{
	"id": "0005dfb9-f390-4706-8e89-b6512e1261cb",
	"created_at": "2026-04-06T00:10:23.186832Z",
	"updated_at": "2026-04-10T03:34:27.536316Z",
	"deleted_at": null,
	"sha1_hash": "18c45f1e4f572cffc670f0747c46daf617980f53",
	"title": "Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1787500,
	"plain_text": "Scarlet Mimic: Years-Long Espionage Campaign Targets Minority\r\nActivists\r\nBy Robert Falcone, Jen Miller-Osborn\r\nPublished: 2016-01-24 · Archived: 2026-04-05 21:12:49 UTC\r\nExecutive Summary\r\nOver the past seven months, Unit 42 has been investigating a series of attacks we attribute to a group we have\r\ncode named “Scarlet Mimic.” The attacks began over four years ago and their targeting pattern suggests that this\r\nadversary’s primary mission is to gather information about minority rights activists. We do not have evidence\r\ndirectly linking these attacks to a government source, but the information derived from these activities supports an\r\nassessment that a group or groups with motivations similar to the stated position of the Chinese government in\r\nrelation to these targets is involved.\r\nThe goal of this report is to expose the tools, tactics and infrastructure deployed by Scarlet Mimic in order to\r\nincrease awareness of this threat and decrease its operational success through deployment of prevention and\r\ndetection countermeasures. From our vantage point, we are not able to identify which attacks have been successful\r\nagainst which organizations. But the fact that the tools Scarlet Mimic deploys have been under development for\r\nyears suggests an active adversary that has been successful in some percentage of its operations. Based on our\r\nanalysis, we are also seeing Scarlet Mimic start to expand its espionage efforts from PCs to mobile devices,\r\nmarking an evolution in its tactics.\r\nIndividuals and groups of all different types may become the target of cyber espionage campaigns. 
The most well-known\r\nvictims of cyber espionage are typically government organizations or high-tech companies, but it’s\r\nimportant to recognize that espionage-focused adversaries are tasked to collect information from many sources.\r\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those\r\nwho are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority\r\nresiding primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both\r\nalso have a history of strained relationships with the government of the People’s Republic of China (PRC), though\r\nwe do not have evidence that links Scarlet Mimic attacks to the PRC.\r\nScarlet Mimic attacks have also been identified against government organizations in Russia and India, which are\r\nresponsible for tracking activist and terrorist activities. While we do not know the precise target of each of the\r\nScarlet Mimic attacks, many of them align to the patterns described above.\r\nThe Scarlet Mimic attacks primarily center around the use of a Windows backdoor named “FakeM.” It was first\r\ndescribed by Trend Micro in 2013 and was named FakeM because its primary command and control traffic\r\nmimicked Windows Messenger and Yahoo! Messenger network traffic to evade detection. We have identified two\r\nsubsequent variants of the FakeM family, which has undergone significant changes since it was exposed in 2013.\r\nhttp://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/\r\nPage 1 of 27\n\nWe have also identified nine distinct “loader” malware families, which Scarlet Mimic appears to use to avoid\r\ndetection when infecting a system.\r\nIn addition to the FakeM variants, Scarlet Mimic has deployed Trojans that target the Mac OS X and Android\r\noperating systems. 
We have linked these attacks to Scarlet Mimic through analysis of their command and control\r\n(C2) infrastructure.\r\nTo infect individuals with access to the data the actors desire, Scarlet Mimic deploys both spear-phishing and\r\nwatering hole (strategic web compromise) attacks. Using these tactics they can directly target previously identified\r\nindividuals (spear phishing) as well as unidentified individuals who are interested in a specific subject (watering\r\nhole). In their spear phishing attacks, Scarlet Mimic has exploited five separate vulnerabilities. However, in many\r\ncases they chose to forgo exploiting a software vulnerability and used self-extracting (SFX) RAR archives that use\r\nthe Right-to-Left Override character to mask the true file extension, tricking victims into opening executable files.\r\nAs with many other attackers who use spear-phishing to infect victims, Scarlet Mimic makes heavy use of\r\n“decoy” files. These are legitimate documents that contain content relevant to the subject of the spear phishing e-mail. After the system is infected, the malware displays the decoy document to trick the user into believing\r\nnothing harmful has occurred. These decoy documents allow us to identify the theme of the spear phishing e-mail\r\nand in some cases the target of the attack.\r\nThe most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a\r\nsignificant interest in both Muslim activists and those interested in critiques of the Russian government and\r\nRussian President Vladimir Putin. Based on their previous targets we suspect these individuals may be targeted\r\nbased on the information they possess on activist groups.\r\nThe primary source of data used in this analysis is Palo Alto Networks WildFire, which analyzes malware used in\r\nattacks across the world. 
The system also analyzes malware samples collected through a sharing partnership with\r\nother security vendors, including our partners in the Cyber Threat Alliance. To connect attacks to each other based\r\non malware behavior and command and control infrastructure, we relied on AutoFocus threat intelligence.\r\nAutoFocus users can view all of the files related to Scarlet Mimic and the malware associated with the group\r\nusing the following links:\r\nScarletMimic\r\nFakeM\r\nPsylo\r\nMobileOrder\r\nIntroduction\r\nThe better we can understand the threats to our networks and systems, the more effective we will be at preventing\r\nthose threats. The goal of this report is to help network defenders better understand attacks from a group we have\r\nnamed Scarlet Mimic. This group has been conducting attacks for at least four years using a backdoor Trojan that\r\nhas been under active development. The group primarily deploys spear-phishing e-mails to infect its targets, but\r\nwas also responsible for a watering hole (strategic web compromise) attack in 2013.\r\nAttacks from this group have been reported publicly in the past, but mostly as disparate, unconnected incidents.\r\nBased on analysis of the data and malware samples we have collected, Unit 42 believes the attacks described\r\nherein are the work of a group or set of cooperating groups who have a single mission, collecting information on\r\nminority groups who reside in and around northwestern China. In the past, Scarlet Mimic has primarily targeted\r\nindividuals who belong to these minority groups as well as their supporters, but we’ve recently found evidence to\r\nindicate the group also targets individuals working inside government anti-terrorist organizations. 
