{ "id": "fcf2b6a0-1f9c-4ced-a341-a1e345008645", "created_at": "2026-04-06T00:17:19.337706Z", "updated_at": "2026-04-10T03:32:35.354902Z", "deleted_at": null, "sha1_hash": "77ca76215df94fe87ed66e0f768e2192fe03311b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53361, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:51:28 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool FakeM\n Tool: FakeM\nNames\nFakeM\nFakeM RAT\nTerminator RAT\nCategory Malware\nType Backdoor\nDescription\n(Trend Micro) We found a family of RATs that we call “FAKEM” that make their\nnetwork traffic look like various protocols. Some variants attempt to disguise network\ntraffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another\nvariant tries to make the content of its traffic look like HTML. While the disguises the\nRATs use are simple and distinguishable from legitimate traffic, they may be just good\nenough to avoid further scrutiny.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 14 May 2020\nDownload this tool card in JSON format\nAll groups using tool FakeM\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=821cb159-baed-4d8b-9ac4-5740abcd6b2b\nPage 1 of 2\n\nScarlet Mimic 2015-Aug 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=821cb159-baed-4d8b-9ac4-5740abcd6b2b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=821cb159-baed-4d8b-9ac4-5740abcd6b2b\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=821cb159-baed-4d8b-9ac4-5740abcd6b2b" ], "report_names": [ "listgroups.cgi?u=821cb159-baed-4d8b-9ac4-5740abcd6b2b" ], "threat_actors": [ { "id": "8c5c318c-0e71-4184-92bb-d1c28f68a411", "created_at": "2022-10-25T15:50:23.692481Z", "updated_at": "2026-04-10T02:00:05.409574Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Scarlet Mimic" ], "source_name": "MITRE:Scarlet Mimic", "tools": [ "Psylo", "MobileOrder", "CallMe", "FakeM" ], "source_id": "MITRE", "reports": null }, { "id": "cac03bbf-0c42-470d-951e-0e92656be6cb", "created_at": "2023-01-06T13:46:38.463275Z", "updated_at": "2026-04-10T02:00:02.985402Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Golfing Taurus", "G0029" ], "source_name": "MISPGALAXY:Scarlet Mimic", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9fc2aed1-c838-41e9-b469-922e7bab6f94", "created_at": "2022-10-25T16:07:24.162936Z", "updated_at": "2026-04-10T02:00:04.886029Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "G0029", "Golfing Taurus" ], "source_name": "ETDA:Scarlet Mimic", "tools": [ "BrutishCommand", "CallMe", "CrypticConvo", "Elirks", "FakeFish", "FakeHighFive", "FakeM", "FakeM RAT", "FullThrottle", "HTran", "HUC Packet Transmit Tool", "MobileOrder", "Psylo", "RaidBase", "SkiBoot", "SubtractThis", "Terminator RAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434639, "ts_updated_at": 1775791955, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/77ca76215df94fe87ed66e0f768e2192fe03311b.pdf", "text": "https://archive.orkl.eu/77ca76215df94fe87ed66e0f768e2192fe03311b.txt", "img": "https://archive.orkl.eu/77ca76215df94fe87ed66e0f768e2192fe03311b.jpg" } }