Scarlet Mimic

Threat Actor updated 5 months ago (2024-05-05T12:17:32.305Z)
Scarlet Mimic is a threat actor that has been active since at least 2009, deploying increasingly advanced malware and delivering its attacks primarily through spear-phishing and watering holes. The group's attacks center on a Windows backdoor named "FakeM," first described by Trend Micro in 2013. FakeM mimics the command and control traffic of Windows Messenger and Yahoo, camouflaging its malicious activity as ordinary messaging traffic. Scarlet Mimic has used a variety of loader Trojans to execute FakeM and has also deployed Trojans targeting Mac OS X and Android, indicating an ability to attack multiple platforms.

In July 2015, Scarlet Mimic delivered a spear-phishing email to a branch of the Russian government with the intent of installing a payload that no antivirus vendor on VirusTotal detected at the time. On January 12, 2016, the cybersecurity firm Cylance linked an exploit document to the group that Mandiant refers to as APT2 and CrowdStrike as "Putter Panda." Some overlap was observed between the IP addresses used in that group's attacks and those of Scarlet Mimic, but it was not concluded that the two groups are identical.

Analysis shows that Scarlet Mimic has begun to expand its espionage efforts from PCs to mobile devices, a significant evolution in its tactics; the connection between FakeM, Psylo, and MobileOrder suggests a broader scope for the group's operations. The group also uses the well-known HTRAN tool on at least some of its Command & Control (C2) servers. Despite a well-established pattern of spear-phishing, there has been at least one instance in which Scarlet Mimic deviated from this method, suggesting some unpredictability in its strategies.
Description last updated: 2024-05-05T11:21:30.593Z
Aliases: none currently tracked
Source Document References
Information about the Scarlet Mimic Threat Actor was read from the documents corpus below (display limited to 20 results).
Source: MITRE, created 2 years ago