We suspect\r\nthese targets are selected based on their access to information about the targeted minority groups.\r\nIn the following sections we will describe selected attacks we have identified and who their likely targets are. We\r\nwill also provide detailed analysis of the latest variants of the malware they deploy (known as FakeM) as well as\r\nother associated tools that allow Scarlet Mimic to target Android and OS X devices.\r\nAttacks launched by this group were publicly exposed in 2013 in a Trend Micro report about the FakeM Trojan.\r\nSince that report’s release, Scarlet Mimic has deployed two additional versions of the malware. They have also\r\ndeployed nine separate “loader” Trojans they use to infect systems with their backdoor.\r\nAttack Details\r\nThe majority of attacks we associate with Scarlet Mimic follow the pattern shown in Figure 1.\r\nFigure 1: “Spear Phishing with Decoy” Attack Pattern Deployed by Scarlet Mimic\r\nThe attacker sends a spear-phishing e-mail with a subject and body content that appeal to the targeted user. This e-mail carries an attachment, which is typically a document that exploits a Microsoft Office vulnerability. The\r\nattachment uses a file name that is related to the e-mail content to trick the user into opening it. If the user opens\r\nthe file and the exploitation is successful, a backdoor Trojan is installed on the system that gives the attacker\r\naccess and a decoy document is displayed to the victim. Decoy documents are typically non-malicious versions of\r\nthe content the user expected to see when opening the attachment.\r\nMany of the targets and spoofed or compromised sending e-mail addresses have contact information on the\r\nInternet. 
The apparent sender email usually appears to be someone associated with the accompanying text, when\r\nappropriate, while the target emails are usually also available online tied to target organizations. A small subset of\r\nthe decoys could not be found online and may be from previous compromises by Scarlet Mimic.\r\nMany attackers deploy this particular pattern, as it is often successful at infecting a user without alerting the user\r\nof the infection. This is the exact same pattern, for example, deployed by the attackers in Operation Lotus\r\nBlossom.\r\nWe have identified spear phishing documents from Scarlet Mimic exploiting the following vulnerabilities:\r\nCVE-2012-0158\r\nCVE-2010-3333\r\nCVE-2010-2883\r\nCVE-2010-2572\r\nCVE-2009-3129\r\nWe also know Scarlet Mimic uses a number of toolkits to create documents that contain exploit code to install the\r\nFakeM payload on a compromised system. Unit 42 tracks the toolkits delivering FakeM under the names MNKit,\r\nWingD and Tran Duy Linh. These kits appear to be used by many attack groups, and they alone are not a good\r\nindication of Scarlet Mimic activity.\r\nAdditionally, in many cases these threat actors did not use an exploit document at all, rather they sent self-extracting (SFX) RAR archives that use the Right-to-Left Override character to mask the true file extension. For\r\nexample, the following two filenames of SFX archives used to deliver FakeM contain the RLO character (shown\r\nhere in its encoded form):\r\nUpdate about the status of Tenzin Delek Rinpoche'ashes%E2%80%AEcod.scr\r\ntepsiliy mezmun.\\xe2\\x80\\xaetxt.scr\r\nEven when no software vulnerability is exploited, the attacks still typically include a decoy document. The content\r\nof most of the decoy documents appear to be available on the open Internet, and the attackers typically made small\r\nmodifications to them.\r\n
The overarching decoy\r\nthemes were Uyghur-related, anti-Putin, or Al-Qaeda-related. The decoys are often copied from think tanks or\r\nreputable news sources the targets would likely frequent.\r\nIn one instance, the threat actors used content from a New York Times article (Figure 2) on the same day it was\r\npublished.\r\nFigure 2: Decoy Text Extracted from the New York Times article\r\nFigure 3 shows one of the more common themes used to target Uyghurs and those interested in their cause.\r\nMultiple attacks used press releases or other content related to the World Uyghur Congress.\r\nFigure 3: Decoy using World Uyghur Congress Press Release\r\nIn July of 2015, we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic\r\nexploit document. In this case (Figure 4) the recipient of the e-mail was an individual working for the Russian\r\nFederal Security Service (fsb.ru). 
The e-mail body requests help dealing with threatening phone calls from an\r\ninternational gang.\r\nFigure 4: Phishing E-mail sent to FSB E-mail Address\r\nAnother attack, sent to an unknown target, carried a decoy image (Figure 5) that compared Russian President\r\nVladimir Putin to Adolf Hitler.\r\nFigure 5: Anti-Putin image used as a decoy document\r\nIn yet another case, the threat actors used a conference notification from one organization (Figure 6a) and\r\nmodified it to appear as though it were for an “Islamic Country Muslim Religion Conference” (Figure 6b). This\r\ndocument was particularly poorly altered, as the registration form still contained multiple hints to indicate the\r\ndocument was fraudulent (Figure 6c).\r\nFigure 6a: Original document used as a Psylo decoy\r\nFigure 6b: Modified header and contact email in the decoy\r\nFigure 6c: Bottom of the decoy document with replaced email and non-altered date -- a quick search online shows\r\nthis to be fraudulent\r\nIn total we have collected over 40 individual decoy documents used in these attacks, far more than we can detail\r\nhere.\r\nWe are aware of one case where Scarlet Mimic broke from the spear-phishing pattern described above. In 2013,\r\nthe group deployed a watering hole attack, also known as a strategic web compromise, to infect victims with their\r\nbackdoor. The watering hole is an attack vector that involves compromising a website that targeted victims are\r\nlikely to visit in order to infect and gain access to their systems. 
