S0076: FakeM
FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [1]
Analyst context for executives and security teams
FakeM matters because ATT&CK describes it as a shellcode-based Windows backdoor with relationships to credential collection and covert command-and-control behaviors. For leaders, the practical issue is not just the malware name: it represents a scenario where an endpoint compromise may be used to capture keystrokes and communicate in ways designed to blend into or obscure normal network traffic.
Executive priority
Prioritize this as a resilience and identity-risk validation item for Windows environments. Ask whether the organization can prove it collects enough endpoint and network evidence to investigate a backdoor that may use keylogging, protocol/service impersonation, non-application-layer communications, and symmetric encryption. Because ATT&CK provides no official detection text for FakeM, coverage should be demonstrated through control validation and incident response playbooks rather than assumed from malware naming alone.
Technical view
SOC and IR teams should validate visibility around the ATT&CK relationships supplied for FakeM: T1056.001 Keylogging for credential-access/collection behavior, T1001.003 Protocol or Service Impersonation, T1095 Non-Application Layer Protocol, and T1573.001 Symmetric Cryptography for command-and-control. Since the malware platform is Windows and no official detection logic is provided, detection engineering should focus on behavior-level evidence from Windows endpoints and network controls rather than relying on a FakeM-specific signature.
Likely telemetry
- Windows endpoint detection and response events for suspicious backdoor-like process, memory, and execution behavior
- Host telemetry that can expose keylogging or abnormal credential-collection behavior
- Network flow, firewall, IDS, or packet metadata showing unusual outbound communication patterns
- Evidence of protocol or service impersonation, including traffic that appears to mimic legitimate services
- Telemetry capable of identifying non-application-layer or otherwise unusual protocol use where collected
Detection direction
- Do not treat the absence of ATT&CK-provided detection guidance as absence of risk; map coverage to the related techniques instead.
- Validate whether Windows endpoint tooling can surface keylogging-relevant behavior and suspicious shellcode/backdoor execution patterns.
- Tune network detections for protocol impersonation and encrypted C2 patterns while accounting for false positives from legitimate encrypted business traffic.
- Confirm whether the environment collects enough packet, flow, and firewall metadata to investigate non-standard or non-application-layer communications.
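The following is an added example, not part of the ATT&CK object or of Glexia's analysis, of what "behavior-level evidence from network controls" can look like for the techniques listed above. It runs two first-packet heuristics over constructed flow records: a flow to TCP 443 whose first client bytes are not a TLS ClientHello (a home-grown "SSL-like" stack, as in the T1573.001/T1095 notes), and a flow that carries the protocol markers of retired consumer messengers (the T1001.003 note about traffic resembling MSN or Yahoo! Messenger). The `Flow` record, the sample flows, and the assumption that the monitored environment has no legitimate use of those legacy messenger protocols are all mine; the page gives no such specifics.

```python
# Added example (not from the ATT&CK page or Glexia): first-packet egress
# heuristics for FakeM-style C2 evasion, mapped to T1001.003 (protocol
# impersonation) and T1573.001 / T1095 (modified SSL on a non-standard stack).
# All flow records below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client->server payload bytes (IDS / PCAP metadata)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == 0x01)


# Protocol markers of retired consumer messengers. Assumption (not from the
# page): the monitored environment has no legitimate use of these protocols,
# so any match on egress traffic is worth analyst triage.
_MSNP_COMMANDS = (b"VER ", b"CVR ", b"USR ", b"MSG ")


def legacy_messenger_signature(payload: bytes) -> Optional[str]:
    if payload.startswith(b"YMSG"):          # Yahoo! Messenger YMSG header magic
        return "yahoo-ymsg"
    if payload.startswith(_MSNP_COMMANDS):   # MSN Messenger MSNP command verbs
        return "msn-msnp"
    return None


def triage(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs that merit analyst review."""
    findings: List[Tuple[Flow, str]] = []
    for f in flows:
        sig = legacy_messenger_signature(f.first_bytes)
        if sig:
            findings.append((f, f"legacy messenger protocol ({sig}) on port {f.dport}"))
            continue
        # TCP 443 that does not open with a ClientHello: plaintext, or a
        # non-standard "SSL-like" stack that a TLS inspection proxy cannot
        # decrypt. Tuning point: exclude known proxies and health checks to
        # keep false positives from legitimate business traffic down.
        if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes):
            findings.append((f, "non-conformant TLS on 443"))
    return findings


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),      # genuine ClientHello
    Flow("10.0.0.5", "203.0.113.20", 443,
         b"\x00\x00\x00\x10\x8a\x01\x55\x97"),                   # not TLS at all
    Flow("10.0.0.7", "203.0.113.30", 1863, b"VER 1 MSNP15 CVR0\r\n"),  # MSNP handshake
    Flow("10.0.0.7", "203.0.113.40", 8080, b"YMSG\x00\x10\x00\x00\x00\x18"),  # YMSG header
    Flow("10.0.0.9", "203.0.113.50", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),    # plain HTTP
]

if __name__ == "__main__":
    for flow, reason in triage(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

Both checks are intentionally cheap because they only need the first payload bytes that most IDS and flow collectors already retain; the 443 check is the one that needs local tuning, since a real environment has proxies and health checks that legitimately speak something other than TLS on that port.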
- Use the Scarlet Mimic relationship as threat-intelligence context, but do not assume attribution without local evidence.
Mitigation priorities
- Harden and monitor Windows endpoints where this malware is in scope.
- Reduce unnecessary outbound connectivity and apply egress controls that make unusual C2 paths easier to detect and contain.
- Prioritize credential protection and response procedures because the related behavior includes keylogging.
- Ensure incident response playbooks include host isolation, credential review, and network traffic analysis for suspected backdoor activity.
- Use ATT&CK technique relationships to drive control testing where malware-specific detections are not available.
Analyst notes and limits
ATT&CK identifies FakeM as a shellcode-based Windows backdoor used by Scarlet Mimic and links it to keylogging plus multiple command-and-control techniques. The most useful defensive takeaway is to validate behavior-based coverage for Windows endpoint compromise, credential capture, and covert network communication rather than focusing only on the malware family name.
The supplied ATT&CK object has no official detection text, no aliases, and no object-level tactics listed. This take is limited to the provided description, external references, and relationships; local telemetry, samples, incident data, or vendor detections would be required to assess actual exposure or coverage.
FakeM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1095 | Non-Application Layer Protocol | Some variants of FakeM use SSL to communicate with C2 servers. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | |
| Enterprise | T1056.001 | Keylogging (sub-technique) | FakeM contains a keylogger module. [1] |
| Enterprise | T1001.003 | Protocol or Service Impersonation (sub-technique) | FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers. Additionally, some variants of FakeM use modified SSL code for communications back to C2 servers, making SSL decryption ineffective. [1] |
Groups, software, and campaigns
G0029: Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 247b616863cc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Scarlet Mimic Jan 2016: Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
[2] mitre-attack S0076: MITRE ATT&CK software entry for FakeM.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.