recording\r\nBesides recording incoming and outgoing calls, the attackers can start surround recording remotely by issuing the relevant command from the C\u0026C server.\r\nWhen the command is received, the malware gets as arguments the desired duration and the delay before the recording starts. 
If no delay is specified, it launches a thread that immediately starts recording. Otherwise, it creates a PendingIntent for the BroadcastReceiver and registers it with AlarmManager, which triggers the recording at the specified time.\r\nFigure 15 – Starting audio recordings.\r\nAfter the AudioRecording thread performs the recording for the specified duration, it saves it to the db file with a timestamp:\r\nFigure 16 – Surround recording implementation.\r\nAs the recorded files may be quite large, we would expect to see some restrictions in the code on how the resulting files are exfiltrated (for example, uploading the files only over Wi-Fi networks), but there are no such limitations in the code. However, there is no automatic upload of the recordings either. The attackers decide when to exfiltrate the files, so they could send a command to get the device information (which contains the current network connection type) and then exfiltrate the files from the device when convenient.\r\nBecause the attackers have up-to-date information about the victim’s location, they can choose the opportune moment to record offline private conversations, which affects not only the victim’s privacy but also that of unsuspecting third parties.\r\nRemote shell\r\nThe malware can receive a command to start a remote shell, which is done by starting a thread that, in turn, starts a shell process and establishes a socket connection to the same C\u0026C server, but over a different port. 
The shell’s output is redirected to the socket’s output stream, and the malware reads the commands from the same socket, decrypts them and executes them:\r\nFigure 17 – Remote shell execution.\r\nDrop additional APK\r\nWhen it receives a command to install an APK, the malware starts a thread that checks whether it has enough privileges to install the application silently. If the check fails, the malware launches a regular UI installation via an intent:\r\nFigure 18 – Silent APK installation via PackageManager.\r\nUninstalling an application follows exactly the same logic.\r\nAttribution\r\nThe first report that summarized the activity of Scarlet Mimic and various elements of this threat was published in 2016. It reviewed a series of persistent attacks that targeted Uyghur and Tibetan minority rights activists as well as those who support their cause.\r\nThe group’s arsenal at that point included multiple Trojans and tools for Windows and macOS. In 2015, the actors started to expand their espionage efforts from PCs to mobile devices using the spyware called MobileOrder, which focused on compromising Android devices. Based on code similarity, shared infrastructure and victimology, we conclude that the new wave of attacks belongs to the same threat actor and that the group continues to deploy and develop the MobileOrder malware to this day. 
In addition to the clear code overlaps, we observed multiple overlaps in infrastructure between the new samples and the old MobileOrder malware variant, as well as multiple variants of the Windows Psylo Trojan, previously attributed to Scarlet Mimic, that interact with the same malicious domains as the mobile malware.\r\nIn late 2017, Lookout research published a report on another cluster of malicious activity, which relied on the JadeRAT Android malware to target the Uyghur community. This campaign “had some overlap [with ScarletMimic] around the apps they trojanized, the likely groups they targeted, their capabilities, and to some extent their implementation.”\r\nTogether with the evidence of the ongoing campaign using Android spyware provided in this report, this emphasizes the heavy shift of activity targeting these minority groups towards mobile surveillance in the last few years.\r\nCode overlaps\r\nThe MobileOrder from the 2015 report also started by registering itself as a device admin to secure its persistence and to lay a proper foundation for the rest of the malware’s functionality:\r\nFigure 19 – MobileOrder sample from 2015 (md5: a886cbf8f8840b21eb2f662b64deb730) requesting device admin privileges vs the sample from April 2020 performing the same request (right).\r\nThe 2015 version of MobileOrder masqueraded as a PDF document, with an embedded PDF called rd.pdf in the application’s resources. This is similar to all the new samples in the ongoing campaign where the decoy content is a PDF file. 
The bait PDF extracted from the malware resources is written to the device’s SD card and displayed to the victim while the malicious actions execute in the background:\r\nFigure 20 – APK structure and the decoy PDF file location in the 2015 sample of MobileOrder and the August 2022 sample (right).\r\nThe main communication thread, which is responsible for communicating with the C\u0026C server via a socket and processing received commands, also did not change much over time, although many of the commands themselves changed their command ID, and a few more functionalities were added.\r\nFigure 21 – Command processing in MobileOrder from 2015 vs command processing in newer samples (deobfuscated code).\r\nVictimology and lures\r\nMost of the malicious applications we observed have names in the Uyghur language, in its Arabic or Latin script. They contain different decoys (documents, pictures, or audio samples) with content related to the ethnic geopolitical conflict centered on Uyghurs in China’s far-northwest region of Xinjiang, or with religious content referencing the Uyghurs’ Muslim identity. 
We can therefore conclude that this campaign is likely intended to target the Uyghur minority or organizations and individuals supporting them, which is consistent with the Scarlet Mimic group’s previously reported activity.\r\nA few interesting examples of decoys used by the actor over the years include:\r\nThe sample with the original name “photo” (md5: a4f09ccb185d73df1dec4a0b16bf6e2c) contains a picture of Elqut Alim, the “New Chief Media Officer” of the Norwegian Youth Union, who call themselves “a group of Uyghur youth who live in Norway with a common understanding and a common goal, which is to stand up against China’s invasion of East Turkestan.” The malware was uploaded to VT with a name in Uyghur Latin script and a fake “.jpg” extension.\r\nFigure 22 – Decoy image from the sample a4f09ccb185d73df1dec4a0b16bf6e2c.\r\nThe application named “ئۇرۇشى پارتىزانلىق”, which translates from Uyghur as “Guerrilla Warfare” (md5: b5fb0fb9488e1b8aa032d7788282005f), contains the PDF version of the abridged military course by Yusuf al-Ayeri, the now deceased first leader of Al-Qaeda in Saudi Arabia, which outlines the tactical methods of guerrilla warfare.\r\nFigure 23 – The lure PDF containing the materials by the military wing of Al-Qaeda.\r\nAnother sample called “rasimim” (“pictures” in Uyghur, md5: 06c8c089157ff059e78bca5aeb430810) contains multiple pictures referring to the escalated tensions in the Xinjiang Uygur Autonomous Region in May 2014, including the deployment of special police forces next to the Urumqi Railway Station and the medical evacuation after a terrorist attack in a street market.\r\nFigure 24 – The lure pictures of escalations in Urumqi, the capital of Xinjiang.\r\nThe sample called “The China Freedom Trap” (md5: a38e8d70855412b7ece6de603b35ad63) masquerades as a partial PDF of the book of the same name written by Dolkun Isa, a politician and activist from the Xinjiang region and the current president of the World Uyghur Congress:\r\nFigure 25 – The cover of the lure PDF.\r\nThe sample called “quran kerim”, which translates as “Noble Quran” (md5: f10c5efe7eea3c5b7ebb7f3bf7624073), uses as a decoy an mp3 file of a recorded speech in what seems to be a Turkic language.\r\nSome of the other lures include pictures of unidentified individuals, and as reverse image search engines fail to trace their origin, we can assume that these pictures were taken from the private social network profiles of these individuals or were stolen from their mobile devices as a result of the spyware deployment.\r\nIt is interesting that one of the samples, called “القائمة” (“The list” in Arabic), with the package name com.sy.go.immx (md5: 7bf2ca0e7242cabcee8d3bb37ac52fc7), does not follow the pattern of referencing Uyghurs. The name and the lure of this application are in Arabic, and the lure document contains a picture of a list of persons wanted by the Shabwah Governorate in Yemen for threatening the security and stability of the province. This may indicate additional targeting of individuals or organizations located in a different geographical zone and involved in another conflict.\r\nConclusion\r\nOver the years, Scarlet Mimic has persistently continued its espionage operations against the Uyghur community using Android malware. 
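Before the IOC tables that close this report, here is an added example, written for this page and not part of the Check Point report, showing how a defender would put the report’s indicators to use: it refangs the domains, IPs and dead drop URLs exactly as listed in the IOC section, and scans DNS, proxy and connection log lines for exact matches, parent-domain matches and dead drop URL matches. The three log formats and the log lines are constructed for this example; only the indicators come from the report.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the IOC section of this report, in their defanged form.
REPORT_IOCS = [
    ('adfgasfasfasf123[.]com', 'C2'),
    ('blackbeekey[.]com', 'C2'),
    ('fly100.dellgod[.]net', 'C2'),
    ('islam.ansardawlatalislam[.]com', 'C2'),
    ('k7k7[.]co', 'C2'),
    ('mobile.muslimbro[.]org', 'C2'),
    ('ziba.lenovositegroup[.]com', 'C2'),
    ('209.97.173[.]124', 'C2'),
    ('45.32.112[.]182', 'C2'),
    ('http://blog.sina.com[.]cn/u/5241106671', 'dead drop resolver'),
    ('http://blog.sina.com[.]cn/u/5955775229', 'dead drop resolver'),
    ('http://blog.sina[.]cn/dpool/blog/s78u', 'dead drop resolver'),
    ('http://blog.sina.com[.]cn/u/5926910809', 'dead drop resolver'),
]

# Constructed log lines (key=value style is an assumption, not a real product format).
SAMPLE_LOG = [
    '2022-08-17T10:21:03Z dns client=10.0.0.12 query=fly100.dellgod.net type=A',
    '2022-08-17T10:21:03Z dns client=10.0.0.40 query=www.example.org type=A',
    '2022-08-17T10:21:05Z http client=10.0.0.12 method=GET url=http://blog.sina.com.cn/u/5241106671 status=200',
    '2022-08-17T10:21:06Z http client=10.0.0.41 method=GET url=http://blog.sina.com.cn/u/1234567890 status=200',
    '2022-08-17T10:21:07Z conn client=10.0.0.12 dst=209.97.173.124:2675 proto=tcp',
    '2022-08-17T10:21:09Z dns client=10.0.0.12 query=cdn.blackbeekey.com type=A',
]


def refang(indicator):
    '''Turn the defanged form back into a matchable domain, IP or URL.'''
    return indicator.replace('[.]', '.').replace('hxxp', 'http').lower()


def build_index(iocs):
    '''Split indicators into domain, IP and (host, path) URL lookup tables.'''
    domains, ips, urls = {}, {}, {}
    for raw, kind in iocs:
        value = refang(raw)
        if '://' in value:
            parts = urlsplit(value)
            urls[(parts.hostname, parts.path)] = kind
            continue
        try:
            ips[str(ipaddress.ip_address(value))] = kind
        except ValueError:
            domains[value] = kind
    return domains, ips, urls


def domain_hit(host, domains):
    '''Exact match or any parent domain, so sub.example.com matches example.com.'''
    labels = host.split('.')
    for i in range(len(labels) - 1):
        candidate = '.'.join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines, iocs=REPORT_IOCS):
    '''Return (timestamp, client, indicator type, matched value) for each hit.'''
    domains, ips, urls = build_index(iocs)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, kind = fields[0], fields[1]
        kv = dict(tok.split('=', 1) for tok in fields[2:] if '=' in tok)
        client = kv.get('client', '?')
        if kind == 'dns' and 'query' in kv:
            matched = domain_hit(kv['query'].lower().rstrip('.'), domains)
            if matched:
                hits.append((ts, client, domains[matched], matched))
        elif kind == 'http' and 'url' in kv:
            parts = urlsplit(kv['url'].lower())
            host = parts.hostname or ''
            if (host, parts.path) in urls:  # dead drop URLs match on full path
                hits.append((ts, client, urls[(host, parts.path)], kv['url']))
            else:
                matched = domain_hit(host, domains)
                if matched:
                    hits.append((ts, client, domains[matched], matched))
        elif kind == 'conn' and 'dst' in kv:
            dst_ip = kv['dst'].rpartition(':')[0]
            if dst_ip in ips:
                hits.append((ts, client, ips[dst_ip], kv['dst']))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Matching the dead drop resolvers on the full URL path rather than on blog.sina.com.cn keeps an ordinary blog visit from firing; a hit on a dead drop URL deserves the same priority as a C&C hit, because the malware fetches that page only to locate its C&C server, so the device that requested it should be treated as infected.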
The persistence of the campaign, the evolution of the malware and the persistent focus on targeting specific populations indicate that the group’s operations over the years have been successful to some extent. This threat group’s shift of its attack vector into the mobile sector provides further evidence of a growing trend of extensive surveillance operations executed on mobile devices, the most sensitive and private assets.\r\nCheck Point’s Harmony Mobile helps secure mobile devices across all attack vectors: apps, network and OS, and protects against Android malware such as the one used in this campaign.\r\nHarmony Mobile leverages Check Point’s ThreatCloud and award-winning file protection capabilities to block the download of malicious files to mobile devices and prevent file-based cyber-attacks, such as the ones described in this blog.\r\nIOCs\r\nSHA256 – Package Name\r\nfd99acc504649e8e42687481abbceb71c730f0ab032357d4dc1e95a6ef8bb7ca – com.emc.pdf\r\n89f350332be1172fc2d64ac8ecd7fd15a09a2bd6e0ab6a7898a48fb3e5c9eac3 – pw.nrt.photo.google\r\n84ce04fd8d1c15046e7d50cd429876f0f5fbca526d7a0a081b6b9a49fe66131f – com.sy.go.immx\r\nf876b2a60d4cf7f88925f435f29f89c0393f57a59ec46d490c7e87821f29fc0f – com.pdf.google.vv\r\nc2cd40f1c21719d4611ff645c7f960d0070c19e8ad12cc55aded7b5a341c89a3 – com.pdf.google.vm\r\n2e94183fcbc3381071d023a030640aaef64739006b6c22603b94b970cebeeec2 – com.pdf.google.vm\r\n73729646a7768a5bd4c301842c19b3b16bb190e435af466a731ad36544982098 – com.pdf.google.vm\r\n13e457ce16c0fe24ad0f4fe41a6ad251ebffb2fdaaebe7df094d7852ba0cfdc6 – com.photo.android.p\r\n155d0707858cbb18ed5ecb4d98009288e4c5a1e68275d9db5b2390f204636431 – com.update.google\r\n0703185a3e206b8da96a86f4bbcb750b48bbec8b2fc2598eed8603e4027cf4ae – com.photo.android.p\r\nbe0ae4394b8592cd1325b86669fa78f9ccd320d23f839e81001138be914a760f – com.photo.android.p\r\n990e50ce20706be80b4d62367ff6ed615d6dd04551b42cfd80b1a8950065b646 – com.photo.android.p\r\n633739c3b51715516fb226b3b9c693530d8ef715ac19093cdf6aaf108149b91f – com.view.openpdf\r\ne959dc221a8667cde8b9ff080d078e60ed1e8bf5a3c6f1f352919c9b8f696830 – com.view.openpdf\r\ne3ee0ccfb01e2effd49feddb252781baa2a05f8360d5cf949d09e3add1e73e4d – com.photo.android.p\r\n126e41c231c1b5a25584e27d47132d0d243da155e6a70517d08dbf611201fdca – com.photo.android\r\ned3aa8e58d65c81df2f18e970456225b7c2b78e4add4dea556298a915b8fef1a – com.photo.android\r\n35adf82e2ace8fe0ddfd50b21dad274df40696f5dfcdf7372fe63eed8bbed869 – com.photo.android\r\n03004ccc23033a09532bea7dfa08c8dfa85814a15f5e3aedb924a028bcd6f908 – com.view.openpdf\r\nafcbf339d1c0a6174f93425cd1b8ba50979132856f0c333865a62d7c6e8a3084 – com.photo.android\r\n91c34071622b678b2f64a8b896c7898cceff658764eb0ae5e100b3d4d868a664 – com.photo.android\r\n549ea085fbb23729ee000721938d95ea38ff2e70a63af1d4aa8db6b7b3458f6f – com.photo.android\r\nba08ee68d9218e0aaa3384bcb2ab281fd8273fe40aee65c300adbf85120cbc7b – com.lppads.android\r\nIndicator – Type\r\nadfgasfasfasf123[.]com – C\u0026C\r\nblackbeekey[.]com – C\u0026C\r\nfly100.dellgod[.]net – C\u0026C\r\nislam.ansardawlatalislam[.]com – C\u0026C\r\nk7k7[.]co – C\u0026C\r\nmobile.muslimbro[.]org – C\u0026C\r\nziba.lenovositegroup[.]com – C\u0026C\r\n209.97.173[.]124 – C\u0026C\r\n45.32.112[.]182 – C\u0026C\r\nhttp://blog.sina.com[.]cn/u/5241106671 – Dead drop resolver\r\nhttp://blog.sina.com[.]cn/u/5955775229 – Dead drop resolver\r\nhttp://blog.sina[.]cn/dpool/blog/s78u – Dead drop resolver\r\nhttp://blog.sina.com[.]cn/u/5926910809 – Dead drop resolver\r\nSource: https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/"
	],
	"report_names": [
		"never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-25T02:00:04.193811Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-25T02:00:02.854662Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-25T02:00:04.720968Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776912837,
	"ts_updated_at": 1777083527,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10d4af6005171e665ebfc907f4b611a1a95f0e23.pdf",
		"text": "https://archive.orkl.eu/10d4af6005171e665ebfc907f4b611a1a95f0e23.txt",
		"img": "https://archive.orkl.eu/10d4af6005171e665ebfc907f4b611a1a95f0e23.jpg"
	}
}