According to a blog by Websense, threat actors\r\ncompromised the Tibetan Alliance of Chicago’s website to host malicious code that exploited a vulnerability in\r\nInternet Explorer (CVE-2012-4969). Microsoft patched this vulnerability in September 2012, suggesting that this\r\nwatering hole attack used an older vulnerability, which aligns with the threat group’s continued use of older\r\nvulnerabilities in their spear-phishing efforts.\r\nMalware Overview\r\nFirst discussed in January 2013 in a Trend Micro whitepaper, FakeM is a Trojan that uses separate modules to\r\nperform its functionality. FakeM’s functional code is shellcode-based and requires another Trojan to load it into\r\nmemory and execute it. There are a variety of different Trojans used to load FakeM, some of which are more\r\ninteresting than others. In this section, we will explore the loader Trojans followed by an analysis of the evolution\r\nof FakeM itself. We end this section with a discussion on tools related to FakeM and used by Scarlet Mimic.\r\nLoader Trojans\r\nFakeM is shellcode-based and therefore requires another Trojan to load FakeM into memory and execute its\r\nfunctional code. Threat actors have developed many different loading Trojans to load FakeM, some of which are\r\nfairly straightforward while others use very clever techniques to avoid detection. Unit 42 tracks the following list\r\nof loader Trojans that Scarlet Mimic has used to execute FakeM:\r\nCrypticConvo\r\nSkiBoot\r\nRaidBase\r\nFakeHighFive\r\nPiggyBack\r\nFullThrottle\r\nFakeFish\r\nBrutishCommand\r\nSubtractThis\r\nIt appears that the threat actors include the loader Trojans in some sort of builder application that allows actors to\r\nquickly create, configure and deploy payloads to execute FakeM. 
We believe this because many samples that\r\nexecute FakeM have the same exact compilation time but different C2 servers, as seen in the example in Table 1.\r\nThis suggests the actors compile a single sample and use a builder tool to configure individual samples on\r\ndemand.\r\nWe used the loader Trojans to provide a general timeline for the development of FakeM samples, as FakeM is\r\nshellcode-based and does not contain any usable timestamps. The timestamps in the loader Trojans do not\r\nnecessarily correspond to the usage of FakeM, but plotting the compile times of the loaders on a timeline shows\r\nan interesting trend. The scatter plot timeline in Figure 7 shows the known compilation times of the loader Trojans\r\nand the FakeM variant that each executed.\r\nSHA256 Compiled Loader Trojan C2 Domains\r\n5182dc8667432d76a276dc4f864cdfcef3e481783ebaf46d3b1397080b798f4a 2013-09-13 08:02:58 CrypticConvo opero.spdns[.]org, firefox.spdns[.]de\r\n5dade00db195087aa336ce190b5fd1c22992c49556c623b42a9f742d73241a7f 2013-09-13 08:02:58 CrypticConvo intersecurity.firewall-gateway[.]com\r\nTable 1: Two samples sharing a compile time yet containing different C2 domains in their configurations\r\nFigure 7: Timeline of compilation of loader Trojans associated with FakeM\r\nBased on the timeline, it appears that the actors were actively developing several of the loaders at the same time\r\nfrom 2009 until the early months of 2014. After the first quarter of 2014, it appears that the actors abandoned\r\ndevelopment of the older loaders in favor of FakeFish, BrutishCommand and SubtractThis. 
This does not mean\r\nthat actors will not continue to use the older loaders, but it does suggest that the actors will continue including the\r\nnewer or freshly developed loaders in updated builder applications.\r\nThe timeline also presents the possibility that the FakeM developers reacted to the release of Trend Micro’s\r\nFakeM blog and whitepaper. Trend Micro published their analysis of the FakeM Trojan on January 17, 2013\r\n(marked in Figure 7 by a red line) that discussed the original variant of FakeM. Shortly after, the original variant\r\nof FakeM drops off the timeline in favor of the SSL and Custom SSL variants. It is possible that the FakeM\r\ndevelopers saw their tool was exposed and adapted it to avoid detection for continued use as a payload in attacks.\r\nWe cannot be certain if the developers reacted specifically to Trend Micro’s content, as it is possible that they\r\nwere reacting to the increased antivirus detection rate of their tool that resulted from the exposure of the tool.\r\nRegardless of the specific stimulus, the reaction shows that the FakeM threat actors evolved to avoid\r\ndetection/attribution and to continue their attack campaigns.\r\nThe timeline does have one noticeable outlier, specifically the FakeHighFive sample compiled in September 2009\r\nthat loaded a FakeM SSL sample. We believe this compile time is incorrect, as the C2 domain for this sample,\r\nspecifically press.ufoneconference[.]com, was registered by the threat actor in February 2013. 
The registration of\r\nthe C2 domain in February 2013 aligns with other compilation times of FakeM SSL, which leads us to the\r\nconclusion that the September 2009 compilation timestamp was modified and/or inaccurate.\r\nMost of the related loader Trojans, such as CrypticConvo, PiggyBack, FullThrottle, FakeHighFive, FakeFish and\r\nRaidBase do little more than load encrypted FakeM shellcode (either from a PE resource or embedded data),\r\ndecrypt it, and execute the resulting shellcode. Other related loading Trojans, such as SubtractThis,\r\nBrutishCommand and SkiBoot employ clever techniques worth discussing.\r\nSubtractThis\r\nThe SubtractThis loader displays a technique that is quite clever. This loader received its name based on a\r\ntechnique it uses to delay before carrying out its main functionality, specifically by requiring the user to hit the\r\nminus (“-”) key. SubtractThis carries out this technique through the following steps:\r\n1. Calls the LoadAcceleratorsA function to load the virtual key for the minus character “-”. Example:\r\nLoadAcceleratorsA(hInstance, VK_SUBTRACT);\r\n2. Calls the SetTimer function to set up a callback function that will be called in the event of the\r\nLB_FINDSTRING Windows message. Example: SetTimer(0, LB_FINDSTRING_, 10000u, TimerFunc);\r\n3. Creates a continuous loop that starts by calling GetMessageA to obtain Windows messages.\r\n4. Calls TranslateAcceleratorA to check whether the Windows message received is VK_SUBTRACT \"-\".\r\n5. Calls the callback function set up in the SetTimer function if the user enters the minus “-” key.\r\nThis technique requires user interaction, which makes analysis in sandboxes more difficult.\r\nBrutishCommand\r\nThe BrutishCommand loader uses a very interesting method to decrypt the FakeM functional code. 
