{
	"id": "1dba7cb9-fea2-4b61-a481-c4f603d89e65",
	"created_at": "2026-04-06T00:07:28.542603Z",
	"updated_at": "2026-04-10T13:12:15.782525Z",
	"deleted_at": null,
	"sha1_hash": "24dbcfbc48196e3353d2a6057ef163e413897a75",
	"title": "Scarlet Mimic - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56951,
	"plain_text": "Scarlet Mimic - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:34:58 UTC\r\nAPT group: Scarlet Mimic\r\nNames\r\nScarlet Mimic (Palo Alto)\r\nGolfing Taurus (Palo Alto)\r\nG0029 (MITRE)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2015\n\nDescription\nScarlet Mimic is a threat group that has targeted minority rights activists. This group\nhas not been directly linked to a government source, but the group’s motivations\nappear to overlap with those of the Chinese government. While there is some\noverlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has\nnot been concluded that the groups are the same.\n(Palo Alto) The attacks began over four years ago and their targeting pattern\nsuggests that this adversary’s primary mission is to gather information about\nminority rights activists. We do not have evidence directly linking these attacks to a\ngovernment source, but the information derived from these activities supports an\nassessment that a group or groups with motivations similar to the stated position of\nthe Chinese government in relation to these targets is involved.\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and\nTibetan activists as well as those who are interested in their causes. Both the Tibetan\ncommunity and the Uyghurs, a Turkic Muslim minority residing primarily in\nnorthwest China, have been targets of multiple sophisticated attacks in the past\ndecade. Both also have a history of strained relationships with the government of the\nPeople’s Republic of China (PRC), though we do not have evidence that links\nScarlet Mimic attacks to the PRC.\nScarlet Mimic attacks have also been identified against government organizations in\nRussia and India, who are responsible for tracking activist and terrorist activities.\nWhile we do not know the precise target of each of the Scarlet Mimic attacks, many\nof them align to the patterns described above.\nObserved\nCountries: Tibetan and Uyghur activists as well as those who are interested in their\ncauses.\nTools used\nBrutishCommand, CallMe, CrypticConvo, Elirks, FakeFish, FakeHighFive, FakeM,\nFullThrottle, HTran, MobileOrder, PiggyBack, Psylo, RaidBase, SkiBoot,\nSubtractThis.\nOperations performed Aug 2022\nCPR analyzes A 7-year mobile surveillance campaign targeting\nlargest minority in China\nInformation\nMITRE ATT\u0026CK Playbook\n\nLast change to this card: 16 August 2025\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d130ffbe-6498-4559-9b16-58fb88146c45",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d130ffbe-6498-4559-9b16-58fb88146c45"
	],
	"report_names": [
		"showcard.cgi?u=d130ffbe-6498-4559-9b16-58fb88146c45"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-10T02:00:05.409574Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-10T02:00:02.985402Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Golfing Taurus",
				"G0029"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-10T02:00:04.886029Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24dbcfbc48196e3353d2a6057ef163e413897a75.pdf",
		"text": "https://archive.orkl.eu/24dbcfbc48196e3353d2a6057ef163e413897a75.txt",
		"img": "https://archive.orkl.eu/24dbcfbc48196e3353d2a6057ef163e413897a75.jpg"
	}
}