{ "id": "6dc725bc-ce04-45ab-b330-ca6f1d7b1bdd", "created_at": "2026-04-06T00:14:34.365255Z", "updated_at": "2026-04-10T03:32:35.341076Z", "deleted_at": null, "sha1_hash": "65de6f0b2e127b3a05327abf618514aeeb1b377d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50621, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:07:52 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Psylo\n Tool: Psylo\nNames Psylo\nCategory Malware\nType Backdoor, Exfiltration\nDescription\n(Palo Alto) Psylo is a tool that allows threat actors to upload and download files to and\nfrom a compromised system, as well as execute commands and applications on the\nsystem. The name Psylo is an anagram from the mutex created when initially running\nthis payload, which is ‘hnxlopsyxt’.\nPsylo is similar to FakeM in that they are both shellcode-based, and they have similar\nconfigurations and C2 communication channels.\nInformation\nMITRE ATT\u0026CK AlienVault OTX Last change to this tool card: 22 April 2020\nDownload this tool card in JSON format\nAll groups using tool Psylo\nChanged Name Country Observed\nAPT groups\n Scarlet Mimic 2015-Aug 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b7b401d-ef95-47dd-a63a-0adf01659f31\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b7b401d-ef95-47dd-a63a-0adf01659f31\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b7b401d-ef95-47dd-a63a-0adf01659f31\r\nPage 2 of 2\n\nAPT groups Scarlet Mimic 2015-Aug 2022 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b7b401d-ef95-47dd-a63a-0adf01659f31" ], "report_names": [ "listgroups.cgi?u=0b7b401d-ef95-47dd-a63a-0adf01659f31" ], "threat_actors": [ { "id": "8c5c318c-0e71-4184-92bb-d1c28f68a411", "created_at": "2022-10-25T15:50:23.692481Z", "updated_at": "2026-04-10T02:00:05.409574Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Scarlet Mimic" ], "source_name": "MITRE:Scarlet Mimic", "tools": [ "Psylo", "MobileOrder", "CallMe", "FakeM" ], "source_id": "MITRE", "reports": null }, { "id": "cac03bbf-0c42-470d-951e-0e92656be6cb", "created_at": "2023-01-06T13:46:38.463275Z", "updated_at": "2026-04-10T02:00:02.985402Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Golfing Taurus", "G0029" ], "source_name": "MISPGALAXY:Scarlet Mimic", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9fc2aed1-c838-41e9-b469-922e7bab6f94", "created_at": "2022-10-25T16:07:24.162936Z", "updated_at": "2026-04-10T02:00:04.886029Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "G0029", "Golfing Taurus" ], "source_name": "ETDA:Scarlet Mimic", "tools": [ "BrutishCommand", "CallMe", "CrypticConvo", "Elirks", "FakeFish", "FakeHighFive", "FakeM", "FakeM RAT", "FullThrottle", "HTran", "HUC Packet Transmit Tool", "MobileOrder", "Psylo", "RaidBase", "SkiBoot", "SubtractThis", "Terminator RAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434474, "ts_updated_at": 1775791955, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/65de6f0b2e127b3a05327abf618514aeeb1b377d.pdf", "text": "https://archive.orkl.eu/65de6f0b2e127b3a05327abf618514aeeb1b377d.txt", "img": "https://archive.orkl.eu/65de6f0b2e127b3a05327abf618514aeeb1b377d.jpg" } }