The main\r\nfunction in this loader checks the command line arguments passed to it, and if there are none present it will obtain\r\na random number between 0-9 and create a new process using the same executable with this random number as a\r\ncommand line argument.\r\nIf the executable has a command line argument, the Trojan subjects the value to a hashing algorithm and compares\r\nthe hash to 0x20E3EEBA. If the value matches the static hash, the executable will subject the command line\r\nargument to a second algorithm that will produce a value that the Trojan will use as the decryption key to decrypt\r\nthe embedded FakeM shellcode. It essentially brute forces its own decryption key by rerunning itself over and\r\nover until the correct value is provided on the command line. Unit 42 had not seen this technique used\r\nby other malware families and it introduces a challenging hurdle when attempting to analyze or debug the loader\r\nTrojan.\r\nSkiBoot Loader\r\nSkiBoot reads the master boot record (MBR) of the system to determine the XOR key that it will use to decrypt\r\nthe FakeM shellcode. It carries out this functionality by calling the ReadFile function to read 512 bytes from\r\n“\\\\.\\PHYSICALDRIVE0” and specifically uses the last byte of the MBR as the encryption key. The last byte of\r\nthe MBR is “\\xAA”, or the second byte of “\\x55\\xAA”, which is the boot signature portion of the MBR.\r\nInstead of using ReadFile, one variant of this loader reads the MBR using DeviceIOControl using the ID_CMD\r\ncontrol code, and accesses a specific offset to obtain the value by which it will rotate each byte of the ciphertext in\r\nthe decryption algorithm. 
The significance of using DeviceIOControl is that the VMware hypervisor responds to\r\nthis API call with a blank buffer instead of the MBR, whereas the Virtualbox hypervisor returns the MBR\r\ncorrectly. It appears that this loader is specifically using the DeviceIOControl API function as a VMware detection\r\ntechnique, suggesting that the developers are well versed in the nuances of the VMware hypervisor and virtual\r\nmachine evasion.\r\nEvolving FakeM: Variants\r\nSince being originally exposed in 2013, authors of FakeM have continuously made changes to the FakeM\r\ncodebase, resulting in multiple variants. Before elaborating on the different variants of FakeM, it is worth noting\r\nthat many similarities remain throughout the various iterations. The architecture has not changed during the evolution of\r\nFakeM, as a modular framework exists in each variant, as seen in Figure 8. The FakeM main module is\r\nresponsible for launching embedded modules, such as a keylogger or for gathering sensitive files. The main\r\nmodule is also responsible for communicating with its C2 servers and handling commands issued by the C2\r\nserver.\r\nFigure 8: FakeM Architecture\r\nAll FakeM variants initiate communications with their C2 server and check the C2’s response for a command. Also,\r\nall FakeM variants share a common command handler with the same capabilities, as seen in Table 2. The limited\r\ncommand set suggests that FakeM’s functionality is obtained by additional assembly code provided by the C2\r\nserver with the 0x211 command. 
According to Trend Micro’s initial analysis on FakeM, threat actors delivered\r\nand ran additional code that provided further capabilities to the Trojan, such as the ability to run shell commands,\r\nsteal passwords, capture the screen and upload files.\r\nCommand Description\r\n0x211 Run assembly code directly from the C2.\r\n0x212 Idle. Attempts to receive another command immediately instead of sleeping for 30 seconds.\r\n0x213 Sets a flag to end the session with the C2. This will force the Trojan to reestablish a session with the C2.\r\n0x214 Exit process.\r\nTable 2: Command handler within all variants of FakeM\r\nNow that we have covered the commonalities between FakeM variants, the following sections will dive into the\r\nspecific variants of FakeM. Unit 42 categorizes the different variations of FakeM based on the method used to\r\ncommunicate with the C2 server, which has changed dramatically over the years.\r\nOriginal FakeM\r\nThe original variant of FakeM generates network beacons to its C2 server that begin with a 32-byte header that in\r\nmost cases is meant to blend into network traffic generated by legitimate applications. Following this 32-byte\r\nheader, the original variant of FakeM includes data encrypted using a custom encryption cipher that uses an XOR\r\nkey of “YHCRA” and bit rotation between each XOR operation.\r\nThe original variant includes the FakeM discovered and published by Trend Micro in 2013, in which the authors\r\nof FakeM first attempted to evade detection of its C2 communications by pretending to be generated by legitimate\r\nmessenger applications, such as MSN and Yahoo! messengers. Figures 9 and 10 show FakeM attempting to\r\nresemble MSN or Yahoo! 
