{ "id": "0a9f93cb-2372-4cd5-8830-29d1dcde29d4", "created_at": "2026-04-06T00:17:26.014562Z", "updated_at": "2026-04-10T03:32:35.357817Z", "deleted_at": null, "sha1_hash": "db3d8b2a5911315eb0d3ed4c0b8925c6ee150094", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51369, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:39:56 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CallMe\n Tool: CallMe\nNames CallMe\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) CallMe is a Trojan designed to run on the Apple OSX operating system. This\nTrojan was delivered in targeted attacks on Uyghur activists in 2013 and used\ninfrastructure associated with FakeM.\nIn February 2013, AlienVault performed analysis on the CallMe Trojan and found that it\nis based on a tool called Tiny SHell, an OSX shell tool whose source code is available\non the Internet. The Trojan uses AES to encrypt the communication channel its C2\nserver, which will provide one of three commands to carry out activities on the\ncompromised system.\nInformation\nMITRE ATT\u0026CK Last change to this tool card: 22 June 2023\nDownload this tool card in JSON format\nAll groups using tool CallMe\nChanged Name Country Observed\nAPT groups\n Scarlet Mimic 2015-Aug 2022\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=631376c6-c3e1-4edb-804a-bf09c77fc2a5\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=631376c6-c3e1-4edb-804a-bf09c77fc2a5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=631376c6-c3e1-4edb-804a-bf09c77fc2a5\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=631376c6-c3e1-4edb-804a-bf09c77fc2a5" ], "report_names": [ "listgroups.cgi?u=631376c6-c3e1-4edb-804a-bf09c77fc2a5" ], "threat_actors": [ { "id": "8c5c318c-0e71-4184-92bb-d1c28f68a411", "created_at": "2022-10-25T15:50:23.692481Z", "updated_at": "2026-04-10T02:00:05.409574Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Scarlet Mimic" ], "source_name": "MITRE:Scarlet Mimic", "tools": [ "Psylo", "MobileOrder", "CallMe", "FakeM" ], "source_id": "MITRE", "reports": null }, { "id": "cac03bbf-0c42-470d-951e-0e92656be6cb", "created_at": "2023-01-06T13:46:38.463275Z", "updated_at": "2026-04-10T02:00:02.985402Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Golfing Taurus", "G0029" ], "source_name": "MISPGALAXY:Scarlet Mimic", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9fc2aed1-c838-41e9-b469-922e7bab6f94", "created_at": "2022-10-25T16:07:24.162936Z", "updated_at": "2026-04-10T02:00:04.886029Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "G0029", "Golfing Taurus" ], "source_name": "ETDA:Scarlet Mimic", "tools": [ "BrutishCommand", "CallMe", "CrypticConvo", "Elirks", "FakeFish", "FakeHighFive", "FakeM", "FakeM RAT", "FullThrottle", "HTran", "HUC Packet Transmit Tool", "MobileOrder", "Psylo", "RaidBase", "SkiBoot", "SubtractThis", "Terminator RAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434646, "ts_updated_at": 1775791955, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/db3d8b2a5911315eb0d3ed4c0b8925c6ee150094.pdf", "text": "https://archive.orkl.eu/db3d8b2a5911315eb0d3ed4c0b8925c6ee150094.txt", "img": "https://archive.orkl.eu/db3d8b2a5911315eb0d3ed4c0b8925c6ee150094.jpg" } }