G0029: Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [1]
Analyst context for executives and security teams
Scarlet Mimic matters less as a broad technical profile and more as a reminder that targeted espionage-style activity can focus on specific communities and individuals. ATT&CK provides limited behavior detail for the group, but the relationships show use of Windows, macOS, and Android malware and a filename-disguise technique using right-to-left override characters. For leaders, the practical question is whether security coverage extends beyond standard corporate Windows endpoints to Mac and mobile users who may be exposed through targeted lures.
Executive priority
Treat this as a coverage-validation case for targeted user risk: executives should ask whether endpoint, mobile, email, and incident response processes can support investigations involving minority-rights, advocacy, legal, communications, or other high-risk user populations. Because ATT&CK does not provide detection guidance or current activity claims here, priority should be based on local exposure, user profile, and whether controls produce audit-ready evidence across Windows, macOS, and Android environments.
Technical view
SOC and IR teams should validate telemetry against the supplied relationships: FakeM and Psylo are Windows malware, CallMe is macOS malware, MobileOrder is intended for Android devices, and T1036.002 covers right-to-left override filename masquerading on Linux, macOS, and Windows. Since the group object has no tactics, platforms, or official detection text, detection engineering should start with relationship-driven hypotheses rather than assume a complete ATT&CK technique map.
Likely telemetry
- Endpoint process, file, and security-event telemetry from Windows systems
- macOS endpoint telemetry covering file creation, execution, persistence-relevant events, and network connections
- Mobile device management or mobile threat defense evidence for Android devices where applicable
- Email, web proxy, and file-ingress logs that may preserve attachment names and Unicode characters
- File-system and EDR records capable of exposing right-to-left override characters in filenames
Detection direction
- Validate whether tools preserve and display Unicode control characters such as U+202E rather than normalizing or hiding them.
- Tune detections for suspicious filename/display-name mismatches while accounting for legitimate multilingual filenames to reduce false positives.
- Confirm that Mac and Android investigative data is available; Windows-only monitoring would miss relationship-relevant coverage.
- Use the related software names as threat-intelligence pivots, but avoid treating name matches alone as sufficient evidence of Scarlet Mimic activity.
- Because ATT&CK provides no official detection text for the group, require local evidence from files, processes, network activity, and user context before escalating attribution.
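As an added illustration of the U+202E checks above and of the file-ingress inspection under the mitigation list (this is example code, not part of the page or of ATT&CK), the following Python computes the name a user would see next to the extension the operating system will actually use, and flags only names where a bidi control is present and the two disagree. The sample attachment names are constructed, not real indicators.

```python
# U+202E (RLO) is the control named by T1036.002; the others can cause the same mismatch.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def rendered_name(name: str) -> str:
    """Approximate the displayed name: text after an RLO is drawn reversed until a
    PDF (U+202C) or end of string; other bidi controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1  # skip the terminating PDF if present
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def analyze_filename(name: str) -> dict:
    """Flag only when a bidi control is present AND the shown extension differs from the real one."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    return {
        "rendered": shown,
        "controls": controls,
        "actual_ext": extension(name),
        "shown_ext": extension(shown),
        "suspicious": bool(controls) and extension(name) != extension(shown),
    }

# Constructed sample attachment names, not real Scarlet Mimic indicators.
SAMPLE_NAMES = [
    "report\u202excod.exe",  # displays as reportexe.docx but runs as an .exe
    "تقرير_سنوي.pdf",          # genuine right-to-left script, no control characters
    "minutes_2016-01.rar",    # plain archive name
]

def scan(names):
    """Return the analysis records for names that warrant an analyst look."""
    return [r for r in map(analyze_filename, names) if r["suspicious"]]
```

Because the check keys on the extension mismatch rather than on the mere presence of a non-ASCII character, legitimate Arabic, Hebrew, or Persian filenames without control characters are not flagged.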
Mitigation priorities
- Prioritize user-awareness and reporting paths for suspicious attachments or files with misleading names, especially for higher-risk user groups.
- Ensure endpoint protection and logging coverage includes Windows and macOS systems, and assess Android management/visibility where mobile risk is in scope.
- Harden file-ingress controls to inspect attachment names, extensions, and Unicode-obfuscated filenames.
- Maintain IR playbooks for targeted-user compromise investigations that include endpoint, mobile, email, and network evidence collection.
- Use threat-intelligence findings conservatively for enrichment and scoping, not as a substitute for environment-specific validation.
Analyst notes and limits
The ATT&CK description states Scarlet Mimic targeted minority rights activists, has not been directly linked to a government source, and only notes motivational overlap with the Chinese government. It also notes some IP overlap with Putter Panda but does not conclude the groups are the same. Those caveats should be preserved in reporting and executive briefings.
The supplied group object has no official detection guidance, no listed group tactics, and no group-level platforms. The technical guidance above is derived from supplied relationships to software and one technique, so organizations must validate relevance against their own users, assets, telemetry, and threat model.
Scarlet Mimic
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.002 | Right-to-Left Override Sub-technique | Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names. [1] |
Groups, software, and campaigns
S0078: Psylo
Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. [1]
S0079: MobileOrder
MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. [1]
S0077: CallMe
S0076: FakeM
FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 6d8e971155bd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Scarlet Mimic Jan 2016. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
[2] Scarlet Mimic (Citation: Scarlet Mimic Jan 2016)
[3] mitre-attack G0029
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.