Messenger traffic, as the first 32 bytes contain data that resemble legitimate traffic\r\ngenerated by these chat programs.\r\nFigure 9: FakeM using fake MSN messenger traffic for C2 communication\r\nFigure 10: FakeM using fake Yahoo! Messenger for C2 communication\r\nIn addition to emulating chat programs, FakeM has also included HTML code within the 32-byte header. As you\r\ncan see in Figure 11, the overall structure of the beacon did not change; rather, the only difference is that the data in\r\nthe header contains HTML tags. The HTML data in the header led Unit 42 to a whitepaper published by\r\nMalware.lu that suggested the MSN, Yahoo, and HTML versions of the original variant of FakeM all share a\r\ncommon server application that the threat actors use to build samples and control infected systems.\r\nFigure 11: FakeM HTML tags in C2 header\r\nIn October 2013, FireEye published a blog about a sample of FakeM that did not use fake messenger or HTML\r\ndata in the first 32 bytes of the C2 traffic, but instead used four repeating bytes to fill this portion of the packet, as\r\nseen in Figure 12. Unit 42 tracks this under the original variant, as it uses the same algorithm to encrypt the data\r\nand otherwise shares a common structure with the MSN, Yahoo, and HTML versions with the exception of the\r\nmodification to the first 32 bytes.\r\nFigure 12: FakeM C2 beacon with four repeating bytes\r\nFakeM SSL\r\nWhile performing infrastructure analysis on FakeM original variants, we came across shared infrastructure with\r\ndomains that hosted C2 servers for malware samples that did not match the known FakeM communication\r\nprotocols. Palo Alto Networks WildFire had analyzed many samples associated with these related C2 domains, all\r\nof which communicated with the C2 server using secure sockets layer (SSL). 
To determine the malware family\r\nthat was generating this traffic, Unit 42 analyzed these samples and found that the functional code was the same as\r\nthe original FakeM variant.\r\nThis discovery indicates the authors of FakeM introduced new code to the Trojan in order to use SSL to\r\ncommunicate with its C2 server. The drastic change in C2 channel warranted a new variant name, and we dubbed\r\nit “FakeM SSL”. During the analysis of these samples we did not find any operational C2 servers to complete a\r\nhandshake to establish an SSL session. During the handshake, the FakeM SSL samples will tell the server it\r\nsupports 36 different cipher suites even though the samples appear to only support one. Unit 42 believes the cipher\r\nsuite within the FakeM SSL variants uses Diffie-Hellman for key exchange and the RC4 cipher to encrypt the C2\r\ncommunications.\r\nFakeM Custom SSL\r\nIn July 2015, Scarlet Mimic delivered a spear-phishing email to a branch of the Russian government with\r\nintentions of installing a payload that was undetected by any antivirus vendors on VirusTotal. The high profile\r\ntarget and the lack of antivirus detection prompted Unit 42 to perform an in-depth analysis and found that it is yet\r\nanother new variant of the FakeM Trojan. We also named this variant after its communication protocol (FakeM\r\nCustom SSL).\r\nThis new variant of FakeM shared the same functional code as its predecessors, but again the communications\r\nwith the C2 dramatically differed from the other variants. Communications between this variant and the C2 server\r\nleverage what Unit 42 believes is modified SSL code, as the code is very similar to the FakeM SSL variant. 
The\r\ncode appears to use Diffie-Hellman for key exchange and the RC4 algorithm like FakeM SSL; however, the initial\r\npacket sent to the C2 server did not contain a “client hello” message, which is required to initiate an SSL\r\nhandshake. Instead, the initial packet sent data as seen in Figure 13.\r\nFigure 13: Hexdump of FakeM custom SSL variant\r\nThis variant of FakeM skips the traditional SSL handshake, which involves an agreement on a cipher suite to use\r\nto encrypt communications. The FakeM code only supports one cipher suite, which makes the cipher suite\r\nagreement portion of the SSL handshake irrelevant. Instead, FakeM creates a session with its C2 server by\r\nexchanging keys. The lack of a valid handshake makes detection of this C2 stream difficult, as the packets sent\r\nbetween the Trojan and the C2 to establish this session contain random binary data. Network devices will also be\r\nunable to perform any SSL decryption due to the lack of detection and the inability to determine the cipher suite\r\nused to encrypt the data. Figure 14 below provides a visual depiction of the handshake procedure and the\r\nsubsequent beacon and command messages.\r\nFigure 14: Communications between system and C2 server, including the key exchange\r\nThe handshake starts with a key exchange, which the Trojan initiates by creating a 2048-byte buffer in which it will\r\nstore its key (128 bytes, followed by null values as seen in Figure 13) and sending its key to the C2 server. The C2\r\nwill respond with its own key (also 128 bytes, followed by null values) that the Trojan will store and use to\r\nencrypt future communications.\r\nOnce this key exchange is complete, the Trojan acknowledges the receipt of the server’s key by sending another\r\n2048-byte packet to the server. 
To build the acknowledgement packet, the Trojan creates a 2048-byte buffer filled\r\nwith null values, copies the string “ws32.dll” to offset 8 and encrypts the buffer with the server’s key.\r\nAfter sending the acknowledgement packet, the Trojan will gather local system information and include it in a\r\nbeacon to the C2 server. Like the packets sent in the key exchange, the beacon sent by the Trojan to the C2 server\r\nis 2048 bytes in length; however, the system information gathered by the Trojan is only 296 bytes, followed by\r\n1752 null values to fill the 2048-byte buffer. The system information follows the 296-byte structure seen\r\nbelow:\r\nstruct beaconToC2 {\r\n    DWORD static_value_130h;\r\n    CHAR username[128];\r\n    CHAR computername[128];\r\n    DWORD static_value_70000h;\r\n    DWORD os_codepage;\r\n    DWORD campaign_code_1;\r\n    DWORD campaign_code_2;\r\n};\r\nThe Trojan will encrypt this data using the key provided by the C2 and send it to the server. The Trojan will then\r\nwait for the C2 to respond, which it will decrypt and parse for FakeM commands. Unit 42 has been unable to extract\r\nany plug-ins from C2 network traffic; however, several FakeM custom SSL samples contain embedded plug-ins\r\nthat run without interaction with the C2 server. Also, Unit 42 was able to extract several modules from the original\r\nFakeM server application, as seen in Table 3. 
