Malware Profile Updated 2 months ago
Download STIX
Preview STIX
Psylo is a new, previously unreported Trojan malware discovered by Unit 42 during an infrastructure analysis of FakeM Custom SSL variants. The malware was named after the anagram 'hnxlopsyxt', which is the mutex created when initially running the payload. Psylo has been found to have overlaps with FakeM, Elirks, and MobileOrder in terms of command and control infrastructure, including domain names and IP resolution. However, it's important to note that Psylo is not considered another variant of FakeM due to its distinct command handler. The command handler in Psylo differs dramatically from that of FakeM, as shown in Table 5. It suggests that Psylo is less modular but supports more embedded functionality compared to FakeM. This difference, along with the comparison between Psylo and FakeM custom SSL configurations (Figure 15), indicates that while there may be similarities, Psylo is a unique entity in the world of malware. The connection between FakeM, Psylo, and MobileOrder implies that Scarlet Mimic, a known threat actor, is expanding their espionage efforts from PCs to mobile devices. This marks a significant shift in tactics. Additionally, an overlap was discovered between Psylo's infrastructure and a Trojan focused on compromising Android mobile devices. When communicating with its C2 server, Psylo uses HTTPS with a unique user-agent, notably lacking a space between "5.0" and "(Windows". This discovery underscores the evolving nature of cyber threats and the need for robust security measures against such sophisticated malware.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
CallMe is a type of malware, specifically a Trojan, designed to operate on the Apple OSX operating system. It was first analyzed in February 2013 by AlienVault, who discovered that it is based on a tool called Tiny SHell, an open-source OSX shell tool available on the internet. The CallMe Trojan has
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
FakeM is a malware family first exposed in 2013 by Trend Micro, named for its command and control traffic mimicking Windows Messenger and Yahoo. The malware primarily operates as a Windows backdoor, used extensively by the cyber-espionage group, Scarlet Mimic. Since its exposure, FakeM has undergone
MobileOrder is a sophisticated piece of malware designed to exploit mobile devices. It operates by registering itself as a device administrator, thus preventing users from simply uninstalling it through regular settings. MobileOrder communicates with its command and control (C2) server over TCP port
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Scarlet MimicUnspecified
Scarlet Mimic is a threat actor that has been active since at least 2009, deploying increasingly advanced malware to execute attacks primarily through spear-phishing and watering holes. The group's attacks center around the use of a Windows backdoor named "FakeM," first described by Trend Micro in 2
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Psylo Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
a year ago
Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists