S0077: CallMe
Analyst context for executives and security teams
CallMe is a macOS Trojan based on the publicly available Tiny SHell tool. Its business significance is less about a broad malware family profile and more about validating whether macOS endpoints are covered for shell-based execution, command-and-control traffic, inbound tool transfer, encrypted C2, and possible exfiltration over the same C2 channel.
Executive priority
Treat this as a macOS coverage-check item for resilience and incident readiness. Leaders should ask whether managed detection, endpoint logging, network monitoring, and response playbooks include macOS systems with the same rigor as Windows. The relationship to Scarlet Mimic provides threat-intelligence context, but the supplied ATT&CK data does not justify assumptions about current targeting, active exploitation, or attribution in a specific environment.
Technical view
SOC and IR teams should validate visibility for macOS process execution involving Unix shells, unexpected file downloads or tool staging, outbound C2-like connections, encrypted traffic patterns that do not align with approved applications, and data movement over established outbound channels. Because ATT&CK provides no official detection text for CallMe, detections should be built from the related behaviors: T1059.004 Unix Shell, T1105 Ingress Tool Transfer, T1573.001 Symmetric Cryptography, and T1041 Exfiltration Over C2 Channel.
Likely telemetry
- macOS endpoint process execution logs, especially shell invocation and parent-child process context
- macOS file creation, modification, and quarantine/download metadata where available
- Network connection metadata from macOS hosts, including destination, protocol, timing, and volume
- Proxy, firewall, DNS, and secure web gateway logs for outbound C2-like activity
- Endpoint detection telemetry for suspicious tool transfer or execution from user-writable paths
Detection direction
- Validate that macOS endpoints are onboarded to endpoint and network monitoring; many programs have weaker macOS telemetry than Windows telemetry.
- Correlate shell execution with unusual parent processes, newly created files, outbound network sessions, or follow-on tool transfer rather than alerting on shell use alone.
- Look for ingress tool transfer patterns from external systems to macOS hosts, especially when followed by execution.
- Review outbound encrypted traffic that is inconsistent with approved application behavior; avoid assuming encryption alone is malicious.
- Hunt for data movement over already-established outbound sessions, consistent with exfiltration over C2 channel behavior.
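The correlation rule in the list above (shell execution is an alert only when it is joined by a suspicious parent, tool staging, or outbound sessions from the same process tree) can be expressed as a small hunt script. This is an added example, not code from ATT&CK, MITRE, or the CallMe sample: the event schema (`type`, `ts`, `pid`, `ppid`, `parent_name`, `image`, `path`, `dst`) is a hypothetical, flattened EDR feed, the `EXPECTED_PARENTS` allowlist is an assumption to tune against the local estate, and the sample events, including the TEST-NET address 198.51.100.23 and the staged path `/tmp/.upd`, are constructed for the demo rather than observed CallMe indicators.

```python
"""Correlate macOS shell execution with follow-on file staging and egress.

Added example (not ATT&CK or CallMe code). The event fields below describe a
hypothetical simplified EDR feed; SAMPLE_EVENTS are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash", "/bin/ksh"}
# Parents from which a shell is normal; assumption, tune to the local estate.
EXPECTED_PARENTS = {"Terminal", "iTerm2", "sshd", "login", "launchd", "Xcode"}
# User-writable staging locations worth flagging (assumption).
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
WINDOW = timedelta(minutes=5)


def _t(ts):
    return datetime.fromisoformat(ts)


def descendants(procs, root_pid):
    """Return every pid in the process tree rooted at root_pid (inclusive)."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def correlate(events):
    """Alert on shells with an unexpected parent only when the shell's tree
    stages a file in a user-writable path and executes it, or opens outbound
    sessions, within WINDOW. A lone shell never alerts."""
    events = sorted(events, key=lambda e: e["ts"])
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for shell in procs.values():
        if shell["image"] not in SHELLS or shell["parent_name"] in EXPECTED_PARENTS:
            continue
        start, end = _t(shell["ts"]), _t(shell["ts"]) + WINDOW
        tree = descendants(procs, shell["pid"])
        staged, reasons = set(), []
        for e in events:
            if e["pid"] not in tree or not (start <= _t(e["ts"]) <= end):
                continue
            if e["type"] == "file" and e["action"] == "create" \
                    and e["path"].startswith(USER_WRITABLE):
                staged.add(e["path"])                      # ingress tool transfer
            elif e["type"] == "process" and e["image"] in staged:
                reasons.append(f"staged file executed: {e['image']}")
            elif e["type"] == "network" and e["direction"] == "outbound":
                reasons.append(f"outbound {e['dst']}:{e['dport']} from pid {e['pid']}")
        if reasons:
            alerts.append({"pid": shell["pid"], "parent": shell["parent_name"],
                           "reasons": reasons})
    return alerts


# Constructed sample feed: one malicious chain, one interactive shell, one
# shell with an odd parent that does nothing further.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2026-01-10T10:00:00", "pid": 610, "ppid": 500,
     "parent_name": "Preview", "image": "/bin/sh"},
    {"type": "process", "ts": "2026-01-10T10:00:01", "pid": 611, "ppid": 610,
     "parent_name": "sh", "image": "/usr/bin/curl"},
    {"type": "network", "ts": "2026-01-10T10:00:01", "pid": 611,
     "direction": "outbound", "dst": "198.51.100.23", "dport": 443},
    {"type": "file", "ts": "2026-01-10T10:00:03", "pid": 611,
     "action": "create", "path": "/tmp/.upd"},
    {"type": "process", "ts": "2026-01-10T10:00:05", "pid": 612, "ppid": 610,
     "parent_name": "sh", "image": "/tmp/.upd"},
    {"type": "network", "ts": "2026-01-10T10:00:06", "pid": 612,
     "direction": "outbound", "dst": "198.51.100.23", "dport": 8443},
    {"type": "process", "ts": "2026-01-10T10:01:00", "pid": 700, "ppid": 300,
     "parent_name": "Terminal", "image": "/bin/zsh"},
    {"type": "network", "ts": "2026-01-10T10:01:02", "pid": 700,
     "direction": "outbound", "dst": "198.51.100.40", "dport": 22},
    {"type": "process", "ts": "2026-01-10T10:02:00", "pid": 800, "ppid": 400,
     "parent_name": "Finder", "image": "/bin/sh"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run as-is it reports only the chain rooted at pid 610: the Terminal-spawned zsh is allowlisted, and the lone shell under pid 800 produces no alert because nothing in its tree staged a file or reached out. In a real deployment the same joins are what to ask of the EDR or SIEM; the value of running it locally first is confirming that macOS process lineage, file creation, and per-process network events actually arrive with enough fidelity to make those joins.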
Mitigation priorities
- Prioritize macOS endpoint management, logging, and EDR coverage for systems with sensitive data or privileged access.
- Restrict unnecessary outbound connectivity from macOS endpoints and monitor egress paths used for file transfer or long-lived sessions.
- Apply least privilege and application control practices where feasible to reduce unauthorized shell-driven execution and tool staging.
- Maintain response playbooks for isolating macOS systems, collecting process/network/file evidence, and assessing possible data exfiltration.
- Ensure compliance evidence includes macOS monitoring, egress control, and incident-response readiness rather than focusing only on Windows assets.
Analyst notes and limits
The supplied ATT&CK object identifies CallMe as a macOS Trojan based on Tiny SHell and links it to Scarlet Mimic plus four techniques: Unix Shell, Ingress Tool Transfer, Symmetric Cryptography, and Exfiltration Over C2 Channel. The most useful defensive value is to test whether those behavior classes are observable and actionable in the local macOS estate.
MITRE provides no official detection guidance, no aliases, and no object-level tactics for CallMe in the supplied fields. This take does not infer current exploitation, victim exposure, specific indicators, or guaranteed detection. Local telemetry, asset inventory, and threat-hunting results are required to determine relevance.
CallMe
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | CallMe has the capability to download a file to the victim from the C2 server. [1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | CallMe uses AES to encrypt C2 traffic. [1] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | CallMe has the capability to create a reverse shell on victims. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | CallMe exfiltrates data to its C2 server over the same protocol as C2 communications. [1] |
Groups, software, and campaigns
G0029: Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 91307f81c910… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Scarlet Mimic Jan 2016
Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
[2] mitre-attack S0077
MITRE ATT&CK software entry S0077 (CallMe).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.