All of these modules are shellcode-based plug-ins that would work\r\nwith the custom SSL variant of FakeM with little to no modification.\r\nMD5 Size (bytes) Description\r\n7a1410b2eceb99ec268b50e9371e74c1 3724 Process Plug-ins\r\n092085e76512f071cab12f76ed09b348 2412 Shell Plug-ins\r\n8f4cbb78356cb672bf2566e44315eb96 1768 File Plug-ins\r\n16ab40f84fc47bab2c7874bb3164c5b4 2268 Screen Plug-ins\r\n30337e99631a174d822dd3ea00a5f6cf 2204 Regedit Plug-ins\r\n1f3fbb789bcbe9186a50c4f4db269736 1996 Service Plug-ins\r\n4313d9d5fc6a090e2abc41633cb2c1fd 3196 HostInfo Plug-ins\r\nfe75dff8b86dd8989d2ca00df19d51be 2220 KeyBoard Plug-ins\r\n3e184a7af74905f3d3acbec913252f72 1884 Shell Plug-ins\r\nb59e8751b9f61bd4f4b9b62de8242751 3896 OE Pwd Plug-ins\r\n83ec457cba27e470404c942eb9242eeb 2156 U-Files Plug-ins\r\nTable 3: Modules extracted from the original FakeM variant's server application\r\nRelated to FakeM Original: CallMe\r\nCallMe is a Trojan designed to run on the Apple OSX operating system. This Trojan was delivered in targeted\r\nattacks on Uyghur activists in 2013 and used infrastructure associated with FakeM.\r\nIn February 2013, AlienVault performed analysis on the CallMe Trojan and found that it is based on a tool called\r\nTiny SHell, an OSX shell tool whose source code is available on the Internet. The Trojan uses AES to encrypt the\r\ncommunication channel with its C2 server, which will provide one of three commands to carry out activities on the\r\ncompromised system, as seen in Table 4.\r\nCommand Description\r\n1 Get a file from the system and upload it to the C2 server.\r\n2 Put a file on the system from the C2 server. 
File is saved to a specified filename in \u003cHOME directory\u003e/downloads/.\r\n3 Create a reverse shell to interact with the compromised system.\r\nTable 4: Commands Available in the CallMe OSX Malware\r\nThe infrastructure overlap between FakeM and CallMe involves the fully qualified domain name (FQDN) of\r\n\"googmail.org\", which was used by both FakeM and CallMe samples. This suggests that not only do these threat\r\nactors have the ability to compromise victims running the Microsoft Windows operating system, but they can also\r\ntarget individuals running Apple's OSX.\r\nRelated to FakeM Custom SSL: Psylo\r\nDuring infrastructure analysis of FakeM Custom SSL variants, Unit 42 found infrastructure overlaps between\r\nFakeM and another new, previously unreported Trojan that we named “Psylo”. Psylo is a tool that allows threat\r\nactors to upload and download files to and from a compromised system, as well as execute commands and\r\napplications on the system. The name Psylo is an anagram of the mutex created when initially running this\r\npayload, which is 'hnxlopsyxt'.\r\nPsylo is similar to FakeM in that they are both shellcode-based, and they have similar configurations and C2\r\ncommunication channels. As you can see from the following two configuration structures, Psylo and FakeM have\r\nsimilar configurations with only the array length of the C2 locations being different.\r\nstruct psylo_c2_config {\r\n    char c2_host_1[60];\r\n    char c2_host_2[60];\r\n    char c2_host_3[60];\r\n    DWORD c2_port_1;\r\n    DWORD c2_port_2;\r\n    DWORD c2_port_3;\r\n};\r\nstruct fakem_customssl_c2_config {\r\n    char c2_host_1[64];\r\n    char c2_host_2[64];\r\n    char c2_host_3[64];\r\n    DWORD c2_port_1;\r\n    DWORD c2_port_2;\r\n    DWORD c2_port_3;\r\n};\r\nFigure 15: Comparison between Psylo and FakeM custom SSL configurations\r\nBoth use SSL to communicate with their C2 servers, and it appears they share common code to carry out the\r\nDiffie-Hellman key exchange. 
We compared the Diffie-Hellman code from Psylo with the FakeM custom SSL variant\r\nand found that they were very similar, but the FakeM samples had some of the functionality within sub-functions,\r\nwhich rendered binary diffing between the two Trojans impossible.\r\nAnother slight difference involves how Psylo and FakeM generate random numbers for SSL. FakeM uses\r\nQueryPerformanceCounter to create a random number, whereas Psylo uses CryptGenRandom, both of which\r\ngenerate random numbers 68 bytes long. Interestingly, CryptGenRandom calls RtlGenRandom, which\r\nuses QueryPerformanceCounter along with other system attributes to generate a random number.\r\nWhen communicating with its C2 server, Psylo will use HTTPS with a unique user-agent of (notice the lack of a\r\nspace between \"5.0\" and \"(Windows\"):\r\nMozilla/5.0(Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\r\nUnit 42 does not consider Psylo another variant of FakeM because Psylo has a command handler that differs\r\ndramatically from FakeM. Table 5 shows the Psylo command handler, which suggests it is less modular and\r\nsupports more embedded functionality when compared to FakeM. It is possible that the threat actors created this\r\nTrojan as a standalone alternative to FakeM.\r\nCommand Description\r\n0 Idles for 10 seconds.\r\n2 Enumerate all storage devices.\r\n3 Find all files that start with a particular string (%s*.*).\r\n5 Creates a file to write to, deleting it if it already exists. Combined with 'E' command to\r\ndownload a file to the system.\r\nE Writes data from C2 to a file opened using the '5' command. Combined with '5' command to\r\ndownload a file to the system.\r\n6 Reads a file, which effectively uploads the file to the C2.\r\n7 Delete a specified file.\r\n8 Execute a command using WinExec. 
Responds to C2 with 's' if successful or 'r' if unsuccessful.\r\n9 Timestomps. Sets a specified file's timestamps to match that of a system file in the System32\r\ndirectory.\r\nTable 5: Command handler in Psylo that differs dramatically from FakeM\r\nMobileOrder: Mobile Devices the Next Frontier\r\nAnother discovery we made while researching this blog is an overlap between Psylo infrastructure and a Trojan\r\nfocused on compromising Android mobile devices. Unit 42 tracks this mobile Trojan as MobileOrder, as the\r\nauthors specifically refer to commands within the app as orders. The connection between FakeM, Psylo, and\r\nMobileOrder suggests that Scarlet Mimic is now expanding its espionage efforts from PCs to mobile devices,\r\nwhich marks a major shift in tactics.\r\nMobileOrder starts by registering itself as a device administrator so that a normal user cannot uninstall it by simply\r\nclicking “uninstall” in settings. It will copy an embedded PDF file from “res/raw/rd.pdf” to the SD card at\r\n\"/android/9074ca3f18e201c204ec1d852264bb5432644ba46f54f361a146957.pdf\" and launch the mobile\r\ndevice’s default PDF viewer to display this PDF file, which acts as a decoy document. After displaying the decoy\r\ndocument, the malicious code runs in the background. The malicious code consists of the following parts:\r\n1. An Android geographical location SDK provided by AMAP.\r\n2. Actor-developed code that carries out the Trojan’s functionality.\r\nThe malware uses the AMAP SDK to obtain an accurate location of infected devices by GPS, mobile network (such as\r\nbase stations), WiFi and other information. MobileOrder acts on instructions provided by its C2 server, which it\r\ncommunicates with over TCP port 3728. 
All C2 communications are encrypted with the AES algorithm using a\r\nkey generated by computing five MD5 hashes starting with the key \"1qazxcvbnm\", and adding a salt value of\r\n“.)1/” in each iteration.\r\nThe C2 server will respond to requests from MobileOrder with commands that the Trojan refers to as “orders”.\r\nMobileOrder contains a command handler with functionality that provides a fairly robust set of commands, as\r\nseen in Table 6. The first byte of data provided by the C2 server is the order number, which is followed by the\r\nencrypted data needed to carry out the specific order.\r\nOrder # Order Name Behaviors\r\n18 Order_Folder_List Upload names and attributes of files under specified path\r\n20 Order_Process_List Upload information on all running processes\r\n24 Order_HostInfo Upload device information including IMEI, IMSI, SIM card serial\r\nnumber, phone number, Android version, device manufacturer,\r\ndevice model, SD card size, network type, device locking status,\r\ncountry, carrier, time zone, language, installed app list, browser\r\nbookmarks, etc.\r\n26 Order_FileDelete Delete specified file\r\n27 Order_DownLoad Download specified file to SD card’s Android/data/tmp/ directory.\r\n28 Order_UpFile Upload specified file to C2 server\r\n51 Order_Sms Upload all received and sent SMS addresses, content, date, time to\r\nC2 server\r\n52 Order_Contact Upload all contacts’ information to C2 server\r\n53 Order_Call Upload all phone call history information\r\n54 Order_Camera_front_photo Take a picture with the device’s front camera\r\n56 Order_SetSleepTime Set sleep time interval\r\n57 Order_SetOnline Stop sleep\r\n58 Order_SetMediaRecorder Start audio recorder at specified time\r\n59 Order_GetLoc Upload information about network operator, MCC, MNC, network\r\ntype, GSM cell location, CID, LAS, BSSS, etc. 
This information\r\ncan be used to locate the device.\r\n60 Order_GetGps Upload GPS location by AMAP SDK.\r\n61 Order_SetTelRecorderOn Activate phone call recording\r\n62 Order_SetTelRecorderOff Deactivate phone call recording\r\n81 Order_Install Install specified APK file. May install silently or install as a system\r\napp according to C2 command data\r\n82 Order_Uninstall Uninstall specified app\r\n84 Order_StartApp Launch specified app\r\n85 Order_SendBroadcast Send specified Android broadcast to launch other apps\r\n86 Order_Shell Execute specified shell commands\r\n87 Order_OpenTrack Start geolocation tracking in AMAP SDK\r\n88 Order_CloseTrack Stop geolocation tracking in AMAP SDK\r\n90 Order_CheckScreen Check whether the phone screen is on (that is, whether the phone is\r\nin use by its owner)\r\nTable 6: MobileOrder command handler\r\nInfrastructure Overlap and Related Tools\r\nThere is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants, as well as other\r\nTrojans such as MobileOrder, Psylo, and CallMe. There are also infrastructure ties between some FakeM variants\r\nand older activity using Trojans such as Elirks, Poison Ivy, and BiFrost, which were used in attacks as old as 2009.\r\nThe domain names used to host C2 servers are a mix of actor-registered and Dynamic DNS (DDNS), though most\r\nare DDNS. The DDNS domains in turn are linked to a small grouping of ASNs, with one ASN often largely tied to\r\none FakeM variant. Most of the FakeM MSN C2s resolve to IP addresses associated with ASN 22781 (RBLHST -\r\nReliablehosting.com). However, we found one MSN sample that shared infrastructure with some FakeM Custom\r\nSSL variants.\r\nThere is a similar overlap between FakeM MSN, FakeM HTML, and FakeM SSL. The registrant email\r\nxsldmt@xj163[.]cn was used to register several domains used as C2s: yourturbe[.]org, websurprisemail[.]com and\r\ngoogmail[.]org. 
One of these domains was also used in the 2013 CallMe activity at the same time it was being\r\nused for FakeM MSN samples. The targeting and decoy style also matches with the FakeM activity.\r\nThere is PE resource overlap between some FakeM MSN samples and some samples of the BiFrost and Poison\r\nIvy Trojans. This may indicate that the same developer who created the particular BiFrost and Poison Ivy samples\r\nwas also involved in developing FakeM MSN. Unit 42 found an overlap between the RT_VERSION resources,\r\nwhich contain the version information of a Portable Executable (PE) file, shared amongst the three different\r\nTrojans. The shared RT_VERSION resource (MD5: 55b7a118203a831cc69b37b785015c54) contained the\r\nfollowing information:\r\nComments: Release\r\nCompanyName: Develop Team\r\nFileDescription: Utility Application\r\nFileVersion: 4.0\r\nInternalName: Utility\r\nLegalCopyright: Copyright (C) 2008\r\nLegalTrademarks: DT.Inc\r\nOriginalFilename: Utility.EXE\r\nPrivateBuild: 4.0b\r\nProductName: Utility Application\r\nProductVersion: 4.0\r\nThe overlap between Elirks, FakeM SSL, Psylo, and MobileOrder exists entirely in their command and control\r\ninfrastructure, through domain names and/or IP resolution. Samples of these Trojans used some of the same C2\r\ndomains, notably lenovositegroup[.]com, ufoneconference[.]com, and websurprisemail[.]com, while some\r\nresolution overlap includes 118.193.212[.]12, 210.206.219[.]241, and 59.188.239[.]117. Similarly, some FakeM\r\nYahoo C2 domains and FakeM Custom SSL C2 domains also have overlapping IP resolutions, notably\r\n95.154.204[.]198.\r\nScarlet Mimic also uses the infamous HTRAN tool on at least some of their C2 servers. HTRAN is a proxying\r\ntool that allows actors to conceal the true location of their C2 server. 
Actors will run HTRAN on a server and\r\nconfigure their malware to interact with that server; however, the actor will configure HTRAN to forward traffic\r\nto another server where the actual C2 server exists. For example, the FakeM C2 domain of\r\n“muslim.islamhood[.]net” [1] resolved to the IP address 59.188.239.117 during analysis, but the server responded\r\nwith the following error message:\r\n[SERVER]connection to 68.71.35.135:8081 error\r\nThis error message suggests that the HTRAN application running on 59.188.239.117 was unable to connect to the\r\nreal C2 server hosted at 68.71.35.135.\r\nPrior Publications\r\nThroughout this report, we have referenced multiple previous blogs and white papers, from Unit 42 and others,\r\nthat have documented elements of this threat in the past. In addition to those documents, readers may also find the\r\nfollowing publications interesting.\r\nIn 2014, Citizen Lab released a paper on threats against civil society that referenced some of these attacks as the\r\n“Domain Name Family” or DNF.\r\nKaspersky Lab has produced excellent research on attacks against Uyghur and Tibetan activists. In 2013, they\r\nidentified an Android Trojan that was also targeting these groups. 
Our analysis indicates this malware is different\r\nfrom the MobileOrder Trojan described above, but they serve very similar purposes.\r\nOn January 12, 2016, Cylance published a blog linking an exploit document to the group Mandiant refers to as\r\nAPT2 and CrowdStrike as “Putter Panda.” While there does appear to be a small overlap between IP addresses\r\nused in attacks from this group and those of Scarlet Mimic, our team has not concluded that these groups are one\r\nand the same.\r\nConclusion\r\nThe information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and\r\nskillfully resourced cyber adversary. Scarlet Mimic has carried out attacks using both spear-phishing and watering\r\nholes since at least 2009 with increasingly advanced malware, and has deployed malware to attack multiple\r\noperating systems and platforms. Despite their apparent technical acumen, their decoy documents are typically not\r\nwell crafted regardless of the use of the target’s language, though they do use timely subject lures.\r\nThe primary source of data used in this analysis is Palo Alto Networks WildFire, which analyzes malware used in\r\nattacks from around the globe. The system is also fed with malware samples collected through sharing partnerships\r\nwith other security vendors, including our partners in the Cyber Threat Alliance. To connect attacks to each other\r\nbased on malware behavior and command and control infrastructure, we relied on Palo Alto Networks AutoFocus\r\nthreat intelligence. 
AutoFocus users can view all of the files related to Scarlet Mimic and the malware associated\r\nwith the group using the following links:\r\nScarletMimic\r\nFakeM\r\nPsylo\r\nMobileOrder\r\nPalo Alto Networks customers are protected from Scarlet Mimic attacks through many components of our\r\nplatform.\r\nThreat Prevention signatures for the software vulnerabilities listed in this report are available to detect the\r\nexploit files during delivery.\r\nTraps, our advanced endpoint solution, can prevent the software vulnerabilities listed in this report from\r\nbeing exploited on a Windows host.\r\nWildFire classified all of the Android and Windows malware described in this report as malicious.\r\nWe have released anti-malware signatures for the files listed in this report.\r\nThe domain names used for command and control have been classified as malicious in PANDB.\r\nScarlet Mimic Indicator Data\r\nFakeM Custom SSL Samples\r\nhttp://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/\r\nPage 22 of 
27\n\nFakeM SSL Samples\r\nFakeM Original Samples\r\nPsylo Samples\r\nMobileOrder Sample\r\nCallMe Samples\r\nFakeM Custom SSL C2 Servers\r\nFakeM SSL C2 Servers\r\nFakeM Original C2 Servers\r\nPsylo C2 Servers\r\nMobileOrder C2 Servers\r\nCallMe C2 Servers\r\nSource: http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
	],
	"report_names": [
		"scarlet-mimic-years-long-espionage-targets-minority-activists"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-10T02:00:05.409574Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-10T02:00:02.985402Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Golfing Taurus",
				"G0029"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-10T02:00:04.886029Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18c45f1e4f572cffc670f0747c46daf617980f53.pdf",
		"text": "https://archive.orkl.eu/18c45f1e4f572cffc670f0747c46daf617980f53.txt",
		"img": "https://archive.orkl.eu/18c45f1e4f572cffc670f0747c46daf617980f53.jpg"
	}
}